UK universities targeted by Iranian hackers

Cyber intellectual property thieves have targeted more than 70 universities in the UK and 13 other countries, according to the Secureworks Counter Threat Unit (CTU).

The campaign is believed to have been aimed at stealing research by the targeted universities and has been linked to the Cobalt Dickens threat group associated with the Iranian government.

Researchers at Secureworks uncovered the campaign when they discovered a webpage spoofing a login page for a university. Further research into the IP address hosting the spoofed web page revealed a broader campaign to steal credentials.

Some 16 domains contained over 300 spoofed websites and login pages for 76 universities located in the UK and 13 other countries, including the US, Canada, China, Israel, Switzerland, Australia and Japan.

After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to re-enter their credentials.

Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources.

The researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis.

Many of the domains were registered between May and August 2018, with the most recent being registered on 19 August. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.

Most of the domains observed in this campaign resolved to the same IP address and DNS name server. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains.

The targeting of online academic resources is similar to previous cyber operations by the Iranian cyber attack group. In those operations, which also shared infrastructure with the August attacks, the Cobalt Dickens group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.

In March 2018, the US Department of Justice indicted the Mabna Institute and nine Iranian nationals in connection with the threat group’s activity between 2013 and 2017.

Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that Cobalt Dickens is likely to be responsible for the latest university targeting despite the indictments against some of its members.