In the spring of 2018, US authorities charged nine Iranian citizens in absentia who, according to the indictment, were members of a “government” hacking group affiliated with the Mabna Institute, a company created in 2013 specifically to attack universities, scientific journals, technology companies and government organizations.
It was reported that over the years of its existence the group stole more than 32 terabytes of academic and research data. According to investigators, the hackers targeted 100,000 accounts of professors and staff at educational institutions around the world and successfully compromised about 8,000 of them. The attackers then sold the stolen information on the darknet.
Now, 18 months later, Secureworks researchers report that this group, which experts track as Cobalt Dickens, is still active and is attacking schools in various countries, including the USA, Canada, Great Britain, Switzerland and Australia.
According to the researchers, a recent Cobalt Dickens phishing campaign has targeted 60 different schools. Since July of this year, the hackers have used malicious web pages disguised as real university resources to steal the credentials of their targets. People were lured to such sites by phishing emails containing the relevant links.
Typically, such emails informed victims that their online library account would expire unless they immediately re-activated it by logging in. Clicking the link in such a message took users to pages that looked like the real library resources widely used in educational institutions. Naturally, all credentials entered on such pages were handed over to the attackers.
To make the malicious resources harder to spot, Cobalt Dickens members served many of them over HTTPS with valid certificates and filled the fake pages with content copied from the real sites. Cobalt Dickens has registered at least 20 new domains with valid SSL certificates in the .ml, .ga, .cf, .gq and .tk zones. For this, the group relied on free services and solutions: domains from the Freenom hoster, Let's Encrypt certificates, and tools found on GitHub.
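The pattern described above (a lookalike of the institution's library domain in a free TLD, a valid certificate, and "your account will expire" wording) can be turned into a simple mail-gateway triage rule. The following is an added example written for this article, not code from Secureworks or the group; the legitimate domain and the sample messages are constructed, and registered-domain parsing is a deliberately naive "last two labels" assumption rather than a public-suffix-list lookup.

```python
from urllib.parse import urlparse

# Free TLD zones the report says the campaign's lookalike domains were registered in.
FREE_TLDS = {"ml", "ga", "cf", "gq", "tk"}
# Lure wording typical of the campaign: library account expiry and re-activation by login.
LURE_TERMS = ("library", "expire", "re-activat", "reactivat", "log in", "login")
# Constructed: the institution's real domain(s); an operator would fill this from inventory.
LEGIT_DOMAINS = {"example-univ.edu"}


def registered_domain(host: str) -> str:
    """Naive registrable-domain guess (last two labels); assumption, no public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_link(url: str, subject: str = "", body: str = "") -> dict:
    """Score one link from a message; returns signals, a score and a verdict."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    tld = reg.rsplit(".", 1)[-1] if "." in reg else ""
    org_names = {d.split(".")[0] for d in LEGIT_DOMAINS}
    text = (subject + " " + body).lower()
    signals = {
        # Domain lives in one of the free zones used by the campaign.
        "free_tld": tld in FREE_TLDS,
        # Host embeds the institution's name but is not registered under its real domain.
        "lookalike": reg not in LEGIT_DOMAINS and any(n in host for n in org_names),
        # At least two lure phrases present (expiry + re-activation style wording).
        "lure_wording": sum(t in text for t in LURE_TERMS) >= 2,
    }
    # A valid HTTPS certificate is not a trust signal here; Let's Encrypt issues them freely,
    # so the scheme is recorded for the analyst but deliberately carries no weight.
    score = 2 * signals["free_tld"] + 3 * signals["lookalike"] + 1 * signals["lure_wording"]
    verdict = "block" if score >= 5 else "review" if score >= 3 else "allow"
    return {"host": host, "https": parsed.scheme == "https", "score": score,
            "verdict": verdict, **signals}


if __name__ == "__main__":
    # Constructed sample: lookalike library host in a free zone with the expiry lure.
    print(classify_link("https://library.example-univ.tk/login",
                        "Your library account will expire",
                        "Please re-activate your account by logging in today."))
```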
Secureworks analysts believe the hackers have so far attacked staff and students at a total of 380 universities in more than 30 countries. According to the experts, these attacks will continue despite the charges already brought against the group's members.