Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.

The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.

Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.

Many of the domains were registered between May and August 2018, the most recent of them on August 19. Most of the identified domains resolved to the same IP address and DNS name server.

The attacks share infrastructure with a previously observed campaign associated with the Iran-linked COBALT DICKENS hackers. In March, the United States indicted the Mabna Institute and nine Iranian nationals in connection with the group’s activity between 2013 and 2017.

Advertisement. Scroll to continue reading.

According to the U.S. Department of Justice, the hackers targeted the accounts of more than 100,000 university professors worldwide and managed to compromise around 8,000 of them. The actors were also said to have stolen 31 terabytes of academic data and intellectual property.

“Many threat groups do not change their tactics despite public disclosures, and analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” SecureWorks says.

It is not uncommon for threat actors to target universities when looking to steal intellectual property. Not only are universities more difficult to secure compared to finance or healthcare organizations, but they are also highly attractive because they develop cutting-edge research and can attract global researchers and students, SecureWorks points out.

Related: U.S. Imposes Sanctions on Iranians for Hacking

Related: Six Months in Jail for University Email Hacker

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.