Cobalt Dickens hackers are back: launched attack targeting 60 universities

Iranian hacking group behind a new targeted email campaign 18 months after being charged for stealing academic data

Hackers came back with phishing campaignIranian phishers hit 60 universities after being charged for stealing data back in March 2018. Hackers associated with the Iranian government released a new phishing operation targeting more than 60 universities in four continents.[1] Back in March 2018, the same group of nine Iranian phishers was revealed by the U.S Department of Justice for affecting hundreds of universities that were involved into the fraudulent campaign seeking for intellectual property.[2]

Researchers state that the group dubbed “Cobalt Dickens” is still using free certificates, phishing emails, and other publicly available tools. However, it has also registered twenty new domains with valid security certificates to make websites seem more legitimate and authentic, so people from universities in Australia, Canada, Switzerland, and Hong Kong would fall for their scams.

According to Allison Wikoff from SecureWorks Counter Threat Unit researcher team, attacks from Cobalt Dickens were random, and hackers didn't have any particular target in mind:

In the cases we have investigated, the phishing recipients included students, faculty and staff. There didn’t seem to be a focus on a particular department or unit within the universities.

Phishing emails with links to spoofed library login pages used to collect passwords

The recent phishing campaign launched by Cobalt Dickens was practically identical to the campaign a year ago.[3] Library-themed emails were sent to people from the university, including students, staff, and professors. They were stating that user's account is about to expire, will be closed due to inactivity or other issues, and encouraged the victim to follow the link to login to the library's account, and solve the problem.[4]

Unfortunately, once the hyperlink was clicked, the URL directed the victim to the page identical to library's which was asking to reactivate account by logging in. However, those newly-entered passwords were saved into the file named pass.txt.

To make the phishing campaign successful, hackers have also registered more than 20 new domains with the help of Freenom provider and altered many domains from previous attacks. HTTPS, SSL certificates, content copied from legitimate university websites also helped them fake the authenticity of these spoofed sites.

Several traces left by hackers helped researchers identify Cobalt Dickens group

A few traces left in the source code indicated more details about the hacker group and the campaign itself. The particular comment in the source code showed that the original site's version was copied back in May, 2017 from the University that got affected back in August 2018 and July-August 2019. Also, the specific time when the data was saved from a particular page is showing the location of the malicious actors because Iranian-related timestamp is left in the source code.

Although Cobalt Dickens group has already faced law enforcement institutions and has been charged, phishers are still active. Public domains got taken down, but at least 380 universities in more than 30 different countries got affected in total. Many of them have suffered multiple times. While some of the victims have learned the lesson and implemented security controls,[5] there are numerous universities, government institutions, and businesses that are poorly protected. Unfortunately, they still remain highly targeted by malicious actors.[6]

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions