In March 2018, nine Iranians were criminally charged for their involvement with the Mabna Institute, a company federal prosecutors said was created in 2013 for the express purpose of using coordinated cyber intrusions to steal terabytes of academic data from universities, academic journal publishers, tech companies, and government organizations. Almost 18 months later, the group’s hacking activities are still going strong, Secureworks, a Dell-owned security company, said on Wednesday.
The hacking group, which Secureworks researchers call Cobalt Dickens, has recently undertaken a phishing operation that targeted more than 60 universities in countries including the US, Canada, the UK, Switzerland, and Australia, according to a report. Starting in July, Cobalt Dickens used malicious webpages that spoofed legitimate university resources in an attempt to steal the passwords of targeted individuals. The individuals were lured through emails like the one below, dated August 2.
The emails informed targets that their online library accounts would expire unless they reactivated them by logging in. Recipients who clicked on the links landed on pages that looked almost identical to library resources that are widely used in academic settings. Those who entered passwords were redirected to the legitimate library site being spoofed, while behind the scenes, the spoof site stored the password in a file called pass.txt. Below is a diagram of how the scam worked: