The rise of Iran-linked COBALT DICKENS threat actor group

• The group came to light in March 2018 following the indictment of the Mabna Institute and nine Iranian associates.
• Its primary target is universities across the world.

A threat actor group associated with the Iranian government made headlines recently for targeting 380 universities in an attempt to steal credentials. This massive campaign was carried out by none other than COBALT DICKENS a.k.a Silent Librarian. The group was found using at least 20 new phishing domains to target universities in Australia, Hong Kong, Switzerland, the United Kingdom, the United States and more.

Origin of the group

The group came to light in March 2018 following the indictment of the Mabna Institute and nine Iranian associates. Secureworks Counter Threat Unit researchers renamed this likely Iranian government-directed group as COBALT DICKENS.

According to the U.S Treasury Department, the Mabna Institute’s target has included 144 US universities and 176 universities in 21 foreign countries since 2013. This had enabled the hackers to exfiltrate 31 terabytes of data - roughly 15 billion pages of academic projects.

Victims till date

Although its primary target is universities across the world, this Iran-linked hacker group is also responsible for targeting the US Department of Labor, the US Federal Energy Regulatory Commission and many private and public organizations.

Similar phishing attack in 2018

Despite the indictment in March 2018, COBALT DICKENS is likely responsible for a large-scale campaign that targeted 76 different universities using more than 16 domains and 300 websites. The purpose of the campaign was to steal intellectual property and benefit financially.

The attackers leveraged the URL spoofing attack to redirect victims to phony webpages that looked similar to websites created by universities. This tricked the victims into entering their usernames and passwords. The impacted universities spanned across the U.S, Canada, the U.K. Turkey, Australia, China, Japan, Israel, and Switzerland.

Telltale sign

COBALT DICKENS uses publicly available tools, including the SingleFile plugin on GitHub and the free HTTrack Website Copier standalone application to copy the login pages of targeted university resources.

Precautions suggested

With URL spoofing attacks going rampant, organizations should spot the red flags to identify spoofed URLs.

• It is safe to open links that include HTTPs certificate.
• Use a link checker, if unsure of the link.
• Keep the browsers up-to-date to address such attacks.