‘Cobalt Dickens’ group is phishing universities at scale again, researchers say

A 2018 indictment hasn't disrupted the Iran-linked hacking group.
A picture of Tehran, Iran. (Getty)

An Iran-linked hacking group whose operatives a U.S. jury indicted last year has launched a phishing operation against computer users at more than 60 universities in the United States, the United Kingdom, and elsewhere, aiming to steal their login credentials, researchers said Wednesday.

In the campaign, whose aim is likely intellectual property theft, victims are redirected to spoofed login pages where their passwords are harvested, said Secureworks, the Dell-owned cybersecurity company that discovered the activity.

“The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures, and takedown activity,” Secureworks said in a blog post.

The most high-profile attempt to disrupt the hackers was the charges the U.S. Department of Justice announced in March 2018 against nine Iranian nationals for breaching the networks of multiple U.S. universities, federal government agencies and U.S. companies. And yet the hacking group, which Secureworks dubs Cobalt Dickens, has reused in its new phishing activity some of the same domains it used before the indictment.

The group “has used nearly the exact same tactics over the past 12 months,” suggesting they’ve been effective in achieving their objectives, said Allison Wikoff, senior researcher at Secureworks Counter Threat Unit.

The attackers have registered 20 new domains for the campaign, many of which use valid security certificates to make them seem authentic. In addition to the U.S. and the U.K., universities in Australia, Canada, Hong Kong, and Switzerland were targeted, according to Secureworks.

“In the cases we have investigated, the phishing recipients included students, faculty and staff,” Wikoff told CyberScoop. “There didn’t seem to be a focus on a particular department or unit within the universities.”

The campaign is similar to one uncovered by Secureworks a year ago, which saw the hackers use breached university accounts to send phishing emails.

Universities are natural targets for government-backed hackers interested in proprietary research. Security researchers have previously called out hackers associated with North Korea and China for trying to break into university networks.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.