Research and Innovation OSINT Digest 251015
ABOUT:
This is our digest of recent security incidents spanning the full spectrum of threats – cyber, physical, personnel – to Higher Education Institutions (HEIs), research, and innovation.
The information is open source only and this digest is produced for information only.
An interactive map depicting historic incident data can be found here.
EXECUTIVE SUMMARY:
In September 2025, SECURED observed 21 security incidents affecting HEIs from open-source data, a 16.0% decrease on August 2025. Of these incidents, 66.7% were cyber, 19.0% hybrid, and 14.3% physical. Security incidents recorded in September 2025 underline that cyber threats remain the most significant risk facing HEIs.
September 2025 saw cyber events decrease by 30% compared to August 2025 (from 20 to 14 incidents). We assess this reflects variation in reporting rather than a meaningful decrease in the overall threat level. Despite the lower number of reported cyber incidents, September data indicates evolving cyber criminal tactics, as malicious actors increasingly target third-party suppliers and create campaigns targeting specific demographic groups.
Leaked documents relating to two Chinese cybersecurity firms reveal a complex ecosystem in which Chinese private and academic sectors are incentivised to commercialise Chinese state surveillance. HEIs collaborating with Chinese partners on AI, data analytics, and other hi-tech fields face heightened risk of academic co-option, data exposure, and reputational harm amid the ongoing US-China technological and trade rivalry.
At Tyburn St Raphael, we specialise in countering threats to cutting-edge research and innovation.
We are experts in providing travel security assessments and strengthening organisational security posture to protect intellectual property.
TYBURN Recommendations:
Assess cyber resilience of critical suppliers
Cyber incidents in September highlighted how criminals are using supply chains to attack HEIs. Institutions should prioritise assessments of their supply chains and incident response plans in the event of attacks on critical suppliers.
Evaluate and stress-test incident response management plans
Incidents in September 2025 underline the need for HEIs to stress-test physical and digital incident response plans, paying attention to risks that exploit the interface between physical and cyber security. Tabletop exercises and simulations provide an effective and engaging method to evaluate response capabilities, identify gaps, and strengthen overall institutional resilience with guidance from seasoned experts.
Engage external experts to provide open-source intelligence on threats
Security risks are evolving as HEIs face increased targeting by state-level actors using hybrid threat vectors. The shifting geopolitical landscape is transforming previously low-risk partnerships into high-risk exposures. Commercial open-source monitoring capabilities can provide institutions with timely, actionable intelligence to support proactive decision-making and early risk mitigation.
Incident data
Open-source data on security incidents with commentary
Atlanta Neighborhood Charter School - 01/09/2025 - US - Cyber
Event: Multiple ransomware tracking sites reported that on 1 September 2025 the Atlanta Neighborhood Charter School, a charter school based in the US, experienced a data breach. The sites identify Qilin as the threat actor behind the attack. Details of the attack remain unclear. Link 1 Link 2
Comment: SECURED has been unable to verify this incident.
Dasmesh Punjabi School - 01/09/2025 - Canada - Cyber
Event: Multiple ransomware tracking sites reported that on 1 September 2025 Dasmesh Punjabi School, a Punjabi language and cultural school based in Canada, experienced a data breach. The sites identify SafePay as the threat actor behind the attack. Details of the attack remain unclear. Link 1 Link 2
Comment: SECURED has been unable to verify this incident.
ESIC University - 01/09/2025 - Spain - Cyber
Event: Multiple ransomware tracking sites reported that on 1 September 2025 ESIC University, a private business school based in Spain, experienced a data breach. The sites identify Qilin as the threat actor behind the attack. 421GB of data has allegedly been exfiltrated. Link 1 Link 2 Link 3
Comment: Cyber security researchers on X (Twitter) report that an alleged 97,000 files have been stolen, including sensitive information of more than 66,000 students, alumni, faculty, and other business operations. Qilin is also reportedly promoting the stolen database as a free download and warning the institution of lawsuits and fines.
