Hackers associated with the Iranian government have set their sights on universities in the United States and abroad in spite of previously drawing ire from the Trump administration in response to similar cyberattacks, security researchers warned Friday.
SecureWorks, an Atlanta-based subsidiary of Dell Technologies, reported that its threat researchers recently discovered evidence of a broad credential-stealing campaign using infrastructure previously connected to Iranian state-sponsored hackers potentially affecting victims from dozens of universities around the world.
Researchers found more than 300 spoofed websites and login portals that had been created to resemble legitimate pages for 76 universities across 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom and the U.S., SecureWorks said in a blog post.
“After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again,” the company explained. “Numerous spoofed domains referenced the targeted universities’ online library systems, indicating the threat actors’ intent to gain access to these resources.”
It was not immediately clear if the hackers were successful and to what extent, but SecureWorks said that new spoofed domains were created as recently as earlier this week.
Infrastructure associated with the spoofed web addresses was previously linked to an Iranian government hacking group that SecureWorks has called “Cobalt Dickens,” also known as “Silent Librarian,” accused of conducting a similar, multiyear cyber theft campaign targeting universities, companies, government agencies and non-governmental organizations.
“Universities are attractive targets for threat actors interested in obtaining intellectual property,” SecureWorks said. “In addition to being more difficult to secure than heavily regulated finance or health care organizations, universities are known to develop cutting-edge research and can attract global researchers and students.”
The Department of Justice unsealed criminal charges in March against nine Iranian nationals in connection with activity conducted by Cobalt Dickens, but SecureWorks said its research suggests the same group is responsible for waging the more recent campaigns starting merely two months after the Trump administration’s indictments.
The Justice Department did not immediately return an email seeking comment on SecureWorks’ report.