
Iranian govt hackers phishing universities worldwide – Secureworks

31 Aug 2018

Earlier this month, the Secureworks Counter Threat Unit (CTU) discovered a URL which was spoofing a login page for a university.

Further research into the IP address hosting the spoofed page revealed that a broader campaign to steal student and faculty members' credentials was under way.

The team found sixteen domains containing over 300 spoofed websites and login pages for 76 universities in 14 countries, including China, Japan, Switzerland, the US, Turkey, and Australia.

Numerous spoofed domains referenced the targeted universities' online library systems, which indicates the threat actors were intent on gaining access to these resources.

Many of the domains were registered between May and August 2018, with the most recent being registered on August 19.

Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.
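The pattern described above, lookalike domains that borrow an institution's name and a library or login keyword, is one a university SOC can screen for in a feed of new domain registrations. The following is an added example written for this article, not Secureworks CTU tooling; every hostname in it, including the "legitimate" set, is a constructed placeholder, and the public-suffix handling is deliberately simplified (production code should use a real public suffix list).

```python
"""Triage newly registered domains for lookalikes of university login/library portals.

Added example for this article; it is not Secureworks CTU tooling. Every hostname
below is constructed for illustration and is not taken from the reported campaign.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed: the institution portals a defender wants to protect.
LEGIT_HOSTS = (
    "library.example-university.edu",
    "ezproxy.example-university.edu",
    "login.example-college.ac.uk",
)

# Tokens typical of the library systems and login pages the campaign spoofed.
PORTAL_KEYWORDS = ("library", "lib", "ezproxy", "login", "sso", "shibboleth", "idp")

# Simplified public-suffix handling; production code should use a real suffix list.
MULTI_LABEL_SUFFIXES = ("ac.uk", "co.uk", "edu.au", "edu.cn", "ac.jp", "edu.tr")


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'example-college.ac.uk'."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def org_token(host: str) -> str:
    """The organisation label of the registrable domain, e.g. 'example-university'."""
    return registrable_domain(host).split(".")[0]


@dataclass
class Finding:
    host: str
    severity: str  # "high": org lookalike plus portal keyword; "medium": org lookalike only
    reasons: list = field(default_factory=list)


def score_lookalike(candidate, legit_hosts=LEGIT_HOSTS, keywords=PORTAL_KEYWORDS, ratio_threshold=0.8):
    """Return a Finding if `candidate` impersonates one of `legit_hosts`, else None."""
    cand = candidate.lower().rstrip(".")
    legit_regs = {registrable_domain(h) for h in legit_hosts}
    legit_orgs = {org_token(h) for h in legit_hosts}

    if registrable_domain(cand) in legit_regs:
        return None  # the institution's own infrastructure, not a lookalike

    labels = cand.split(".")
    compare = set(labels) | {org_token(cand)}
    reasons = []
    for s in sorted(compare):
        for org in sorted(legit_orgs):
            if s == org:
                reasons.append(f"label '{s}' is the real org name under a foreign domain")
            elif org in s:
                reasons.append(f"label '{s}' embeds org name '{org}'")
            else:
                ratio = SequenceMatcher(None, s, org).ratio()
                if ratio >= ratio_threshold:
                    reasons.append(f"label '{s}' is a near-match of '{org}' (ratio {ratio:.2f})")
    if not reasons:
        return None  # keyword-only hits are too noisy to report on their own

    tokens = set(re.split(r"[.-]", cand))
    hits = sorted(k for k in keywords if k in tokens)
    if hits:
        reasons.append("portal keyword(s): " + ", ".join(hits))
    return Finding(cand, "high" if hits else "medium", reasons)


def triage(feed):
    """Run score_lookalike over a feed of new registrations and keep only the hits."""
    return [f for f in (score_lookalike(h) for h in feed) if f is not None]


# Constructed sample of a day's new registrations (none are real campaign domains).
SAMPLE_FEED = [
    "library.example-university.edu",       # legitimate: must not fire
    "lib-example-university.com",           # embeds org name + 'lib'
    "example-universty.com",                # typo-squat of the org name
    "example-university.login-portal.net",  # real org name as a subdomain label + 'login'
    "ezproxy.example-college.ac.uk",        # legitimate: must not fire
    "sso-example-college.co",               # embeds org name + 'sso'
    "news.unrelated-site.org",              # unrelated: must not fire
    "login.securemail-portal.com",          # keyword only: not reported
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f.severity.upper(), f.host)
        for r in f.reasons:
            print("   -", r)
```

Keyword-only names are intentionally not reported: "login" appears in countless benign registrations, and the signal in this campaign was the combination of an institution's name with a library or login term. Hits from a feed like this are a starting point for the IP pivot the article describes, not a verdict.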

The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government.

In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used the stolen credentials to take intellectual property from specific resources, including library systems.

SecurityBrief spoke to Secureworks senior security researcher Alex Tilley to get a more in-depth look at the attacks.

Why are universities attractive targets for threat actors?

We suspect universities may be of interest to nation-state threat actors due to the often unquantifiable value associated with research that students and professors are completing. The ability to steal such knowledge in order to advance the skillset and intellectual abilities of an attacking nation can be appealing.

Academic research takes significant investment in time, effort and funding, making it an attractive target.

How did COBALT DICKENS target universities in different countries and steal their credentials?

As far as we can tell, the same method of phishing was used across all of the universities targeted.

For this attack, the universities' network credentials, primarily students' and professors' library credentials, were used to gain access to the system.

How can universities prevent these attacks from happening in the future?

Implementing access controls such as two-factor authentication would have limited this specific attack.

In this instance, the phishers were only seeking usernames and passwords, which wouldn’t be of value without the authentication code.

When possible, tight access restrictions to specific research and data stores should be applied in order to prevent the broad targeting of students and staff.

By putting in access rules, people, including threat actors, won't be able to access large amounts of data.
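To make the two-factor point in the answer above concrete, here is an added example of a login that checks a password and then a TOTP code (RFC 6238), written for this article and not Secureworks code. The user record, password and "current time" values are constructed; the TOTP seed is the RFC 6238 reference secret, so the codes it produces match the published test vectors.

```python
"""Password plus TOTP (RFC 6238) second factor.

Added example for the interview answer above; it is not Secureworks code. The
user record, password and timestamps are constructed test values, and the TOTP
seed is the RFC 6238 reference secret.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock skew."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; the TOTP seed is the RFC 6238 reference secret.
SALT = os.urandom(16)
USER_DB = {
    "jdoe": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def authenticate(username: str, password: str, code: Optional[str], at: int) -> Tuple[bool, str]:
    """Password first, then TOTP. A phished password alone never completes the login."""
    rec = USER_DB.get(username)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], hash_password(password, SALT)):
        return False, "bad username or password"
    if code is None:
        return False, "second factor required"
    if not verify_totp(rec["totp_secret"], code, at):
        return False, "invalid or expired one-time code"
    return True, "ok"


if __name__ == "__main__":
    now = 255  # constructed "current time": counter 8 in the RFC 6238 vectors
    secret = USER_DB["jdoe"]["totp_secret"]
    # Attacker holds the phished password but no code.
    print(authenticate("jdoe", "correct horse battery staple", None, now))
    # Attacker replays a code captured a few minutes earlier (counter 1).
    print(authenticate("jdoe", "correct horse battery staple", hotp(secret, 1), now))
    # Legitimate user with the current code.
    print(authenticate("jdoe", "correct horse battery staple", totp(secret, now), now))
```

The replayed code fails because it belongs to a time step outside the acceptance window, which is what makes a harvested username and password alone insufficient. A TOTP code can still be relayed in real time by a proxying phishing page, so where that is a concern phishing-resistant factors such as FIDO2 security keys are the stronger choice.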

What are other types of organisations susceptible to these types of attacks?

All organisations are vulnerable to phishing attacks and data theft.

Some verticals invest heavily in two-factor authentication and account behavioural analytics to pick up when accounts are acting "outside the norm", as well as tight security controls. These controls can be expensive and take effort to implement, and are often tied to the value given to the data or funds to be protected.

How did the CTU team identify COBALT DICKENS?

A tip from a client gave us the first URL and our analysis progressed from there until we mapped what we believe is most of the attack infrastructure as it was being set up by the attackers.

We were fortunate in the sense that we were able to catch the attackers while they were rolling this campaign out rather than after they had completed it.