Loyola College - 01/09/2025 - Australia - Cyber
Event: Multiple ransomware tracking sites reported that on 1 September 2025 Loyola College, a co-educational Catholic secondary school based in Australia, experienced a data breach. The sites identify Interlock as the threat actor behind the attack. 591GB of data has allegedly been exfiltrated. Link 1 Link 2 Link 3 Link 4
Comment: The College confirmed the incident after discovering that Interlock had listed the institution as a victim on its darknet leak site. In response, Loyola College initiated a system-wide password reset for all staff, students, and parents. Media reporting indicates that the compromised information contains PII, with leaked excerpts reportedly containing copies of passports of current and past employees, detailed financial records, tax details, and court orders. This incident underlines the importance of proactive risk management and ongoing cybersecurity monitoring. Once threat actors publish compromised information, organisations effectively lose control of the incident and the surrounding narrative, highlighting the need for rapid containment measures and transparent communication strategies.
University of St Thomas - 04/09/2025 - US - Cyber
Event: Multiple ransomware tracking sites reported that on 4 September 2025 the University of St. Thomas, a private Catholic university based in the US, experienced a data breach. The sites identify INC_RANSOM as the threat actor behind the attack. Link 1 Link 2 Link 3 Link 4
Comment: St Thomas' servers were forced offline as a result of the incident, leading to significant operational disruption for faculty and students. Investigators believe the university's network itself was not compromised; IT systems were shut down as a precautionary measure. Although it remains unconfirmed whether any student or employee data was exfiltrated, a class action lawsuit has already been filed against the university. This incident underlines the serious reputational and legal consequences that can arise from insufficient cybersecurity and incident response measures - issues that are often underestimated until a breach occurs. It highlights the need for proactive risk management, timely communication, and robust contingency planning to minimise both operational and legal fallout in the aftermath of a cyberattack.
Universities in Pakistan - 05/09/2025 - Pakistan - Cyber
Event: A large-scale phishing campaign targeting university website portals has been identified in Pakistan. Links to phishing portals are being disseminated via emails or are appearing in web searches as they attempt to mimic legitimate university login portals. Link 1 Link 2
Comment: Phishing campaigns require minimal resources and can be produced and distributed rapidly at scale. The advent of artificial intelligence has further lowered the barriers for malicious actors, enabling them to create more convincing and targeted phishing content with ease. Despite often being perceived as crude or unsophisticated, phishing remains the most widespread form of cyberattack. According to the UK Cyber Breaches Survey 2025, it continues to be the most prevalent and disruptive type of security breach faced by UK organisations. HEIs must develop engaging training materials to spread awareness of the signs and dangers of phishing campaigns.
Veeranari Chakali Ilamma Women's University - 05/09/2025 - Pakistan - Hybrid
Event: Female students at Veeranari Chakali Ilamma Women’s University in Koti reported that their mobile phones had been compromised. Preliminary investigation by cyber authorities indicates that a phishing campaign was launched against female students at the institution. Link 1 Link 2 Link 3
Comment: Media reporting indicates that malicious actors exploited the compromised data to blackmail the students. This incident highlights how phishing campaigns are increasingly being tailored to exploit specific demographic groups, in this case targeting female students. Such attacks not only threaten individual privacy and safety, but also expose broader vulnerabilities in digital awareness and institutional cybersecurity measures. The breach may erode trust in university systems and underlines the need for stronger cyber hygiene education and protective protocols within HEIs.
HEIs in Andalusia - 07/09/2025 - Spain - Cyber
Event: A 21-year-old student in Seville was arrested by Spanish authorities after investigations indicated that they had compromised Seneca, the online platform managing Andalusian students, and altered exam results. The student also allegedly compromised emails for 13 faculty members at multiple institutions and recorded their actions in a notebook. Link 1
Comment: While the actions of the 21-year-old student in this incident do not appear particularly malicious, their actions replicate other malicious activity. Preliminary investigations suggest that the initial compromise was facilitated by social engineering or stolen credentials, common attack vectors for HEIs and similar organisations. This incident underlines the importance of basic cyber hygiene, including the implementation of multifactor authentication and robust monitoring capabilities to detect and mitigate breaches at an early stage.
