In July and August, hundreds of universities were targeted by Iranian hackers. The group, known as Cobalt Dickens and linked to the Iranian government, carried out a phishing campaign against universities around the world.
Some security researchers claim that the hackers affected 380 universities in more than 30 countries; many of the universities were attacked multiple times.
Free domains and TLS certificates
The latest phishing campaign targeted universities in the UK, the USA, Canada, Switzerland, Australia and Hong Kong. The hackers registered 20 new domain names through the Freenom service, which offers free domain names (.ml, .ga, .cf, .gq, .tk).
The hackers sent fake emails to users of university libraries, asking them to reactivate their account because it was about to be deactivated. To do this, users had to open a link that the hackers had placed in the emails. Of course, the link was malicious.
The malicious link led to a page that looked very much like the library's official page.
The hackers had arranged to use valid TLS certificates for their websites, so that they would not arouse suspicion. Most of the certificates used in this campaign were free of charge.
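The lure described above combines three observable traits: an "account about to be deactivated" message, a link to a freshly registered domain on a free Freenom TLD, and a lookalike hostname that borrows the library's name. The following triage script is an added example (not code from the original article or from any of the researchers it cites) showing how a mail gateway or SOC analyst could score an incoming message on exactly those traits. The trusted hostnames and the sample email body are constructed placeholders; the TLD list is the one the article names. A valid TLS certificate is deliberately not treated as a trust signal, since the campaign used free, valid certificates.

```python
import re
from urllib.parse import urlparse

# Free TLDs handed out by Freenom and used in the campaign (from the article).
FREENOM_TLDS = {"ml", "ga", "cf", "gq", "tk"}

# Constructed placeholders: an institution's genuine library hostnames.
TRUSTED_LIBRARY_HOSTS = {"library.example.edu", "catalog.example.edu"}

# Wording typical of the "reactivate your account" lure described above.
LURE_PHRASES = ("reactivate", "deactivated", "will be deactivated", "verify your account")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def classify_url(url: str, trusted: set[str] = TRUSTED_LIBRARY_HOSTS) -> str:
    """Classify a link's host as trusted, free-tld, lookalike or unknown.

    The lookalike check is a crude heuristic: any non-TLD label of a trusted
    host (e.g. "library", "example") appearing inside an untrusted hostname.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in trusted:
        return "trusted"
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in FREENOM_TLDS:
        return "free-tld"
    for t in trusted:
        for label in t.split(".")[:-1]:
            if label in host:
                return "lookalike"
    return "unknown"


def has_lure_wording(body: str) -> bool:
    """True if the body uses the account-deactivation pressure wording."""
    lowered = body.lower()
    return any(phrase in lowered for phrase in LURE_PHRASES)


def triage_message(body: str, trusted: set[str] = TRUSTED_LIBRARY_HOSTS) -> dict:
    """Score a message: lure wording plus a link off the trusted hosts is a likely phish.

    Note that nothing here looks at whether the link is HTTPS or has a valid
    certificate; in this campaign every phishing site had one.
    """
    findings = [(u, classify_url(u, trusted)) for u in extract_urls(body)]
    suspicious = [f for f in findings if f[1] in ("free-tld", "lookalike")]
    lure = has_lure_wording(body)
    if lure and suspicious:
        verdict = "likely-phish"
    elif suspicious or lure:
        verdict = "review"
    else:
        verdict = "clean"
    return {"lure": lure, "urls": findings, "suspicious": suspicious, "verdict": verdict}


# Constructed sample message modelled on the lure the article describes.
SAMPLE_EMAIL = """Dear user,
Your library account will be deactivated in 24 hours. To reactivate it, sign in here:
https://library.example-university.tk/login
Regards, Library Services"""

if __name__ == "__main__":
    result = triage_message(SAMPLE_EMAIL)
    print(result["verdict"])
    for url, kind in result["urls"]:
        print(f"  {kind:10} {url}")
```

In practice the trusted-host set would come from the institution's own inventory and the lookalike test would be replaced by something more robust (registered-domain comparison, edit distance, or certificate-transparency monitoring for names containing the institution's brand), but the scoring shape stays the same: pressure wording plus a link that does not resolve to a known host is what warrants a block or a review.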
The main targets of the hackers are educational institutions, but they have also attacked private companies. The hackers appear to be trying to steal library account credentials in order to gain access to library archives and steal files, which they then sell to clients in Iran.
The US Department of Justice has charged 9 people with participating in the campaign.
Many of the attacks are believed to have been carried out by the Islamic Revolutionary Guard Corps (IRGC), an Iranian government entity that collects intelligence.
The hackers reportedly targeted computer systems at 144 US universities, 176 universities in 21 other countries, and the systems of 47 private-sector companies.
The hacking team managed to steal more than 31 terabytes of documents and data from victims around the world. Despite the charges, however, the group appears to be unaffected and continues its activities.