Security firm SecureWorks has uncovered a new phishing campaign carried out by COBALT DICKENS APT targeting universities worldwide, it involved sixteen domains hosting more than 300 spoofed websites for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
“SecureWorks Counter Threat Unit™ (CTU) researchers discovered a URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials.” reads the report published by SecureWorks.
“Sixteen domains contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States”
Universities are a privileged target for nation-state actors aimed at stealing intellectual property and cutting-edge projects.
Most of the websites spoofed universities’ online library systems, the attackers were interested in accessing those resources and gather intelligence.
The visitors were displayed login pages, once they have entered their credentials they were redirected to the legitimate websites where they were automatically logged into a valid session or were asked to enter their credentials again.
Many of the domains used by COBALT DICKENS were registered between May and August 2018, most of them resolved to the same IP address and DNS name server.
The attackers shared the same infrastructure used by the COBALT DICKENS group in a previous campaign.
Iranian hacking activity is intensifying in the last years, security firms uncovered the activities of many Iran-linked APT groups.
The US Department of Justice and Department of the Treasury in March announced charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme, the hackers hit more than 300 universities and tens of companies in the US and abroad and stole “valuable intellectual property and data.”
According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.
Geoffrey Berman, US Attorney for the Southern District of New York revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and about 8,000 accounts were compromised.
The Iranian hackers exfiltrated 31 terabytes, roughly 15 billion pages of academic projects were stolen.
The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.
The sanctions also hit the Mabna Institute, an Iran-based company, that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.
“In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian nationals in connection with COBALT DICKENS activity occurring between 2013 and 2017.” concludes the report.
“Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members.”