Iranian Hacking Group Continues Targeting Universities
'Cobalt Dickens' Group Attempting to Steal Intellectual Property
A hacking group with suspected ties to Iran is continuing a campaign of targeting dozens of schools and universities with phishing emails to obtain credentials and then attempt to access and steal intellectual property, according to a new analysis by SecureWorks.
In July and August, the hacking group, which security researchers refer to as both "Cobalt Dickens" and "Secret Librarian," targeted 60 universities and colleges in the U.S., U.K., Australia, Canada, Hong Kong and Switzerland, the report says.
The hackers used logos and other materials copied from legitimate school websites to help craft realistic-looking phishing emails as well as spoofed login pages. These same techniques were also part of a similar campaign in 2018 that researchers from SecureWorks also investigated.
The researchers have identified 380 colleges and universities around the world that the hacking group has targeted over the past two years - some of them more than once, according to the analysis.
In this latest campaign, it's not clear whether Cobalt Dickens successfully stole intellectual property, although some hackers associated with the group have carried out thefts in the past, the report notes.
Cobalt Dickens is continuing its campaign even though at least nine of its alleged members were indicted by the U.S. Justice Department in March 2018 on charges that included computer intrusion, wire fraud and identity theft.
The nine alleged hackers belonged to an organization called the Mabna Institute, which bills itself as a research facility, although prosecutors suspect it has ties to Iran's Islamic Revolutionary Guard Corps, a paramilitary group that's also involved in cyberespionage, according to the indictment.
One of the institute's main goals was to help steal intellectual property, according to the indictment.
Despite the scrutiny from U.S. law enforcement and security researchers, the hacking group has continued to send out phishing emails to potential victims over the last 18 months, says Allison Wikoff, a senior researcher with SecureWorks' Counter Threat Unit.
"We have observed no change in operations since the 2018 incidents, which is what partially makes this activity so remarkable," Wikoff tells Information Security Media Group. "Cobalt Dickens still uses some of the infrastructure associated with the indictment activity."
Phishing Emails and Spoofed Sites
During its campaigns this year and last year, Cobalt Dickens used phishing emails to target victims in order to steal their credentials, researchers say. In most cases, these malicious messages looked like legitimate emails from a school's library services office, the research report notes.
Unlike last year’s campaign, which used shortened links to hide the malicious activity, the incidents this July and August involved emails that contained spoofed URLs that directed the victim to a phony page designed to look like a school's library services, the researchers say.
If the victim entered their credentials, that data was stored on servers controlled by the attackers, and the victim was then redirected to the legitimate library website, the SecureWorks researchers say.
In preparation for the campaign in July and August, Cobalt Dickens hackers registered 20 new domains to help spoof the universities' websites. In many cases, the spoofed sites presented valid Secure Sockets Layer certificates to give them a further air of authenticity, SecureWorks found.
In many cases, the SecureWorks researchers say, the Cobalt Dickens group used various free tools from GitHub and other coding repositories to help copy the login pages of these universities and help avoid detection. An analysis of the metadata found the hackers copying older versions of a school's website as part of the spoofing and phishing campaign, the report notes.
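The flow described above (a lookalike domain hosting a copied library login page, a credential POST, then a redirect to the real library site) leaves a recognizable footprint in web proxy logs. The script below is an added example written for this article; it is not code from SecureWorks, ISMG or the threat group. The institution's domain (example.edu), its legitimate library and login hosts, and the proxy log lines are all constructed for illustration. It flags two things: visits to hosts that impersonate the institution's domain (including typosquats such as "exampel"), and a POST to such a host that answers with a 3xx redirect to a legitimate host, which is exactly the harvest-then-redirect behaviour the report describes.

```python
"""Detect lookalike-domain visits and credential-harvest-then-redirect
patterns in proxy logs. Added example; domains and log lines are constructed."""
import re
from urllib.parse import urlsplit

# Constructed for this example: the registrable domain the institution owns,
# and the hostnames its real library/login services run on.
OWNED_DOMAINS = {"example.edu"}
LEGIT_HOSTS = {"library.example.edu", "login.example.edu"}

# Constructed proxy log lines: timestamp, client IP, method, URL, status, and
# the redirect target ("-" when none). Lines 1-3 model the harvest flow; line 4
# is a benign login; line 5 is a typosquat ("exampel") on an attacker domain.
SAMPLE_LOG = """\
2019-08-12T09:13:55Z 10.1.2.3 GET https://library-example.edu.co/login 200 -
2019-08-12T09:14:02Z 10.1.2.3 POST https://library-example.edu.co/login 302 https://library.example.edu/
2019-08-12T09:14:03Z 10.1.2.3 GET https://library.example.edu/ 200 -
2019-08-12T10:02:10Z 10.1.2.9 POST https://login.example.edu/idp 302 https://library.example.edu/
2019-08-12T11:30:41Z 10.1.2.7 GET https://exampel.edu.loginportal.net/ 200 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")


def registrable(host):
    """Crude eTLD+1 (last two labels). Real deployments should use the
    Public Suffix List; this is enough for the constructed .edu examples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'exampel' is one edit away from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(host):
    """True when the host is NOT owned by the institution but either embeds an
    owned domain (library-example.edu.co) or has a label within one edit of the
    institution's brand label (exampel.edu.loginportal.net)."""
    host = host.lower().rstrip(".")
    if registrable(host) in OWNED_DOMAINS:
        return False
    labels = re.split(r"[.-]", host)
    for owned in OWNED_DOMAINS:
        brand = owned.split(".")[0]
        if owned in host or any(osa_distance(lbl, brand) <= 1 for lbl in labels):
            return True
    return False


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname or "",
        "status": int(status),
        "location_host": urlsplit(location).hostname if location != "-" else None,
    }


def analyse(log_text):
    """Return (finding, client_ip, host) tuples for requests to lookalike hosts.
    A POST to a lookalike host that redirects (3xx) to a legitimate host is
    reported as the credential-harvest pattern; other requests as plain visits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_lookalike(rec["host"]):
            continue
        kind = "lookalike-domain-visit"
        if (rec["method"] == "POST" and 300 <= rec["status"] < 400
                and rec["location_host"] in LEGIT_HOSTS):
            kind = "credential-harvest-then-redirect"
        findings.append((kind, rec["client"], rec["host"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Note that the detector deliberately ignores whether the request was served over HTTPS: as the report observes, the spoofed sites carried valid certificates, so a padlock tells an analyst nothing about whether a host is the institution's own. The proper response to a "credential-harvest-then-redirect" hit is to treat the posting user's password as compromised and reset it, since the redirect to the real site means the victim likely never noticed anything wrong.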
The report did not reveal the names of universities that were targeted.
As part of their research, the SecureWorks team was able to identify clues that some of the activities of Cobalt Dickens may be tied to Iran by examining the malicious code. For instance, metadata from the latest campaign contained an Iranian-related time stamp, the report notes.
The team also studied some of the evidence released as part of the 2018 Justice Department indictment, Wikoff tells ISMG.
"The [tactics, techniques and procedures] of the Cobalt Dickens activity covered in 2019 and 2018 research are nearly identical to those disclosed in the March 2018 U.S. Department of Justice indictment of the Mabna Institute," Wikoff says. "This includes infrastructure created, phishing methodologies and victims. Additionally, much of the infrastructure has an Iranian nexus as does the tooling used to set up the spoofed websites."
The Cobalt Dickens attacks aimed at stealing intellectual property are not the first to target universities - especially those involved in cutting-edge research and other projects.
In October 2018, Kaspersky released a report that showed over 130 universities and schools in 16 countries were targeted by phishing emails designed to steal credentials that would give attackers greater access to larger parts of the network. The goal appeared to have been to steal intellectual property and sensitive data. In many cases, spoofed school websites were used to lure victims. The researchers did not tie these campaigns to a specific group.
Security measures such as two-factor authentication can help thwart some of these types of attacks, Wikoff says. But many schools don't use these tools due to the high rate of student turnover and faculty members' concerns over flexibility and access, she adds.