Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked Hackers Again Target Universities

Iran-linked threat actor COBALT DICKENS has launched a new phishing campaign targeting universities around the world, similar to an operation launched in August 2018, Secureworks reveals.

Iran-linked threat actor COBALT DICKENS has launched a new phishing campaign targeting universities around the world, similar to an operation launched in August 2018, Secureworks reveals.

Believed to be associated with the Iranian government, the group targeted websites and login pages for 76 universities in 14 countries last year, and the newly discovered campaign was similarly large.

In July and August 2019, the phishing operation launched by COBALT DICKENS targeted over 60 universities in Australia, the United States, the United Kingdom, Canada, Hong Kong, and Switzerland.

As part of the attack, the actor sent library-themed phishing emails containing links to spoofed login pages for resources associated with the targeted universities. Unlike previous campaigns, the messages in the new attacks used a spoofed URL instead of shortened links.

As soon as a recipient clicked on the link, they were taken to a web page similar to the spoofed library resource. After the victims enter their credentials, they are redirected to the next.php file and then to the legitimate website being spoofed, while the credentials are stored locally in the pass.txt file.

The hackers registered at least 20 new domains for the campaign, and used the Freenom domain provider for that.

The domains use valid SSL certificates, likely to make the spoofed pages appear authentic. Most certificates were issued by Let’s Encrypt, but previous campaigns leveraged certificates issued by Comodo.

To spoof login pages, COBALT DICKENS uses publicly available tools that allow them to copy entire pages of targeted university resources. The attackers sometimes would use older copied versions of target websites, Secureworks’ security researchers have discovered.

The metadata in other spoofed web pages suggests that the threat actors are of Iranian origin (an Iran-related timestamp was observed in a page copied on August 3).

To date, the threat actor has been observed targeting at least 380 universities in over 30 countries, with many of them hit multiple times. Despite public disclosure, takedown attempts and law enforcement activity, the actor hasn’t changed operations.

“Some educational institutions have implemented multi-factor authentication (MFA) to specifically address this threat. While implementing additional security controls like MFA could seem burdensome in environments that value user flexibility and innovation, single-password accounts are insecure,” Secureworks notes.

The security researchers also published a list of known domains associated with COBALT DICKENS operations.

Related: Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks

Related: Iran-Linked Malware Shared by USCYBERCOM First Seen in December 2016: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...