The COBALT DICKENS threat group stayed busy over the summer by launching a new global phishing operation targeting universities.In July and August 2019, Secureworks’ Counter Threat Unit (CTU) researchers observed COBALT DICKENS using compromised university resources to send out library-themed phishing emails. These emails differed from those used in the Iranian threat group’s previous campaigns, as they did not employ shortened links. Instead, the messages contained spoofed URLs for a targeted university’s resources.
Phishing message containing a link to a spoofed domain circled in red. (Source: Secureworks)Overall, COBALT DICKENS registered over 20 new domains from Freenom, a domain provider which administers “.ml,” “.ga” and other top-level domains, to target universities in Australia, the United States, the United Kingdom, Canada, Hong Kong and Switzerland. Attackers took the extra step of protecting these domains using valid digital certificates purchased from Lets Encrypt. Doing so lent an additional sense of legitimacy to their domains, on which they displayed spoofed login pages for university resources which they had previously copied using publicly available tools.The Counter Threat Unit team said the operation’s scope has broadened over time. As quoted in its research
of the campaign:As of this publication, CTU researchers observed COBALT DICKENS targeting at least 380 universities in over 30 countries. Many universities have been targeted multiple times. The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity.Indeed, the Department of Justice announced
that it had charged nine Iranians for having penetrated the computer systems of hundreds of universities in order to steal research and intellectual property. But that crackdown seemingly did not slow the activit ..