Earlier this month, the Secureworks Counter Threat Unit (CTU) discovered a URL which was spoofing a login page for a university.
After further research into the IP address hosting the spoofed page, it was revealed that a broader campaign to steal student and faculty members' credentials was in place.
The team found sixteen domains which contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including China, Japan, Switzerland, US, Turkey, and Australia.
Numerous spoofed domains referenced the targeted universities' online library systems, which indicates the threat actors were intent on gaining access to these resources.
Many of the domains were registered between May and August 2018, with the most recent being registered on August 19.
Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity.
The targeting of online academic resources is similar to previous cyber operations by COBALT DICKENS, a threat group associated with the Iranian government.
In those operations, which also shared infrastructure with the August attacks, the threat group created lookalike domains to phish targets and used credentials to steal intellectual property from specific resources, including library systems.
SecurityBrief spoke to Secureworks senior security researcher Alex Tilley to get a more in-depth look at the attacks.
We suspect universities may be of interest to nation-state threat actors due to the often unquantifiable value associated with research that students and professors are completing. The ability to steal such knowledge in order to advance the skillset and intellectual abilities of an attacking nation can be appealing.
Academic research takes significant investment in time, effort and funding, making it an attractive target.
How did COBALT DICKENS target universities in different countries and steal their credentials?
As far as we can tell, the same method of phishing was used across all of the universities targeted.
For this attack, the universities' network credentials, primarily students' and professors' library credentials, were used to gain access to the system.
Implementing access controls such as two-factor authentication would have limited this specific attack.
In this instance, the phishers were only seeking usernames and passwords, which wouldn’t be of value without the authentication code.
When possible, tight access restrictions to specific research and data stores should be applied in order to prevent that broad targeting of students and staff.
By putting in access rules, people, including threat actors, won't be able to access large amounts of data.
All organisations are vulnerable to phishing attacks and data theft.
Some verticals invest heavily in two-factor authentication and account behavioural analytics to pick up when accounts are acting "outside the norm", as well as tight security controls. These controls can be expensive and take effort to implement, and are often tied to the value given to the data or funds to be protected.
A tip from a client gave us the first URL and our analysis progressed from there until we mapped what we believe is most of the attack infrastructure as it was being set up by the attackers.
We were fortunate in the sense that we were able to catch the attackers while they were rolling this campaign out rather than after they had completed it.