Iran-Linked Hacking Group Targets 60 Universities Around the World

Iran-linked hacking group is backed by Iran’s Revolutionary Guards (IRGC)
As of September 2019, IRGC-linked hackers have targeted at least 380 universities in over 30 countries

By Armin Baldwin

Cobalt Dickens, an Iranian state-sponsored hacking group, attacked more than 60 universities in the US, the UK, and Australia. The attacks attempt to steal research and intellectual property.

The Iranian hacking operation involved a global phishing campaign that attempts to steal usernames and passwords from its targets, which include universities in 14 countries.

The hacking group is backed by Iran’s Revolutionary Guards (IRGC).

Secureworks, a cybersecurity firm owned by Dell, has discovered the phishing campaign launched by the Iran-linked hacking group and published details about the attacks, which took place in July and August.

“This campaign is evaluated at ranging academic research that can be applied for economic and other benefits, and is an order response to US sanctions and an exodus of academic talent from Iran to countries where they are able to pool in and benefit from open and collaborative academic research,” Allison Wikoff, senior security researcher at Secureworks, told ZDNet.

Nine members of the hacking group have been indicted by the US Department of Justice for conducting cyber-theft campaigns on behalf of the IRGC. But Secureworks’ findings show the hacking group’s operations continue.

The operation is similar to the group’s campaign in August 2018, which also relied on library-themed emails.

What is Cobalt Dickens and how does it operate?

The hackers send an email about library services that asks the recipient to click on a link to upgrade.

The phishing emails are based around online library services, like previous attacks by the group. When recipients click on the link, they are taken to a website that siphons their credentials. While previous campaigns used a URL shortener to obscure the web address of the spoofed library login page, this time the attackers are using a spoofed URL that appears to be genuine.

Those who click on the link are taken to a web page that looks very similar – or even identical – to the library resource of that university and are asked to enter their login credentials, an act which supplies their username and password to the attackers. To avoid arousing suspicion, the user is redirected to the legitimate version of the spoofed site after their details are entered.

To help run this latest campaign, Cobalt Dickens registered at least 20 new domains on the .ml, .ga, .cf, .gq, and .tk top-level domains, complete with valid SSL certificates – all of the malicious domains have been detailed in the full write-up of the attacks.
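Because the spoofed pages carry valid certificates, HTTPS tells a defender nothing here; the hostname is the usable signal. The following triage of clicked URLs from mail-gateway or proxy logs is an added example, not code from Secureworks or the original article, and the institution domain `uni-northfield.example`, the sample URLs and the rating names are all constructed assumptions.

```python
from urllib.parse import urlsplit

# TLDs the article names for the spoofed library login pages.
CAMPAIGN_TLDS = {"ml", "ga", "cf", "gq", "tk"}

def host_of(url):
    """Lowercased hostname of a URL or bare host/path string ('' if none)."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(url, legit_domains):
    """Rate a clicked URL against the institution's real domains."""
    host = host_of(url)
    if not host:
        return "none"
    # The exact domain or a true subdomain of it is the real site.
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return "legitimate"
    dotted = "." + host
    # Real domain used as leading labels (library.uni.example.cf), or its
    # name label reused inside a new registration (uni-library.ml).
    imitates = any(
        ("." + d + ".") in dotted or d.split(".")[0] in host
        for d in legit_domains
    )
    on_campaign_tld = host.rsplit(".", 1)[-1] in CAMPAIGN_TLDS
    if imitates and on_campaign_tld:
        return "high"
    if imitates:
        return "medium"
    # The TLD alone is weak evidence: unrelated sites use these TLDs too.
    return "low" if on_campaign_tld else "none"

# Constructed sample data; uni-northfield.example is a made-up institution.
LEGIT = ["uni-northfield.example"]
SAMPLE_URLS = [
    "https://library.uni-northfield.example/search",
    "https://library.uni-northfield.example.cf/login",
    "https://uni-northfield-library.ml/",
    "https://library.uni-northfield.example.evil.test/",
    "weather.tk/today",
]

def triage(urls, legit_domains=LEGIT):
    """Map each URL to its rating."""
    return {u: classify(u, legit_domains) for u in urls}

if __name__ == "__main__":
    for url, rating in triage(SAMPLE_URLS).items():
        print(f"{rating:10} {url}")
```
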

This group also employs publicly available tools and code taken from GitHub to help conduct the attacks in a way that allows them to avoid using malware, so they can hide from cybersecurity software and endpoint protection tools.

As of September 2019, IRGC-linked hackers have targeted at least 380 universities in over 30 countries, and some have been targeted multiple times. It’s believed the attacks targeting faculty and students will continue.