Security Experts:

Connect with us

Hi, what are you looking for?



Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.

Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.

Many of the domains were registered between May and August 2018, the most recent of them on August 19. Most of the identified domains resolved to the same IP address and DNS name server.

The attacks share infrastructure with a previously observed campaign associated with the Iran-linked COBALT DICKENS hackers. In March, the United States indicted the Mabna Institute and nine Iranian nationals in connection with the group’s activity between 2013 and 2017.

According to the U.S. Department of Justice, the hackers targeted the accounts of more than 100,000 university professors worldwide and managed to compromise around 8,000 of them. The actors were also said to have stolen 31 terabytes of academic data and intellectual property.

“Many threat groups do not change their tactics despite public disclosures, and analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” SecureWorks says.

It is not uncommon for threat actors to target universities when looking to steal intellectual property. Not only are universities more difficult to secure compared to finance or healthcare organizations, but they are also highly attractive because they develop cutting-edge research and can attract global researchers and students, SecureWorks points out.

Related: U.S. Imposes Sanctions on Iranians for Hacking

Related: Six Months in Jail for University Email Hacker

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...