American universities have continued to be targeted by suspected Iranian state-sponsored hackers despite previous attacks drawing the attention of the Department of Justice, a cybersecurity firm reported Wednesday.
Secureworks, a subsidiary of Dell Technologies, said that its researchers recently found evidence of dozens of universities in the U.S. and abroad being eyed by Cobalt Dickens, a name given by the firm to a “likely Iranian government-directed threat group.”
Also known as Silent Librarian, the report said that members of the group are among nine Iranians indicted by the Justice Department in March 2018 for allegedly hacking into hundreds of victims, including universities, and stealing academic data and other intellectual property on behalf of the Islamic Revolutionary Guard Corps, a branch of Iran’s military.
Despite its members facing criminal charges in the U.S., the suspected state-sponsored hacking group has hardly abandoned its efforts in recent months, according to the report. Secureworks said the group recently registered at least 20 new website addresses to use in phishing campaigns targeting 60 universities in the U.S., Australia, U.K., Canada, Hong Kong and Switzerland.
The latest campaign is similar to efforts mounted last summer by the same group, Secureworks reported: hackers compromise university resources and then leverage that access to send legitimately looking “library-themed” phishing emails to targets with the aim of stealing their user credentials.
The emails contain links to websites under the hacking group’s control that have been spoofed to resemble the actual login pages for services associated with the targeted universities, Secureworks reported. Recipients who visit the bogus sites and subsequently input their credentials thus provide their passwords to the hacking group, effectively putting their data at risk of being pilfered.
“This campaign is aimed at accessing academic research that can be applied for economic and other benefits, and is a direct response to sanctions and an exodus of academic talent from Iran to countries where they are able to participate in and benefit from open and collaborative academic research,” Allison Wikoff, a senior security researcher at Secureworks, told ZDNet.
Secureworks has released a list of the web addresses associated with the campaign, to “provide broader awareness of the threat group’s campaigns and curtail its activities,” but cautioned that some remain in use and may contain malicious content.
The same campaign has targeted a total of at least 380 universities in over 30 countries since first being discovered, the company reported.
“Many universities have been targeted multiple times. The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures and takedown activity,” Secureworks said in a blog post reporting its findings.
The Justice Department declined to comment
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.