The Secureworks Counter Threat Unit (CTU) said on Friday that the campaign is likely the work of the group it tracks as Cobalt Dickens, an Iranian advanced persistent threat (APT) group.
The researchers have linked Cobalt Dickens to the Iranian government, and in March 2018 nine alleged members of the group were indicted for conducting a series of attacks on universities and companies on behalf of the Islamic Republic of Iran's Islamic Revolutionary Guard Corps (IRGC).
The Mabna Institute, working as part of Cobalt Dickens, allegedly stole information from 76 universities across 21 countries and 47 US and foreign private sector companies, as well as government and international bodies including the US Department of Labor and the United Nations.
In the latest wave of attacks, a total of 76 universities in 14 countries have been targeted including institutions in the United Kingdom, the United States, Canada, China, and Switzerland.
After discovering a spoofed website that masqueraded as one of the targeted universities, CTU uncovered a wider campaign designed to steal credentials from academic staff.
In total, 16 domains have been used by the threat actors to host over 300 spoofed websites, including university login pages and online libraries.
Targets are sent links to the fraudulent domains in phishing emails. If a victim enters credentials into a spoofed page, the attackers capture them and then redirect the victim to the real service, so the login appears to succeed and the theft goes unnoticed. The stolen credentials are later used to access the legitimate systems.
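The spoofed pages in this campaign carried the targeted institutions' names in their URLs, which is also what gives a defender something to match on. The following is an added example, not code from Secureworks or the article, of a mail-gateway or SIEM check that flags URLs impersonating a known login domain. The domains `example-university.edu`, `example-university.ac.uk` and `attacker-domain.net`, the tiny public-suffix table and the sample URLs are all constructed for illustration; a real deployment would take the legitimate-domain list from the institution's inventory and use a full public-suffix library.

```python
"""Flag URLs that impersonate an institution's legitimate login domains.

Added example (not from the Secureworks report). All domains and sample
URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical list of the institution's own registrable domains.
LEGIT_DOMAINS = {"example-university.edu", "example-university.ac.uk"}

# Simplified public-suffix handling: only these suffixes are treated as
# multi-label. Real deployments should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "edu.au", "edu.cn"}


def registrable_domain(host):
    """Return the owner-controlled part of a hostname (e.g. attacker-domain.net
    for login.example-university.edu.attacker-domain.net)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_labels():
    """The distinctive first label of each legitimate domain."""
    return {d.split(".")[0] for d in LEGIT_DOMAINS}


def classify_url(url):
    """Classify a URL as legitimate, one of several impersonation patterns,
    or unrelated. Only the registrable domain decides legitimacy; anything
    else that mentions the institution is suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Pattern 1: the real domain used as leading labels of an attacker host,
    # e.g. login.example-university.edu.attacker-domain.net
    padded = "." + host + "."
    if any("." + legit + "." in padded for legit in LEGIT_DOMAINS):
        return "legit-domain-embedded"
    # Pattern 2: the real domain placed in the path or query to look familiar,
    # e.g. http://attacker-domain.net/example-university.edu/library
    tail = (parts.path + "?" + parts.query).lower()
    if any(legit in tail for legit in LEGIT_DOMAINS):
        return "legit-domain-in-path"
    # Pattern 3: the brand name inside a label, or a one-character typo of it.
    for label in host.split("."):
        for brand in brand_labels():
            if brand in label:
                return "brand-in-hostname"
            if edit_distance(label, brand) <= 1:
                return "lookalike-label"
    return "unrelated"


def triage(urls):
    """Return only the URLs that are not clearly legitimate or unrelated."""
    return {u: c for u in urls if (c := classify_url(u))
            not in ("legitimate", "unrelated")}


if __name__ == "__main__":
    # Constructed sample URLs as they might appear in phishing emails.
    samples = [
        "https://login.example-university.edu/cas/login",
        "https://library.example-university.ac.uk/",
        "http://login.example-university.edu.attacker-domain.net/",
        "http://attacker-domain.net/example-university.edu/library",
        "https://example-universlty.edu/login",
        "https://example-university-library.net/ezproxy",
        "https://www.wikipedia.org/",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:24} {url}")
```

The check is deliberately conservative about what counts as legitimate: only the registrable domain matters, and any other appearance of the institution's name is treated as a signal rather than as reassurance, because that familiarity is exactly what the spoofed pages rely on.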
“Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources,” CTU says.
The majority of the domains were registered between May and August 2018. The campaign appears to be ongoing, as the latest domain registration took place on August 19.
Universities are a constant target for cyberattackers because of the research they conduct. Intellectual property can be extremely valuable, particularly in areas such as technology and defense.
The research team has contacted global partners to warn them of the latest phishing scheme.
“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and implement complex password requirements on publicly accessible systems,” the researchers said.