Umea University - 08/09/2025 - Sweden - Cyber
Event: On 8 September 2025, Umea University announced that Miljodata, a vendor which supplies a support system used by the University, was subject to a cyberattack. Personal data belonging to all current and some former employees of Umea University has been compromised, including names, personal identification numbers, contact details, and other PII. The threat actor has leaked some of the breached data to the dark web. Umea University is continuing its investigation and has provided guidance to affected individuals. Link 1 Link 2 Link 3
Comment: This incident emphasises the fragility of interconnected digital supply chains. While this incident did not directly target an HEI, it has significantly expanded the institution's exposure by leading to the compromise of its current and former employees' PII. The incident highlights evolving tactics in the cyber threat landscape, as malicious actors increasingly target supply chains and vendors to attack primary targets. HEIs must increasingly look beyond securing their internal systems and assess and harden the security posture of their external partners, particularly given the sensitivity of HEIs’ data.
Utah Valley University - 10/09/2025 - US - Cyber
Event: On 10 September 2025, conservative commentator Charlie Kirk was assassinated during a public event held at Utah Valley University. The event was open-air, with around 3,000 people attending. The shooter fired from a rooftop overlooking the event and was arrested several days after the incident. Link 1 Link 2 Link 3
Comment: The incident has global relevance for HEIs’ physical and hybrid security. It highlights the security risks inherent in large outdoor events, especially with high-profile speakers. US institutions will likely re-evaluate how they manage public events with potential political or ideological flashpoints.
Waverly Child Care & Preschool - 11/09/2025 - US - Cyber
Event: Multiple ransomware tracking sites reported that on 11 September 2025 Waverly Child Care & Preschool, an early education provider based in the US, experienced a data breach. The sites identify SafePay as the threat actor behind the attack. Details about the incident remain unclear. Link 1
Comment: SECURED has been unable to verify this incident.
Princeton University - 13/09/2025 - US - Hybrid
Event: On 9 September 2025, Israeli-Russian researcher and doctoral student at Princeton University Elizabeth Tsurkov was released after being held captive in Baghdad for over two years. Tsurkov, a specialist in conflicts and political groups in Iraq and Syria, had disappeared in Iraq in 2022, with reports indicating that Kataib Hezbollah were likely responsible. A video of her purportedly confessing to being an Israeli spy was later released, although her family and Princeton University dismissed it as a forced confession. A special operation by US and Iraqi security forces secured her release. Link 1 Link 2 Link 3
Comment: Tsurkov's detention and eventual release highlight the increasing threat posed by detention of researchers as leverage in conflicts. Tsurkov's detention by Kataib Hezbollah reflects how non-state actors and regional powers exploit foreign nationals to exert political pressure on external parties. The forced 'confession' video underscores the role of information manipulation and psychological warfare in shaping public narratives and legitimising unlawful detentions. Researchers operating in volatile regions remain vulnerable as their academic work can be reframed easily by hostile actors as espionage, an exposure elevated by limited institutional security training and protective protocols at most HEIs.
Queen's University Belfast - 18/09/2025 - Northern Ireland - Physical
Event: On 18 September 2025, pro-Palestine activists protested at Queen's University Belfast's freshers' fair. They carried Palestine flags and placards and chanted 'PSNI off our campus'. There was particular focus on US politician Hillary Clinton's association with the university. The protest disrupted the freshers' event and attracted attention to policing presence on campus. Link 1 Link 2
Comment: Protests, particularly pro-Palestinian protests, continue to disrupt universities' normal operations. They are often conducted during periods of higher stress and importance, such as exam season or graduations, for maximum impact.
University of North Carolina - 19/09/2025 - US - Hybrid
Event: On 18 September 2025, the University of North Carolina initiated a shelter-in-place order and cancelled classes after reports of a gunman on campus premises. Local authorities confirmed that no attacker was found and there was no credible threat to safety, and the shelter-in-place order was lifted. Link 1 Link 2 Link 3
Comment: Local authorities are investigating the sources of information, as hoax calls and swatting incidents have become increasingly common at US institutions in 2025. This event highlights the critical need for swift, effective incident management, particularly the verification of information sources to detect and prevent the spread of mis- and disinformation.
