COBALT DICKENS Phishing Campaign Targets Global Universities for Credential Theft
- Actor Motivations: Exfiltration, Financial Gain
- Attack Vectors: Brute-force, Compromised Credentials, Phishing
- Attack Complexity: Low
- Threat Risk: Low Impact/High Probability
Threat Overview
In August 2018, Secureworks researchers uncovered a credential-stealing campaign targeting universities worldwide, likely conducted by the Iranian-linked COBALT DICKENS group. The attackers used spoofed login pages for 76 universities across 14 countries, including the US, UK, Canada, Israel, and Australia. By creating lookalike domains, the group aimed to phish victims and steal credentials, likely to access intellectual property and academic resources. The infrastructure supporting the campaign was actively developed, with many domains registered just before the attacks. The group's tactics mirrored prior operations targeting academic institutions, despite public indictments against members earlier that year.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | University | Verified |
| Region | Australia | Verified |
| Region | Canada | Verified |
| Region | China | Verified |
| Region | Germany | Verified |
| Region | Israel | Verified |
| Region | Italy | Verified |
| Region | Japan | Verified |
| Region | Netherlands | Verified |
| Region | South Africa | Verified |
| Region | Switzerland | Verified |
| Region | Turkey | Verified |
| Region | United Kingdom | Verified |
| Region | United States | Verified |
Extracted IOCs
Tip: 22 IOCs related to this threat have been found (1 IP address, 21 domains, 0 URLs, 0 email addresses, 0 file hashes).
Overlaps
Source: Secureworks - September 2019
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Frequently Asked Questions About the COBALT DICKENS University Targeting Campaign:
COBALT DICKENS is a threat group believed to be associated with the Iranian government. They are known for engaging in cyber operations that involve creating spoofed or lookalike domains to phish targets, stealing credentials, and ultimately gaining access to intellectual property, particularly from library systems and other online resources. They have been previously indicted for similar activities between 2013 and 2017.
The attack involved a large-scale credential-stealing campaign using spoofed university login pages. The threat actors created numerous fake websites and login pages that closely resembled those of legitimate university systems. Victims were redirected to these fake pages and unknowingly provided their login credentials. They were then redirected to the legitimate university site, creating the impression that the login had been successful.
The campaign targeted 76 universities across 14 different countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. This indicates a global reach and a substantial effort by the threat actors to compromise academic institutions worldwide.
The spoofed domains often referenced the universities’ online library systems. This suggests that the threat actors were specifically aiming to gain access to academic research, intellectual property, and other resources available through these systems.
The attackers registered numerous domains that closely resembled university URLs and built websites that looked identical to the legitimate login pages of the targeted universities. When users entered their credentials on these fake pages, the information was captured by the attackers. Victims were then often redirected to the university's real login page, either automatically logged in or prompted to log in again, giving the false impression that the initial attempt had succeeded.
Universities are often attractive targets due to a combination of factors: they possess valuable intellectual property and cutting-edge research; they are often less heavily secured than finance or healthcare organizations; and their environments can include a large and diverse population of researchers, staff, and students. This makes them more vulnerable to attack. Additionally, the global nature of universities, with researchers and students coming from all over the world, enhances the appeal to threat actors seeking intellectual property and data.
Security researchers strongly recommend several measures to mitigate these types of attacks, including:
- Implementing multi-factor authentication on all publicly accessible systems.
- Enforcing complex password requirements to reduce vulnerability to credential theft.
- Providing training programs to educate users about security threats, especially how to recognize and report suspicious emails and links, including phishing attempts.

The report provided some specific indicators of compromise (IOCs), including several domain names used to host phishing websites and the IP address associated with the attack infrastructure. However, it noted that IP addresses can be reallocated and that those listed may be or may become malicious, so caution is advised before opening links to those indicators in a browser.
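The credential-capture flow described above (visit to a spoofed library portal, POST of credentials, redirect back to the real site) leaves a recognizable trace in web-proxy logs. The following detection example is added here and is not code from the report or from Secureworks: it matches proxy lines against a watchlist built from the report's IOCs and flags hosts that fit the spoofed-portal naming pattern. The log format, the sample lines, the `.example.edu` institutional domain and the lookalike heuristic are constructed assumptions.

```python
# Added detection example (not from the report): scan web-proxy lines for hits on the
# report's IOCs and for hosts that fit the spoofed-library-portal naming pattern.
import re
from urllib.parse import urlsplit

# Domains and IP taken from the report's IOC list (defanged brackets removed).
WATCHLIST_DOMAINS = {"anvc.me", "ebookfafa.com", "lib-service.com", "unir.cf", "univ.red"}
WATCHLIST_IPS = {"208.115.226.68"}
# Assumption: short "uni"/"lib"-style labels on cheap or free TLDs, as in the IOC list;
# a match that is NOT on the watchlist is a lower-confidence "lookalike" hit.
LOOKALIKE = re.compile(r"^(uni|unv|unt|lib|edu)[a-z-]{0,6}\.(cf|ga|gq|ml|icu|me|xyz|red)$")
ALLOWED_SUFFIX = ".example.edu"  # the institution's own portals (constructed)

# Constructed log format: <timestamp> <src_ip> <dst_ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
SAMPLE_LOG = """\
2018-08-21T09:12:03Z 10.20.4.17 192.0.2.10 GET https://library.example.edu/login 200
2018-08-21T09:13:40Z 10.20.4.17 198.51.100.7 GET http://unir.cf/lib/login.php 200
2018-08-21T09:13:58Z 10.20.4.17 198.51.100.7 POST http://unir.cf/lib/login.php 302
2018-08-21T09:14:01Z 10.20.4.17 192.0.2.10 GET https://library.example.edu/login 200
2018-08-21T10:02:11Z 10.20.9.3 198.51.100.9 GET http://unvt.me/library 200
2018-08-21T10:30:45Z 10.20.9.3 208.115.226.68 GET http://ebook-portal.example/ 200
2018-08-21T10:31:00Z 10.20.9.3 192.0.2.44 GET https://www.example.org/ 200
"""

def classify(url, dst_ip, method):
    """Return a verdict for one request, or None when nothing is suspicious."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(ALLOWED_SUFFIX):
        return None
    if host in WATCHLIST_DOMAINS or dst_ip in WATCHLIST_IPS:
        # A POST to known infrastructure is the moment credentials are handed over.
        return "credential-submission" if method == "POST" else "watchlist-visit"
    if LOOKALIKE.match(host):
        return "credential-submission" if method == "POST" else "lookalike-visit"
    return None

def scan(log_text):
    """Return (src_ip, host, verdict) for every suspicious line in the proxy log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            _ts, src, dst, method, url, _status = m.groups()
            verdict = classify(url, dst, method)
            if verdict:
                hits.append((src, urlsplit(url).hostname, verdict))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the GET and the credential POST to `unir.cf`, the lookalike `unvt.me`, and a request whose destination IP is the report's infrastructure address even though the hostname is unknown; the two visits to the institution's real portal are ignored.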