FBI: Iranian Firm Stole Data In Massive Spear Phishing Campaign

The United States Department of Justice announced charges against nine Iranians accused of stealing private data from U.S. universities, private companies and U.S. government agencies.

FBI Deputy Director David Bowdich said in a statement that the state-sponsored hackers worked for more than four years to steal expensive science and engineering-related research, company trade secrets, and sensitive U.S. government information.

The stolen information was used by the Iranian government or sold for profit, said the FBI. According to the indictment, the hackers stole more than 30 terabytes of academic data– IP that totaled $3.4 billion for the U.S. universities to procure.

The nine hackers, who are currently at large, are affiliated with the Mabna Institute, an Iran-based company created in 2013. The FBI said that this company was created for the “express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions.”

“Members of the institute were contracted by the Islamic Revolutionary Guard Corps—one of several entities within the Iranian government responsible for gathering intelligence—as well as other Iranian government clients,” according to the U.S. indictment. “The exfiltrated data… were obtained for the benefit of the IRGC, and were also sold within Iran, including through two websites.”

The hackers allegedly targeted five U.S. government entities, including the Department of Labor and the Federal Energy Regulatory Commissions.

They are also accused of targeting 144 U.S.-based universities and 176 foreign universities in 21 countries; as well as 50 private companies, the majority of which were U.S. firms.

Spear Phishing and Intrusion Tactics

The FBI said that the hackers initially used an elaborate spear phishing campaign to successfully target the e-mail accounts and computer systems of more than 8,000 professor accounts.

“Their primary goal was to obtain user names and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on,” said the FBI’s statement.

Hackers would first research professors’ interests and the academic articles they had published, and then sent spear phishing emails to those targets.

The emails, which appeared to be from professors at other universities, tricked many of the victims to click on links that recorded their keystrokes when they signed into what they thought were their secure university domains. In actuality these linked domains were bogus sites controlled by the hackers.

In addition to spearphishing, hackers also began targeting various U.S. federal agencies using a method where they collected lists of names and e-mail accounts through open-source internet searches. The hackers then guessed users’ passwords, hoping that some users never changed default company passwords or used common ones such as “password123,” the FBI said.

Bowdich  said that the victims have been notified so that they could take action to minimize the impact.

Mark Orlando, chief technology officer for cyber services at Raytheon, said it was shocking how simple it was for attackers to use these methods to compromise systems.

“For the universities, all they had to do was email professors, say how much they liked their work, and trick them into clicking over to a fake login page,” he said. “For the other targets, they simply collected e-mail addresses and guessed the passwords.”

The UK National Cyber Security Centre (NCSC) on Monday joined the U.S. in condemning the alleged attacks, particularly relating to universities based in the UK.

NCSC assesses with high confidence that the Mabna Institute were almost certainly responsible for cyber attacks targeting universities around the world, including in the UK https://t.co/I9qvz6GLeg

— NCSC UK (@ncsc) March 23, 2018

“The UK Government judges that the Mabna Institute based in Iran was responsible for a hacking campaign targeting universities around the world. By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense,” said Cyber Foreign Office Minister Tariq Ahmad in a statement.

In a statement on Friday, the Iran Foreign Ministry condemned the sanctions: “Indubitably, the US will not be able to use such ploys to stop or prevent Iranian people’s scientific progress,” said Bahram Qassemi on the Iran Foreign Ministry’s website.

Tensions are heating up between Iran and U.S. around cybersecurity. In September, FireEye claimed that an Iranian group called APT33 was behind a cyberespionage campaign – also using the spear phishing method –  targeting aerospace, petrochemical and energy sector firms in the U.S., as well as Saudi Arabia and South Korea.

Moving forward, it’s critical for universities and institutions to prioritize proper cyber security practices as cyberespionage practices ramp up, said Orlando.

“Nation-state hackers will attack anyone and anything they think will help them infiltrate our institutions and infrastructure, so this is a clear call for everyone to get serious about cyber hygiene and realize they, too, can be a target,” said Orlando.