A university in Pennsylvania - 19/09/2025 - US - Cyber
Event: On 15 September 2025, Farouk Adekunle Adepoju, a Nigerian citizen residing in the UK, was arrested by UK authorities pursuant to a US request for extradition. US authorities allege that Adepoju remotely compromised a computer belonging to a Pennsylvanian construction company that was performing work for a university in the region and diverted funds meant for the company to a fraudulent account. US authorities report that approximately USD235,266 was stolen and has so far not been recovered. Link 1 Link 2
Comment: This incident underscores the heightened cyber risks faced by HEIs through their third-party contractors and service providers. Malicious actors are increasingly targeting their primary targets through third parties, necessitating stronger supply chain oversight, verification of financial transactions, and stricter cybersecurity standards in institutional partnerships. The incident also highlights the growing effectiveness of cross-border cooperation in combating cyber-enabled financial crimes.
Valparaiso University - 21/09/2025 - US - Cyber
Event: Valparaiso University's IT systems were breached in August 2025 by an unidentified threat actor. Valparaiso has confirmed that investigations indicate that compromised information may include names, social security numbers, financial account information, and other PII. The University is working with affected individuals to provide tailored support. Link 1 Link 2 Link 3
Comment: Valparaiso University faces serious legal, reputational, and financial ramifications as a consequence of the data breach, given the scale and sensitivity of the compromised information. Universities that experience such breaches face the real and immediate prospect of losing funding and partnerships, and of being excluded from future research projects, especially by security-conscious partners. HEIs that proactively invest in their security apparatus can demonstrate their intent and suitability as research partners.
KIPP DC Public Schools - 25/09/2025 - US - Cyber
Event: Multiple ransomware tracking sites reported that on 25 September 2025 KIPP DC Public Schools, a charter school network based in the US, experienced a data breach. The sites identify WorldLeaks as the threat actor behind the attack. Details about the incident remain unclear.
Comment: SECURED has been unable to verify this incident.
Schools in Utah - 25/09/2025 - US - Cyber
Event: An audit report presented to the Legislative Audit Subcommittee in Utah found that schools were not instituting baseline cybersecurity measures and cautioned that future attacks would continue with a high success rate unless change was instituted. Link 1 Link 2
Comment: The Utah audit findings underline a broader systemic issue: schools are increasingly attractive targets for cybercriminals due to their relatively low levels of cyber security and the large amounts of sensitive data they hold. US schools are one of the most common victims appearing in HEI cyber incidents. Schools must invest in baseline cyber hygiene measures and staff training, and adopt a culture of digital risk management. Without such reforms, educational institutions remain highly vulnerable to data breaches, operational disruptions, and reputational damage.
University of Odessa - 26/09/2025 - Ukraine - Hybrid
Event: A report by the press service of the Odessa Regional Prosecutor's Office and the Security Service of Ukraine (SSU) detailed that a 52-year-old faculty member at the University of Odessa has been arrested on suspicion of espionage for Russia. Authorities allege that the faculty member agreed to confidential cooperation with Russian intelligence services from 2014. Link 1 Link 2 Link 3
Comment: This case underlines the persistent threat of foreign intelligence infiltration within HEIs. The allegation that cooperation with Russian intelligence dates back to 2014 highlights the long-term and covert nature of such activities. The incident illustrates the need for universities to implement insider threat awareness programmes, robust vetting, and monitoring processes. Withdrawal of funding is a real and immediate consequence for universities and research institutions perceived to have inadequate research security measures and practices. This risk is particularly pronounced under the Trump administration, which has demonstrated a willingness to cut research funding to US institutions and, by extension, their foreign research partners.
Virginia State University, Hampton University, and other US universities - 01/09/2025 - 30/09/2025 - US - Physical
Event: In September 2025, several historically black colleges and universities, including Virginia State University and Hampton University, received hoax and real threats. This prompted lockdowns, cancellations, and heightened security measures. Although no physical harm was reported, the disturbances caused substantial disruption on campus. Link 1 Link 2 Link 3
Comment: This incident underlines the importance of robust threat verification systems and incident response procedures for handling such threats. Even when threats are not credible or physically realised, they impose operational costs and stress on university systems.
Security briefs
Analysis and assessment of ongoing security issues
Chinese companies exploit academic ties to support Chinese state surveillance
Description: Leaked documents from Geedge Networks and GoLaxy, two Chinese private cybersecurity firms, illustrate a complex ecosystem where Chinese private companies are incentivised by the Chinese state to exploit academic ties and commercialise Chinese state surveillance [LINK].
