Iranian hacker group Cobalt Dickens attacked over 60 universities around the world

The Iranian group, which IS experts call Cobalt Dickens, is still active and attacks universities and other educational institutions around the world.

In the spring of 2018, U.S. authorities indicted in absentia nine Iranian citizens who were members of the “government” hack group affiliated with the Mabna Institute, a company created in 2013 specifically for attacks on universities, editorial boards of scientific journals, technology companies and government organizations.

It was reported that over the years of its existence, the group stole more than 32 terabytes of academic and research data. According to investigators, hackers targeted 100,000 accounts of professors and employees of educational institutions around the world and successfully cracked about 8,000 of them.

Attackers sold the stolen information on the darknet later.

Now, 18 months after this, Secureworks researchers have reported that this group, which experts call Cobalt Dickens, is still active and attacks schools around the world, including the United States, Canada, Britain, Switzerland and Australia.

Read also: Over 600,000 GPS trackers use default passwords and are available to everyone

According to researchers, a recent Cobalt Dickens phishing campaign has targeted 60 different schools. Since July of this year, hackers have used malicious web pages that disguised themselves as real university resources to steal the credentials of their goals.

People were forwarded on such sites using phishing emails containing relevant links.

“As a rule, phishing emails informed victims that their online library account will expire unless they immediately re-activate it by logging in. By clicking on the link from such a message, users were taken to pages that looked like real library resources that are widely used in educational institutions. Of course, all the credentials entered on such pages were handed over to the attackers”, – Secureworks experts report.

Nikolaos Chrysaidos
Attack scheme

To make it harder to detect malicious resources, Cobalt Dickens members protected many of them with HTTPS certificates and also filled fake resources with content extracted from real sites.

So, Cobalt Dickens has registered at least 20 new domains with valid SSL certificates in the .ml, .ga, .cf, .gq and .tk zones. To do this, members of the group used free services and solutions: they used the services of the Freenom hoster, Let’s Encrypt certificates, and found some tools on GitHub.

Secureworks analysts believe that hackers have attacked employees and students from a total of 380 universities in more than 30 countries around the world so far. And, according to experts, these attacks will continue further, despite the charges already brought against the group members.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Ragnar Locker and Virtual Machines

Ragnar Locker ransomware uses virtual machines to hide their actions

Sophos specialists found that Ragnar Locker malware operators use Oracle VirtualBox and virtual machines running …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.