SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.
The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.
Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.
Many of the domains were registered between May and August 2018, the most recent of them on August 19. Most of the identified domains resolved to the same IP address and DNS name server.
The attacks share infrastructure with a previously observed campaign associated with the Iran-linked COBALT DICKENS hackers. In March, the United States indicted the Mabna Institute and nine Iranian nationals in connection with the group’s activity between 2013 and 2017.
According to the U.S. Department of Justice, the hackers targeted the accounts of more than 100,000 university professors worldwide and managed to compromise around 8,000 of them. The actors were also said to have stolen 31 terabytes of academic data and intellectual property.
“Many threat groups do not change their tactics despite public disclosures, and analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” SecureWorks says.
It is not uncommon for threat actors to target universities when looking to steal intellectual property. Not only are universities more difficult to secure compared to finance or healthcare organizations, but they are also highly attractive because they develop cutting-edge research and can attract global researchers and students, SecureWorks points out.