Iranian govt hackers phishing universities worldwide – Secureworks

31 Aug 2018

Earlier this month, the Secureworks Counter Threat Unit (CTU) discovered a URL spoofing a university login page.

Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials from students and faculty members.

The team found sixteen domains hosting more than 300 spoofed websites and login pages for 76 universities in 14 countries, including China, Japan, Switzerland, the US, Turkey, and Australia.

Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors were intent on gaining access to these resources.

Many of the domains were registered between May and August 2018, the most recent on August 19. The registration dates indicate the infrastructure supporting the campaign was still being built when CTU researchers discovered the activity.

The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government.

In those operations, which shared infrastructure with the August activity, the group created lookalike domains to phish targets and used the stolen credentials to take intellectual property from specific resources, including library systems.
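The article does not describe how the lookalike domains were built, so the check below is an added illustration, not Secureworks' tooling or data: it flags newly seen domains that either embed a university's library host (for example the real hostname stuffed into a subdomain, or its dots turned into hyphens) or whose second-level label sits within a small edit distance of the real one after folding common homoglyphs. The `LEGIT_HOSTS` and `CANDIDATES` values are constructed, and the registrable-domain split is deliberately crude; a production version would use a public-suffix list.

```python
"""Flag registered domains that resemble a university's library login host.

Added example for this article; not Secureworks code. All hostnames and
candidate domains below are constructed for illustration.
"""
import re

# Constructed: legitimate library login hosts an institution would protect.
LEGIT_HOSTS = [
    "library.example-university.edu",
    "login.lib.example-university.edu",
]

# Constructed: a feed of newly registered domains / observed URL hosts.
CANDIDATES = [
    "library.example-university.edu",            # genuine, must not be flagged
    "library-example-university.edu.co",         # dots turned into hyphens, foreign TLD
    "example-university.edu.library-login.com",  # real host embedded as a subdomain
    "exarnple-university.edu",                   # 'rn' standing in for 'm'
    "weather-forecast.net",                      # unrelated
]

# Character pairs that render alike in many fonts; folded before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize(label):
    """Lower-case a DNS label and fold common homoglyph substitutions."""
    label = label.lower()
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label


def registrable(host):
    """Return the last two labels (crude: ignores multi-part suffixes like co.uk)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a, b):
    """Classic edit distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit_hosts, max_distance=2):
    """Return (reason, legit_domain) if the candidate looks like a lookalike, else None."""
    cand_reg = registrable(candidate)
    legit_regs = sorted({registrable(h) for h in legit_hosts})
    if cand_reg in legit_regs:
        return None  # same registrable domain as a legitimate host: not a lookalike
    cand_flat = re.sub(r"[.-]", "", candidate.lower())
    cand_sld = normalize(cand_reg.split(".")[0])
    for legit in legit_regs:
        # Real domain embedded in a subdomain or with separators stripped/changed.
        if re.sub(r"[.-]", "", legit) in cand_flat:
            return ("embedded", legit)
        # Second-level label within a small edit distance after homoglyph folding.
        if levenshtein(cand_sld, normalize(legit.split(".")[0])) <= max_distance:
            return ("typosquat", legit)
    return None


def flag_lookalikes(candidates, legit_hosts):
    """Map each suspicious candidate to its (reason, legit_domain)."""
    flagged = {}
    for host in candidates:
        verdict = classify(host, legit_hosts)
        if verdict is not None:
            flagged[host] = verdict
    return flagged


if __name__ == "__main__":
    for host, (reason, legit) in flag_lookalikes(CANDIDATES, LEGIT_HOSTS).items():
        print(f"{host:45} {reason:10} resembles {legit}")
```

The edit-distance threshold is the knob to watch: a distance of 2 is reasonable for a long label such as `example-university`, but for short institutional names it will match unrelated domains, so in practice the threshold should scale with label length and hits should feed a review queue rather than an automatic block.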

SecurityBrief spoke to Secureworks senior security researcher Alex Tilley to get a more in-depth look at the attacks.

Why are universities attractive targets for threat actors?

We suspect universities may be of interest to nation-state threat actors due to the often unquantifiable value associated with research that students and professors are completing. The ability to steal such knowledge in order to advance the skillset and intellectual abilities of an attacking nation can be appealing.

Academic research takes significant investment in time, effort and funding, making it an attractive target.

How did COBALT DICKENS target universities in different countries and steal their credentials?

As far as we can tell, the same method of phishing was used across all of the universities targeted.

For this attack, the universities’ network credentials, primarily students’ and professors’ library credentials, were used to gain access to the system.

How can universities prevent these attacks from happening in the future?

Implementing access controls such as two-factor authentication would have limited this specific attack.

In this instance, the phishers were only seeking usernames and passwords, which wouldn’t be of value without the authentication code.

When possible, tight access restrictions to specific research and data stores should be applied in order to prevent that broad targeting of students and staff.

By putting in access rules, people, including threat actors, won’t be able to access large amounts of data.

What are other types of organisations susceptible to these types of attacks?

All organisations are vulnerable to phishing attacks and data theft.

Some verticals invest heavily in two-factor authentication and account behavioural analytics to pick up when accounts are acting “outside the norm”, as well as tight security controls. These controls can be expensive and take effort to implement, and are often tied to the value given to the data or funds to be protected.

How did the CTU team identify COBALT DICKENS?

A tip from a client gave us the first URL and our analysis progressed from there until we mapped what we believe is most of the attack infrastructure as it was being set up by the attackers.

We were fortunate in the sense that we were able to catch the attackers while they were rolling this campaign out rather than after they had completed it.
