
Iranian govt hackers phishing universities worldwide – Secureworks

31 Aug 18

Earlier this month, the Secureworks Counter Threat Unit (CTU) discovered a URL which was spoofing a login page for a university.

After further research into the IP address hosting the spoofed page, it was revealed that a broader campaign to steal student and faculty members' credentials was in place.

The team found sixteen domains which contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including China, Japan, Switzerland, US, Turkey, and Australia.

Numerous spoofed domains referenced the targeted universities’ online library systems, which indicates the threat actors were intent on gaining access to these resources.

Many of the domains were registered between May and August 2018, with the most recent being registered on August 19.

Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.

The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government.

In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.
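As an added illustration of the lookalike-domain technique described above (this is not Secureworks' tooling or code from the article), the following Python sketch flags newly registered domains that imitate a university's library login host. The legitimate hostnames and the candidate domain list are constructed examples, not the real infrastructure.

```python
import difflib
import re

# Constructed legitimate library login hosts (hypothetical institutions).
LEGIT_LIBRARY_HOSTS = ["library.example-uni.edu", "lib.sampleuniversity.ac.uk"]

# Constructed stand-in for a feed of newly registered domains.
NEW_DOMAINS = [
    "library-exampleuni.com",          # institution name + "library" on a new TLD
    "example-uni.edu.lib-login.net",   # whole legitimate host embedded as a subdomain
    "sampleuniversity-library.org",    # institution name with dot/hyphen variation
    "library.exarnple-uni.edu",        # near miss: 'rn' in place of 'm'
    "weather-forecast.org",            # benign, unrelated
    "unrelated-college.edu",           # benign, unrelated
]

# Labels too common to identify an institution on their own.
GENERIC = {"www", "library", "lib", "login", "edu", "ac", "uk", "com", "org", "net"}

def normalise(host: str) -> str:
    """Lowercase and drop separators so 'example-uni' and 'exampleuni' compare equal."""
    return re.sub(r"[^a-z0-9]", "", host.lower())

def institution_token(host: str) -> str:
    """Most distinctive label of a legitimate host: the longest non-generic label."""
    labels = [l for l in host.lower().split(".") if l not in GENERIC]
    return normalise(max(labels, key=len)) if labels else normalise(host)

def is_lookalike(candidate: str, legit: str, threshold: float = 0.8) -> bool:
    """Flag a candidate that embeds the institution's name under another registrable
    domain, or is a near miss of the legitimate host by overall string similarity."""
    if candidate.lower() == legit.lower():
        return False
    if institution_token(legit) in normalise(candidate):
        return True
    ratio = difflib.SequenceMatcher(None, normalise(candidate), normalise(legit)).ratio()
    return ratio >= threshold

def find_lookalikes(domains, legit_hosts):
    """Return {candidate: legitimate host it imitates} for every flagged domain."""
    hits = {}
    for dom in domains:
        for legit in legit_hosts:
            if is_lookalike(dom, legit):
                hits[dom] = legit
                break
    return hits

if __name__ == "__main__":
    for dom, target in find_lookalikes(NEW_DOMAINS, LEGIT_LIBRARY_HOSTS).items():
        print(f"{dom} looks like {target}")
```

In practice the candidate list would come from a newly-registered-domain feed or certificate transparency logs, and each hit would be reviewed before any blocking decision.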

SecurityBrief spoke to Secureworks senior security researcher Alex Tilley to get a more in-depth look at the attacks.

Why are universities attractive targets for threat actors?

We suspect universities may be of interest to nation-state threat actors due to the often unquantifiable value associated with research that students and professors are completing. The ability to steal such knowledge in order to advance the skillset and intellectual abilities of an attacking nation can be appealing.

Academic research takes significant investment in time, effort and funding, making it an attractive target.

How did COBALT DICKENS target universities in different countries and steal their credentials?

As far as we can tell, the same method of phishing was used across all of the universities targeted.

For this attack, the universities’ networks, primarily students’ and professors’ library credentials, were used to gain access to the system.

How can universities prevent these attacks from happening in the future?

Implementing access controls such as two-factor authentication would have limited this specific attack.

In this instance, the phishers were only seeking usernames and passwords, which wouldn’t be of value without the authentication code.

When possible, tight access restrictions to specific research and data stores should be applied in order to prevent that broad targeting of students and staff.

By putting in access rules, people, including threat actors, won’t be able to access large amounts of data.

What other types of organisations are susceptible to these types of attacks?

All organisations are vulnerable to phishing attacks and data theft.

Some verticals invest heavily in two-factor authentication and account behavioural analytics to pick up when accounts are acting “outside the norm”, as well as tight security controls. These controls can be expensive and take effort to implement, and are often tied to the value given to the data or funds to be protected.

How did the CTU team identify COBALT DICKENS?

A tip from a client gave us the first URL and our analysis progressed from there until we mapped what we believe is most of the attack infrastructure as it was being set up by the attackers.

We were fortunate in the sense that we were able to catch the attackers while they were rolling this campaign out rather than after they had completed it.
