Iranians steal academic resources in bid to counter sanctions; Google shuts Iranian subversion efforts

News by SC Staff

Iran is identified as responsible for hacking international university resources to circumvent sanctions and access the latest research information, while Google shuts covert Iranian political influence bid.

It is estimated that the stolen educational resources would have cost some £2.6 billion had they been bought legitimately. They were taken from 76 universities in 14 countries, including the UK, USA, Australia, Canada, China, Israel, Italy, Japan, the Netherlands, Malaysia, South Africa, Switzerland and Turkey.

Students just starting university, still unfamiliar with the systems used on their new courses, are a relatively easy target for phishers. The attackers have targeted them with phishing emails leading to more than 300 spoofed websites and log-in pages, hosted on 16 spoof domains, in order to steal legitimate student credentials. Most of the fake domains were registered between May and August, the most recent on 19 August.

Secureworks® Counter Threat Unit™ (CTU) researchers discovered that students logging in to the fake pages are redirected to the legitimate website where they are automatically logged into a valid session or prompted to enter their credentials again. They report that spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources. In a press statement Secureworks notes how the targeting of this attack is similar to previous cyber-operations by COBALT DICKENS, a threat group associated with the Iranian government, and that it also shared infrastructure with the August attack.
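As an added illustration, and not code from Secureworks or from this article, the following Python script triages a feed of new domain registrations for names that reference a protected university's brand outside its legitimate zone, the pattern described above for the spoofed library log-in pages. Every hostname, zone and registration date in it is constructed, and the year 2018 used for the May to August window is an assumption, since the article gives only the months.

```python
"""Flag newly registered domains that impersonate a university library.

Added illustrative example; not code from Secureworks or the article.
All zones, hostnames and dates below are constructed, and the 2018 year
for the campaign window is assumed (the article names only the months).
"""
from datetime import date

# Constructed: registrable zones we want to protect. Any subdomain of
# these is treated as legitimate.
LEGITIMATE_ZONES = {
    "example-university.edu",
    "sample-college.ac.uk",
}

# Labels that carry no brand information and must never trigger a match.
GENERIC_LABELS = {"www", "lib", "library", "login", "sso", "portal",
                  "edu", "ac", "uk", "com", "net", "org", "info"}

# Campaign window from the article (May to August); year is assumed.
WINDOW_START = date(2018, 5, 1)
WINDOW_END = date(2018, 8, 31)


def brand_tokens(zone):
    """Brand-bearing labels of a zone, hyphens removed, so that
    'example-university' also matches 'exampleuniversity-lib'."""
    return {label.replace("-", "") for label in zone.lower().split(".")
            if label not in GENERIC_LABELS}


def is_under_zone(host, zone):
    """True if host is the zone itself or a subdomain of it."""
    return host == zone or host.endswith("." + zone)


def classify(domain, registered, legitimate_zones, window_start, window_end):
    """Return (verdict, reason); verdict is 'legitimate', 'suspicious'
    or 'unrelated'."""
    host = domain.lower().rstrip(".")
    for zone in sorted(legitimate_zones):
        if is_under_zone(host, zone):
            return "legitimate", f"subdomain of {zone}"
    # Compare hyphen-stripped labels: lookalikes commonly drop or move
    # hyphens and append words such as 'lib' or 'library'.
    candidate_labels = [label.replace("-", "") for label in host.split(".")]
    for zone in sorted(legitimate_zones):
        for token in sorted(brand_tokens(zone)):
            if any(token in label for label in candidate_labels):
                reason = f"references brand '{token}' of {zone}"
                if window_start <= registered <= window_end:
                    reason += ", registered inside campaign window"
                return "suspicious", reason
    return "unrelated", "no protected brand referenced"


def triage(registrations, legitimate_zones, window_start, window_end):
    """Run classify() over (domain, registration_date) pairs and return
    the suspicious ones as (domain, reason), newest registration first."""
    hits = []
    for domain, registered in registrations:
        verdict, reason = classify(domain, registered, legitimate_zones,
                                   window_start, window_end)
        if verdict == "suspicious":
            hits.append((registered, domain, reason))
    return [(domain, reason) for _, domain, reason in sorted(hits, reverse=True)]


# Constructed sample feed of new registrations: (domain, registration date).
SAMPLE_REGISTRATIONS = [
    ("library.example-university.edu", date(2018, 1, 10)),  # legitimate
    ("exampleuniversity-lib.com", date(2018, 8, 19)),       # lookalike
    ("login.sample-college.ac.uk", date(2017, 9, 3)),       # legitimate
    ("samplecollege-library.net", date(2018, 6, 2)),        # lookalike
    ("unrelated-shop.com", date(2018, 7, 1)),               # unrelated
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_REGISTRATIONS, LEGITIMATE_ZONES,
                                 WINDOW_START, WINDOW_END):
        print(f"{domain}: {reason}")
```

In practice the registration feed would come from certificate-transparency logs or a newly-registered-domain list, and the protected zones from the institution's own DNS inventory; the substring match is deliberately loose, so the output is a triage queue for a human, not a blocklist.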

Secureworks' report, "Back to School: COBALT DICKENS Targets Universities", concludes from CTU analysis that the COBALT DICKENS group may still be responsible for these university attacks, even though the US Department of Justice indicted nine Iranian nationals for their COBALT DICKENS activity in March 2018.

In a separate development, Google says that in recent months it has blocked phishing attacks, terminated suspicious accounts, and attributed that activity to actors working on behalf of the Islamic Republic of Iran Broadcasting (IRIB).

Google worked with FireEye to ferret out malicious activity and bad actors. Noting that Google couldn't reveal all the technical details of the probe without making itself vulnerable to attack, company senior vice president of Global Affairs Kent Walker wrote in a blog post that the companies found technical and IP information related to the IRIB.

"Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control," Walker wrote. "These facts, taken together with other technical signals and analysis, indicate that this effort was carried out as part of the overall operations of the IRIB organisation, since at least January 2017."

Google took aim at accounts and individuals tied to Iran, shutting down 39 YouTube channels, six blogs on Blogger and 13 Google+ accounts.

Rick Moy, chief marketing officer (CMO) at Acalvio, praised Google for its "efforts to track and terminate deceptive campaigns of influence run by inauthentic nation-state actors," calling them "a step in the right direction."

Noting that "deception is one of the most effective and pernicious cyber-threats facing Americans and democracy today," Moy said, "This coordinated action with other security organisations should be welcomed. While some may characterise this as censorship, the evidence presented in the reports is transparent and open to vetting and analysis by the broader community."

But Joseph Kucic, CSO at Caborin, said that while "Everyone appreciates any action taken to prevent any interference with the US political process...we must be careful that private actions done outside of the appropriate legal framework can result in exactly the opposite results that those actions were trying to protect against."

Kucic called for a governmental process, "similar to a FISA court, where appropriate oversight is in place prior to private companies taking actions against perceived bad actors (individuals and/or companies)."

Otherwise, he said, "bad actors will purposely target individuals that they want to damage and cause these positive actions to become tools to be used against innocent people."
