‘Cobalt Dickens’ group is phishing universities at scale again, researchers say
An Iran-linked hacking group whose operatives a U.S. grand jury indicted last year has launched a phishing operation to steal login credentials from users at more than 60 universities in the United States, the United Kingdom and elsewhere, researchers said Wednesday.
The campaign, whose likely aim is intellectual property theft, redirects victims to spoofed login pages that harvest their passwords, said Secureworks, the Dell-owned cybersecurity company that discovered the activity.
“The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity,” Secureworks said in a blog post.
The most high-profile attempt to disrupt the hackers came in March 2018, when the U.S. Department of Justice announced charges against nine Iranian nationals for breaching the networks of multiple U.S. universities, federal government agencies and U.S. companies. Yet the group, which Secureworks tracks as Cobalt Dickens, has reused in its new phishing activity some of the same domains it used before the indictment.
The group “has used nearly the exact same tactics over the past 12 months,” suggesting they’ve been effective in achieving their objectives, said Allison Wikoff, senior researcher at Secureworks Counter Threat Unit.
The attackers registered 20 new domains for the campaign, many of them with valid TLS certificates, so the spoofed pages show as secure in the browser and look authentic. Beyond the U.S. and the U.K., universities in Australia, Canada, Hong Kong and Switzerland were targeted, according to Secureworks.
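The spoofed login pages described above only work if the phishing domain passes for the real one, and a valid certificate removes the browser warning that would otherwise give it away. One defensive check a university security team can run against newly registered domains or certificate-transparency entries is look-alike detection against its own login hostnames. The script below is an added example, not code from Secureworks or from the article; the protected hostnames and the list of candidate domains are constructed, and it assumes every domain has a single-label TLD (it would need the Public Suffix List to handle suffixes such as .co.uk).

```python
"""Flag domains that impersonate a university's login hostnames.

Added example: constructed data, not indicators from the article.
"""
from __future__ import annotations

# Hostnames we want to protect (constructed placeholders).
PROTECTED = ["login.example-university.edu", "library.example-university.edu"]

# Words a credential-phishing page is likely to put in its hostname.
KEYWORDS = ("login", "sso", "library", "portal", "webmail")

# Constructed sample of "newly observed" domains, e.g. from a CT log feed.
NEW_DOMAINS = [
    "login.example-university.edu",            # the real host
    "example-univerity.edu",                   # typosquat (missing 's')
    "example-university.edu.lib-portal.net",   # brand in a subdomain
    "example-university-login.com",            # brand plus keyword, wrong TLD
    "weather.example.org",                     # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (iterative, O(len(a)*len(b)))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[str, str, str]:
    """Return (subdomain, core_label, tld).

    Assumption: the last label is the whole public suffix. That is wrong
    for multi-label suffixes like co.uk; use the Public Suffix List in production.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def assess(candidate: str, protected: list[str] = PROTECTED,
           keywords: tuple[str, ...] = KEYWORDS) -> list[str]:
    """Return reasons the candidate looks like an impersonation, or [] if not."""
    sub, core, tld = split_host(candidate)
    brands = {split_host(p)[1:] for p in protected}  # unique (core, tld) pairs
    reasons: list[str] = []
    for pcore, ptld in brands:
        if core == pcore and tld == ptld:
            return []  # same registrable domain as a protected host: legitimate
        if core == pcore:
            reasons.append(f"brand '{pcore}' registered under a different TLD .{tld}")
        elif levenshtein(core, pcore) <= 2:
            reasons.append(f"typosquat of '{pcore}' (edit distance {levenshtein(core, pcore)})")
        elif pcore in sub or pcore in core:
            reasons.append(f"brand '{pcore}' embedded in '{candidate}'")
    if reasons:
        hits = [k for k in keywords if k in candidate.lower()]
        if hits:
            reasons.append("login-related keyword(s): " + ", ".join(hits))
    return reasons


def triage(candidates: list[str]) -> dict[str, list[str]]:
    """Map each suspicious candidate to the reasons it was flagged."""
    return {c: r for c in candidates if (r := assess(c))}


if __name__ == "__main__":
    for host, reasons in triage(NEW_DOMAINS).items():
        print(host)
        for reason in reasons:
            print("   -", reason)
```

Run it and the three impersonating domains are reported with their reasons, while the genuine login host and the unrelated domain are ignored. The edit-distance threshold of 2 is deliberately tight; loosen it for short brand names only with care, since short labels produce many false positives.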
“In the cases we have investigated, the phishing recipients included students, faculty and staff,” Wikoff told CyberScoop. “There didn’t seem to be a focus on a particular department or unit within the universities.”
The campaign resembles one Secureworks uncovered a year ago, in which the hackers used compromised university accounts to send phishing emails.
Universities are natural targets for government-backed hackers interested in proprietary research. Security researchers have previously called out hackers associated with North Korea and China for trying to break into university networks.