Uni credential-swiping hack campaign linked to Iranian government

US infosec biz Secureworks reckons it has uncovered a login credential-hoovering operation linked to Iran that targeted universities across a number of Western nations.

Secureworks' Counter Threat Unit (CTU) found a mass credential-stealing campaign targeting over 70 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the UK and US. The company pinned this on a hacker crew it has dubbed Cobalt Dickens, which it alleged is associated with the Iranian government.

Having found a URL pointing to a spoofed login page for a university's website, Secureworks did some IP address-based research and identified a network of 16 domains with more than 300 spoofed websites. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal login credentials.

After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session, or were prompted to re-enter their details.

"Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources," Secureworks said.

"Many of the domains were registered between May and August 2018, with the most recent being registered on August 19. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity."

In March the American Department of Justice charged nine Iranians with carrying out a series of attacks on more than 300 universities and 47 companies. Those individuals were said to have been linked to an Iranian company called the Mabna Institute, which the Americans said at the time was engaged in theft of academic logins and data.

Secureworks said that its Cobalt Dickens group was linked to both the Mabna Institute and the charged Iranians.

Defending one's institution against such attacks is straightforward: implement two-factor authentication and ensure technological security measures are fully up to date with the latest vendors' patches. ®