Assessment: Chinese influence and information operations have consistently targeted Western academia as a vehicle to influence wider Western societies. The leaked documents illustrate a system where Chinese companies exploit academic partnerships and research institutions, particularly through ties with the Chinese Academy of Sciences, to legitimise and advance state-directed technologies in AI, data analytics, and censorship. These collaborations blur the line between open research and state control, facilitating the use of technology for authoritarian purposes. For HEIs, such linkages heighten risks of academic co-option, data leakage, and reputational harm.
UK universities risk sanctions over pro-Palestinian protests
Description: A spokesperson for the Office for Students (OfS) warned UK universities that the regulator was prepared to issue fines if institutions are deemed to have failed to protect freedom of speech, particularly in the context of pro-Palestinian protests [LINK, LINK].
Assessment: The OfS statement was issued amid planned pro-Palestinian protests following the Manchester synagogue attack on 2 October and the anniversary of the 7 October attacks [LINK, LINK, LINK]. In March 2025, the University of Sussex was fined GBP585,000 after an OfS investigation concluded that it had failed to maintain adequate freedom of speech and academic freedom within its governance policies [LINK]. The regulator’s actions signal increasing expectations from regulators for universities to balance lawful protest with the protection of open debate. Within this environment, HEIs remain at an elevated threat level from rapidly evolving geopolitical developments that can trigger spontaneous campus unrest and online harassment.
China introduces new legislation to attract science graduates
Description: A visa designed to attract graduates of top universities in science, technology, engineering, and mathematics to travel to China will come into effect on 1 October 2025 [LINK, LINK].
Assessment: The Trump administration imposed a new USD100,000 fee on H-1B visa applications in September 2025 [LINK, LINK], effectively restricting the entry of many skilled foreign workers. The Chinese government has responded by introducing the ‘K’ visa, which is designed to attract overseas talent that might have otherwise sought opportunities in the US. The visa is part of broader US-Chinese competition. For HEIs and research institutions, these developments underscore growing geopolitical barriers to academic mobility and collaboration. There is a risk that Western HEIs might lose their ability to attract top talent due to the shifting geopolitical landscape and there is a possibility that the US may implement further sanctions or travel restrictions, limiting Western researchers’ ability to engage with, or apply for, such visa programmes.
Contact us
Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.
Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.
We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability. Recent examples include:
NSIA 2024-25 Report Analysis - analysis of the 2025 UK National Security and Investments Act report and implications for companies falling within its scope.
Chinese malign influence activities affecting UK academia - assessment of a report by the UK-China Transparency (UKCT) charity which portrayed pervasive Chinese influence of UK academia.
Academic researchers exposed to US travel risk - assessment of the increasingly stringent US border practices and their impact on academic researchers travelling to the US.
Security risk from third-party meeting bots - a short article assessing the often-overlooked security risks posed by third-party meeting bots intruding into online virtual meetings.
Robustness of real-time deep fake technology - assessment of the security risks posed by evolving deep-fake technology and the requirement for more robust detection capabilities.
Stricter cyber incident reporting requirements - a short assessment of regulatory changes which are placing more pressure on organisations’ incident response plans.
Russian cyber intelligence campaign - strategic assessment of the Russian cyber intelligence campaign targeting logistics, tech companies, and supply chains supporting Ukraine.
The Zimmermann Telegram: A Century-Old Case Study for Strategic Communications - provides insight into how strategic communications, intelligence, and security intersect.
Beyond Baselines - highlights the necessity of security certifications that go beyond baseline measures.
Deception can enable private sector initiative - research article published in security and technology journal Binding Hook.
Frontline of defence or Achilles’ heel - article that emphasises that underresourced and overworked IT and security personnel are often defensive vulnerabilities rather than assets.
Cyber incident at Dutch university - assessment of the cyber incident at TU Eindhoven.
US designation of major Chinese companies as military-linked - strategic assessment on the impact and outlook of the US’s designation of major Chinese companies as affiliated with the Chinese People’s Liberation Army.
Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.