On the heels of Iran driving a disinformation campaign on Facebook, researchers have discovered a spoofed university login page that appears to be part of a larger credential-theft campaign believed to be the work of COBALT DICKENS, a threat group associated with the Iranian government.
According to the Counter Threat Unit (CTU) research team at Secureworks, 16 domains contained more than 300 spoofed websites and 76 university login pages across 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
Unsuspecting victims who entered their login credentials into the spoofed pages were then redirected to the legitimate website. Once there, users were either automatically logged into a valid session or asked to re-enter their credentials. “Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources,” researchers wrote.
On 23 March 2018, the Department of Justice issued indictment charges against nine Iranians alleged to be associated with the Iran-based company Mabna Institute, which reportedly conducted cyber-intrusion campaigns into the computer systems of universities around the globe between 2013 and 2017.
“These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries,” said Deputy Attorney General Rod Rosenstein.
Despite indictments in March 2018, the Iranian threat group is believed to still be targeting global universities to compromise credentials through the same spoofing tactics as previous attacks.
“Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students. CTU researchers have contacted various global partners to address this threat,” researchers wrote.