Cyber intellectual property thieves have targeted more than 70 universities in the UK and 13 other countries, according to the Secureworks Counter Threat Unit (CTU).
The campaign is believed to have been aimed at stealing research by the targeted universities and has been linked to the Cobalt Dickens threat group associated with the Iranian government.
Researchers at Secureworks uncovered the campaign when they discovered a webpage spoofing a login page for a university. Further research into the IP address hosting the spoofed web page revealed a broader campaign to steal credentials.
Some 16 domains contained over 300 spoofed websites and login pages for 76 universities located in the UK and 13 other countries, including the US, Canada, China, Israel, Switzerland, Australia and Japan.
After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to re-enter their credentials.
Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources.
The researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis.
Many of the domains were registered between May and August 2018, with the most recent being registered on 19 August. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.
Most of the domains observed in this campaign resolved to the same IP address and DNS name server. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains.
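The pivot the researchers describe above (one spoofed login page, then the IP address and name server it shares with other domains, then the institutions those domains impersonate), as an added example not taken from the article or from Secureworks. Every domain, IP address and name server in it is constructed, the institution names are placeholders, and the similarity threshold is an assumption.

```python
# Added defender-side example: expand one confirmed spoofed login page into the
# set of domains that share its hosting, and flag which institution each mimics.
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed passive-DNS style records: (domain, resolved IP, name server).
# None of these values are indicators from the article; all are made up.
RECORDS = [
    ("library-exampleuni.com", "203.0.113.7", "ns1.example-host.net"),
    ("exampleuni-login.net", "203.0.113.7", "ns1.example-host.net"),
    ("lib.otheruni-access.org", "203.0.113.7", "ns1.example-host.net"),
    ("exampleuni.edu", "198.51.100.2", "ns.exampleuni.edu"),
    ("unrelated-shop.com", "192.0.2.9", "ns2.other-host.net"),
]

# Placeholder institutions to protect: distinctive token -> legitimate domain.
PROTECTED = {"exampleuni": "exampleuni.edu", "otheruni": "otheruni.ac.uk"}
# Words that suggest a page is themed on library or login access (assumed list).
LIBRARY_HINTS = ("lib", "library", "login", "access", "ezproxy")

def cluster_by_infrastructure(records):
    """Group domains by the (IP, name server) pair they resolve through."""
    clusters = defaultdict(list)
    for domain, ip, ns in records:
        clusters[(ip, ns)].append(domain)
    return dict(clusters)

def lookalike_of(domain, protected=PROTECTED, threshold=0.8):
    """Return the legitimate domain this one impersonates, or None.
    A label part that equals a protected token, or is at least `threshold`
    similar to it (catches one-character typosquats), counts as a lookalike;
    the institution's own domain is never flagged."""
    if domain in protected.values():
        return None
    for label in domain.split("."):
        for part in label.replace("-", " ").split():
            for token, real in protected.items():
                if part == token or SequenceMatcher(None, part, token).ratio() >= threshold:
                    return real
    return None

def expand_campaign(seed, records):
    """From one confirmed spoofed domain, return every domain sharing its hosting,
    with the institution it impersonates and whether it is library/login themed."""
    for domains in cluster_by_infrastructure(records).values():
        if seed in domains:
            return {d: {"impersonates": lookalike_of(d),
                        "library_themed": any(h in d for h in LIBRARY_HINTS)}
                    for d in domains}
    return {}
```

Running expand_campaign on the seed "library-exampleuni.com" returns the three co-hosted constructed domains, each tagged with the institution it mimics; the legitimate exampleuni.edu record sits on different infrastructure and is never flagged.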
The targeting of online academic resources is similar to previous cyber operations by the Iranian cyber attack group. In those operations, which also shared infrastructure with the August attacks, the Cobalt Dickens group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.
Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that Cobalt Dickens is likely to be responsible for the latest university targeting despite the indictments against some of its members.
Universities attractive targets
Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organisations, universities are known to develop cutting-edge research.
The CTU researchers have contacted various global partners to address this threat. They believe this widespread spoofing of login pages to steal credentials reinforces the need for organisations to incorporate multifactor authentication using secure protocols and implement complex password requirements on publicly accessible systems.
CTU researchers recommend that organisations implement training programs to educate users about security threats, including guidance for recognising and reporting suspicious emails.