The Counter Threat Unit (CTU) from UK-based cyber security firm Secureworks published a report stating that 76 universities around the world have been targeted. The attackers, they say, are “linked to the Cobalt Dickens threat group associated with the Iranian government.”
Academic institutions in Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States are said to have been attacked. While their investigation is still underway, the CTU has not named the exact universities under attack – but they have confirmed that those targeted include universities listed in the ranks of the Times Higher Education Top 50 list.
According to Secureworks, research into the IP addresses hosting the spoof pages revealed just how far-reaching the mass-scale campaign actually was: 16 web domains contained over 300 spoof websites and login pages for 76 universities in 14 countries.
Researchers discovered that the hacking campaign involved creating fake login pages for each university. After academics entered in their login details and passwords on the spoof pages, victims were then redirected back to the legitimate website, where they were logged into a valid session or were asked to enter their details again; leaving unsuspecting victims unaware that they had just handed over the keys to their university data.
The CTU investigation suggests that the hackers were after research and academic information, with fake domains often referencing the universities’ online libraries.
In March, the US Department of Justice indicted the Mabna Institute and nine Iranians with ties to Cobalt Dickens over activity occurring between 2013 and 2017, leading researchers to believe that the same groups may be behind the mass academic data breach. The indictment alleged that over 31 terabytes of information was stolen from over 140 universities, 30 companies and five government agencies in the USA.
“Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that Cobalt Dickens may be responsible for the university targeting despite the indictments of some members,” the statement said.