Iran-linked Cobalt Dickens APT group carried out a spear-phishing campaign aimed at tens of universities worldwide.

Researchers at Secureworks’ Counter Threat Unit (CTU) uncovered a phishing campaign carried out by the Iran-linked Cobalt Dickens APT group (also known as Silent Librarian) that targeted more than 60 universities on four continents in July and August 2019.

According to the experts, the attacks are part of a larger campaign that has hit at least 380 universities in more than 30 countries; many of the organizations have been hit multiple times.

“In July and August 2019, CTU researchers discovered a new large global phishing operation launched by COBALT DICKENS. This operation is similar to the threat group’s August 2018 campaign, using compromised university resources to send library-themed phishing emails,” reads the analysis published by Secureworks. “The messages contain links to spoofed login pages for resources associated with the targeted universities. Unlike previous campaigns that contained shortened links to obscure the attackers’ infrastructure, these messages contain the spoofed URL.”

The universities hit by the hackers are in Australia, Canada, Hong Kong, the U.S., the U.K., and Switzerland. The experts noticed that the APT group relies on free online services as part of its operations, including certificates issued by the Let’s Encrypt CA, free domain names, and publicly available tools.

The hackers registered at least 20 new domain names through Freenom, a domain provider that offers free registrations under several top-level domains.

The attackers appear to be after access to library resources: the phishing messages were sent to people with access to the targeted university’s library. As usual, the messages urge the recipient to take a specific action; in this case, the victim is asked to reactivate their library account by following the spoofed link.

Unlike previous campaigns attributed to this APT group, this time the messages carry the spoofed URL directly instead of relying on shortened URLs pointing to the fake login page.

The landing page is identical or very similar to the legitimate library resource it spoofs.

Once a victim submits their credentials, they are stored in a file named ‘pass.txt’ and the user is redirected to the genuine university website so as not to raise suspicion.
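The traits described above (spoofed university-library login pages on free Freenom domains, lure wording about reactivating an account, and the earlier campaigns’ use of URL shorteners) lend themselves to a simple link-triage heuristic for mail security teams. The following is an added example written for this page, not code from the Secureworks report or from the threat actor’s kit; the trusted domain `example.edu`, the sample URLs, and the shortener list are constructed for the example, and the TLD list is the set of TLDs Freenom offered for free registration.

```python
"""Link triage for library-themed credential phishing (added example).

Flags a URL when its host sits on a Freenom free TLD, embeds a trusted
university domain's labels without actually being under that domain
(library.example.edu.tk, example-edu-library.ml), or is a URL shortener,
and separately notes library/account-reactivation lure wording.
All sample data below is constructed, not real campaign infrastructure.
"""
from urllib.parse import urlparse

FREENOM_FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}          # Freenom's free TLDs
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # constructed list
LURE_KEYWORDS = ("library", "ezproxy", "login", "signin", "account", "reactivate")


def _parse(url):
    """Parse a URL, tolerating a missing scheme."""
    return urlparse(url if "://" in url else "http://" + url)


def host_of(url):
    """Lower-cased hostname. urlparse drops userinfo, so a lure such as
    'https://library.example.edu@evil.tk/' correctly yields evil.tk."""
    return (_parse(url).hostname or "").lower().rstrip(".")


def under_trusted(host, trusted):
    """True only if host is the trusted domain or a real subdomain of it."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def is_lookalike(host, trusted):
    """True when every label of a trusted domain appears in the host (with
    '.' or '-' as separators) although the host is not under that domain."""
    if under_trusted(host, trusted):
        return False
    labels = set(host.replace("-", ".").split("."))
    return any(set(t.split(".")) <= labels for t in trusted)


def classify(url, trusted):
    """Return a dict with host, verdict (trusted/suspicious/review/unknown)
    and the list of reasons in a fixed order."""
    host = host_of(url)
    if under_trusted(host, trusted):
        return {"url": url, "host": host, "verdict": "trusted", "reasons": []}
    reasons = []
    if host.rsplit(".", 1)[-1] in FREENOM_FREE_TLDS:
        reasons.append("free-tld")
    if is_lookalike(host, trusted):
        reasons.append("lookalike")
    if host in URL_SHORTENERS:
        reasons.append("shortener")
    path = _parse(url).path.lower()
    if any(k in host or k in path for k in LURE_KEYWORDS):
        reasons.append("library-lure")
    # Infrastructure signals alone are enough to flag; lure wording alone
    # (e.g. a legitimate docs page with /library/ in its path) only asks for review.
    infra = {"free-tld", "lookalike", "shortener"} & set(reasons)
    verdict = "suspicious" if infra else ("review" if reasons else "unknown")
    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


def triage(urls, trusted):
    """Return only the results that should be escalated."""
    return [r for r in (classify(u, trusted) for u in urls) if r["verdict"] == "suspicious"]


# Constructed sample data: one trusted university domain and URLs as they
# might be extracted from a batch of incoming mail.
SAMPLE_TRUSTED = {"example.edu"}
SAMPLE_URLS = [
    "https://library.example.edu/login",                     # genuine
    "https://library.example.edu.tk/login",                  # free TLD + lookalike
    "https://example-edu-library.ml/account/reactivate",     # hyphenated lookalike
    "https://library.example.edu@login-portal.ga/",          # userinfo trick
    "https://bit.ly/abc123",                                 # shortener (older TTP)
    "https://docs.python.org/3/library/",                    # lure word, benign host
    "https://www.iana.org/",                                 # nothing notable
]

if __name__ == "__main__":
    for r in (classify(u, SAMPLE_TRUSTED) for u in SAMPLE_URLS):
        print(f"{r['verdict']:<10} {r['host']:<28} {','.join(r['reasons'])}")
```

The lookalike test deliberately compares label sets rather than substrings, so `library.example.edu` passes as trusted while `library.example.edu.tk` and `example-edu-library.ml` are caught; in a real deployment the trusted set would be the institution’s own registered domains and the free-TLD list would be one input among several (certificate issuer, domain age, and sender reputation being the obvious others).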

“Metadata in other spoofed web pages supports the assessment that the threat actors are of Iranian origin. Specifically, a page copied on August 3 reveals an Iranian-related timestamp.” continues the report.

In August 2018, researchers at Secureworks discovered another large phishing campaign targeting universities that was carried out by COBALT DICKENS.

Iranian hacking activity has intensified in recent years, and security firms have uncovered the operations of many Iran-linked APT groups.

In March 2018, the US Department of Justice and Department of the Treasury announced charges against nine Iranians for their alleged involvement in a massive state-sponsored hacking scheme; by that time the hackers had hit more than 300 universities and tens of companies in the US and abroad and stolen “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

Geoffrey Berman, US Attorney for the Southern District of New York, revealed that the spear-phishing campaign targeted more than 100,000 university professors worldwide and that about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data, roughly 15 billion pages of academic projects.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company that played a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.

Pierluigi Paganini

(SecurityAffairs – Cobalt Dickens, Iran APT)
