Iranian hackers resume credential-stealing phishing attacks against universities around the world

An Iranian hacking operation has expanded a global phishing campaign that targets universities in an attempt to steal usernames and passwords.

Dubbed Colbalt Dickens, the campaign was initially detailed in August last year, with researchers at Secureworks blaming cyberattacks targeting universities in 14 countries on a hacking group linked to the Iranian government. The purpose of the attacks is to steal intellectual property, which can either be exploited or sold on for profit.

"This campaign is aimed at accessing academic research that can be applied for economic and other benefits, and is a direct response to sanctions and an exodus of academic talent from Iran to countries where they are able to participate in and benefit from open and collaborative academic research," Allison Wikoff, senior security researcher at Secureworks told ZDNet.  

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Nine members of the group have been indicted by the US Department of Justice for conducting cyber-theft campaigns on behalf of the Iranian military – the Islamic Revolutionary Guard Corps – but that hasn't had any impact on the hacking group's operations, because despite these targeted attacks are still taking place.

Now the Secureworks Counter Threat Unit (CTU) has detailed new attacks by Colbalt Dickens, which took place in July and August this year. Over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland have been targeted in a new global phishing campaign.

Like previous attacks by the group, the phishing emails are based around online library services, claiming the user needs to reactive their account by clicking a link. While previous campaigns used a URL shortener to obscure the web address of the spoofed library login page, this time the attackers are using a spoofed URL that appears to be genuine.

Those who click the link are directed to a web page that looks very similar – or even identical – to the library resource of that university and asked to enter their login credentials, an act which provides their username and password to the attackers. To avoid arousing suspicion, the user is directed to the legitimate version of the site being spoofed after their details are entered.

To help run this latest campaign, Cobalt Dickens registered at least 20 new domains, complete with valid SSL certificates on .ml, .ga, .cf, .gq and .tk domains – all of the malicious domains have been detailed in the full write-up of the attacks.

The group also employs publicly available tools and code taken from GitHub to help conduct the attacks in a way that allows them to avoid using malware, so they can remain undetected by cybersecurity software.

As of September 2019, it's thought that Iranian hackers have targeted at least 380 universities in over 30 countries – with some targeted multiple times – and it's believed the attacks targeting faculty and students will continue.

SEE MORE: Phishing: The most popular brands used to target your data

To help counter the threat of phishing attacks, researchers recommend that universities and educational institutions implement multi-factor authentication.

"While implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure. CTU researchers recommend that all organizations protect Internet-facing resources with MFA to mitigate credential-focused threats," said Wikoff.

Universities make an attractive target for cyber attackers because, not only do they contain vast amounts of intellectual property and cutting-edge research, they're also not as heavily regulated as other industries such as finance.

MORE ON CYBER CRIME

• Phishing attacks: Why is email still such an easy target for hackers?
• How to spot a phishing email CNET
• Hackers broke into university networks in just two hours
• Phishing alert: 80% of companies lack DMARC policies to protect against spoofing  TechRepublic
• Phishing attacks: Why we're still losing the battle against phoney emails