Iran-linked Cobalt Dickens hacking group targets 60 universities in its latest campaign

• An Iran-linked group named Cobalt Dickens is targeting universities to steal login credentials.
• It is believed that the aim of this phishing campaign, that targets 60 universities across various countries, is intellectual property theft.

The big picture

Secureworks, a cybersecurity firm owned by Dell, has discovered a phishing campaign launched by a hackers group called Cobalt Dickens (also known as Silent Librarian).

• This phishing campaign by the Iran-linked hacking group targets universities to steal intellectual property which can be used for financial gain.
• The operation is similar to the group’s campaign in August 2018 that involved sending library-based emails.

A senior security researcher at Secureworks, Allison Wikoff, told ZDNet, “This campaign is aimed at accessing academic research that can be applied for economic and other benefits, and is a direct response to sanctions and an exodus of academic talent from Iran to countries where they are able to participate in and benefit from open and collaborative academic research.”

How does Cobalt Dickens operate?

The hackers send an email based on library services, that asks the receiver to click on a link to upgrade.

• The previous campaigns contained shortened links to obscure the web address, but this time the campaign has upgraded itself to use spoofed URLs.
• When users click on the link, they are directed to a page that looks identical to the legitimate page.
• Hackers store the login credentials entered by users before redirecting them to the authentic web page.
• To assist with this campaign, hackers have registered at least 20 new domains with valid SSL certificates to make the spoofed pages appear legitimate.

How can universities protect themselves?

Universities seem to be a popular target for such campaigns. This is because of the massive amount of intellectual property and personal data they house without strong security measures.

• Many universities have implemented multi-factor authentication to safeguard themselves from this campaign.
• Researchers recommend that universities restrict access to Cobalt Dickens’ known domains.