Iranian hacker group Cobalt Dickens targets 76 universities across 14 countries

  • The massive phishing campaign is aimed at stealing login credentials.
  • Universities in the UK, US, Canada, Australia, China, Israel and Switzerland, among others, were targeted by the hackers.

A new massive phishing campaign has been discovered targeting dozens of universities across the globe. The phishing campaign is the work of the Iranian hacker group Cobalt Dickens and is aimed at stealing login credentials.

The Cobalt Dickens hackers operated 16 domains that contained over 300 spoofed websites and login pages of over 76 universities across 14 different countries. The campaign targeted universities in the UK, US, Canada, Australia, China, Israel and Switzerland, among others.

Modus operandi

According to security experts at Secureworks, who uncovered the new campaign, many of the malicious domains were registered between May and August 2018. The most recent domain registrations took place on August 19. Secureworks researchers suspect that the campaign’s infrastructure was still under construction when they stumbled upon it.

When victims click on the fake login pages created by the Cobalt Dickens hackers, they are redirected to another spoofed, legitimate-looking website where they are persuaded to enter their credentials.

“Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources,” Secureworks researchers wrote in a blog post.

Cobalt Dickens

According to the researchers, this is not the first time that the hackers have targeted universities. Cobalt Dickens is linked to the Iranian government. The new campaign shared the same infrastructure as the hacker group’s previous campaigns. In the previous campaigns, Cobalt Dickens used stolen credentials to steal intellectual property, including from library systems.

The new campaign comes after the US government, in March 2018, indicted the Mabna Institute and nine Iranian nationals in connection with Cobalt Dickens’ activities between 2013 and 2017.

“Many threat groups do not change their tactics despite public disclosures, and CTU analysis suggests that COBALT DICKENS may be responsible for the university targeting despite the indictments of some members,” Secureworks researchers added. “Universities are attractive targets for threat actors interested in obtaining intellectual property. In addition to being more difficult to secure than heavily regulated finance or healthcare organizations, universities are known to develop cutting-edge research and can attract global researchers and students.”