U.S. cyber security company SecureWorks, a subsidiary of Dell Technologies, has issued a report attributing numerous fake university websites to a previously identified Iranian hacker group it tracks as COBALT DICKENS. The sites target legitimate university users in order to harvest their credentials and give the Iranian government access to university library holdings.
According to researchers at the SecureWorks Counter Threat Unit (CTU), COBALT DICKENS created fake university library login pages that record the username and password a visitor types in. Once a user submitted credentials, the fake page redirected them to the real university library login page, where the user would re-enter the credentials and log in normally, unaware that anything had happened. The COBALT DICKENS hackers could then use the captured credentials to log in to the same library system and its contents.
SecureWorks CTU researchers report that universities in Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States, among other countries, were targeted by COBALT DICKENS, with the most recent fake university library login page created on 19 August 2018.
“Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students,” the report’s authors write.
According to SecureWorks, this is not the first time that COBALT DICKENS has been involved in this kind of activity.
“The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government. In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems,” the CTU researchers write.
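The two tradecraft details above, lookalike domains and credential-harvesting login pages that forward the victim to the real site, are what a university security team can actually hunt for. The script below is an added example, not SecureWorks CTU code and not based on any domain from the report: it triages newly observed hostnames (for example from DNS logs or certificate-transparency feeds) against a constructed list of legitimate library login hosts and flags the common lookalike patterns, namely homoglyph substitutions, the institution's brand reused as a subdomain or inside an attacker-owned registrable domain, and typosquats within a small edit distance. The legitimate hosts, the public-suffix subset and the sample candidates are all constructed for illustration.

```python
"""Lookalike-domain triage for the phishing pattern the article describes:
a host that resembles a university library login page harvests credentials
and forwards the victim to the real site.

Added example, not SecureWorks CTU code. The legitimate hosts, the public
suffix subset and the candidate domains are constructed for illustration."""
import unicodedata

# Constructed: the library login hosts an institution wants to protect.
LEGITIMATE_HOSTS = [
    "library.example-university.edu",
    "login.lib.example-college.ac.uk",
]

# Constructed subset of public suffixes; a real deployment would load the
# Public Suffix List instead of hard-coding these.
PUBLIC_SUFFIXES = ("ac.uk", "edu.au", "edu", "com", "net", "org", "info")

# Characters and digraphs that read as Latin letters in a browser address bar.
# The first five are Cyrillic a, e, o, p, c.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "0": "o", "1": "l", "3": "e", "5": "s", "vv": "w",
}


def normalize(host: str) -> str:
    """Lowercase, drop accents, and fold confusable characters so that a
    Cyrillic-a 'example' and 'examp1e' both compare equal to 'example'."""
    host = host.strip().rstrip(".").lower()
    host = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS.items():
        host = host.replace(src, dst)
    return host


def split_host(host: str):
    """Return (subdomain labels, registrable domain), where the registrable
    domain is the label left of the longest matching public suffix plus
    that suffix, e.g. 'a.b.example.ac.uk' -> (['a', 'b'], 'example.ac.uk')."""
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[:-1], labels[-1] + "." + suffix
    labels = host.split(".")
    return labels[:-2], ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between registrable domains means typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, legitimate_hosts=LEGITIMATE_HOSTS, max_distance=2):
    """Return (verdict, matched legitimate host). Verdicts, in the order checked:
    legitimate, homoglyph, brand-in-subdomain, brand-in-registrable,
    typosquat, no-match."""
    raw = candidate.strip().rstrip(".").lower()
    _, raw_reg = split_host(raw)
    sub, reg = split_host(normalize(candidate))
    legit = [(h, split_host(normalize(h))[1]) for h in legitimate_hosts]
    # Pass 1: same registrable domain as a protected host. If the match only
    # appears after folding confusables, the registrable domain is a homoglyph.
    for host, lreg in legit:
        if reg == lreg:
            return ("homoglyph" if raw_reg != reg else "legitimate", host)
    # Pass 2: the institution's brand label reused elsewhere, or a near miss.
    for host, lreg in legit:
        brand = lreg.split(".")[0]
        if any(brand in label for label in sub):
            return ("brand-in-subdomain", host)
        if brand in reg.split(".")[0]:
            return ("brand-in-registrable", host)
        if levenshtein(reg, lreg) <= max_distance:
            return ("typosquat", host)
    return ("no-match", None)


def triage(candidates):
    """Classify a batch of observed hosts and return only the suspicious ones."""
    results = []
    for candidate in candidates:
        verdict, match = classify(candidate)
        if verdict not in ("legitimate", "no-match"):
            results.append((candidate, verdict, match))
    return results


if __name__ == "__main__":
    # Constructed sample input; none of these are domains from the report.
    observed = [
        "library.example-university.edu",
        "library.example-university.edu.evil-login.com",
        "library.example-univesity.edu",
        "lib-example-college-login.com",
        "library.ex\u0430mple-university.edu",
        "unrelated-site.org",
    ]
    for host, verdict, match in triage(observed):
        print(f"{verdict:<22} {host}  (resembles {match})")
```

The verdicts are deliberately coarse: a hit is a reason to pull the candidate's registration date, certificate and page content, not proof of phishing on its own. The one check this heuristic cannot make is the redirect itself; for that, web-proxy or browser telemetry showing a POST to a flagged host immediately followed by a visit to the real login page is the signal to look for.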
The activities of the COBALT DICKENS hackers have already been brought to the attention of the U.S. Department of Justice. In March 2018 the U.S. government indicted an Iranian organization called the Mabna Institute, together with nine Iranian citizens believed to be part of the COBALT DICKENS group, for phishing and other social engineering activities against U.S. targets between 2013 and 2017.
Despite the public exposure of COBALT DICKENS methods and the U.S. indictment, CTU researchers note that the group has continued to use the same tactics and tools against its latest round of victims.