Hundreds of universities targeted in global data steal

Information emerged last week of data stolen from universities around the world after the United States Department of Justice released details indicting nine Iranian nationals for stealing research from universities, research institutions, technology companies and other organisations, including the United Nations.

The amount of data stolen is staggering in scale, equivalent to eight billion double-sided pages of text. More than 300 universities were targeted and around 8,000 professors’ email accounts were compromised, it is alleged.

The information stolen from universities was used by the Islamic Revolutionary Guard Corps (IRGC) – Iran’s intelligence organisation and other Iranian government and university clients – or sold for profit inside Iran, according to US Deputy Attorney General Rod Rosenstein, releasing the indictment details on 23 March.

According to the indictment, the attacks by the Iranian-led Mabna Institute, a consultancy company, aimed to “assist Iranian universities, as well as scientific and research organisations, to obtain access to non-Iranian scientific resources”.

Some 144 US university accounts were breached and 176 universities in 21 other countries were hacked. Academic data and intellectual property were stolen across all fields of research including science, technology, engineering, social sciences and medicine, according to the US Federal Bureau of Investigation (FBI).

Most of the targeted universities are in the US, United Kingdom, Canada and Australia – with the most heavily targeted in the US and UK. But others are in Europe – France, Spain, Germany, Ireland, Italy, the Netherlands, Switzerland, Denmark, Sweden and Turkey – and elsewhere, in China, Japan, South Korea, Singapore, Malaysia, Saudi Arabia, Israel and South Africa.

A number of cybersecurity organisations including PhishLabs in Charleston, US, subsequently released details of their own investigations into the Iranian attack group run by the Mabna Institute, dubbed ‘Silent Librarian’.

“Looking at the list of university targets, it is clear that they are not randomly selected. All of the universities targeted in the Silent Librarian campaigns are generally prominent research, technical or medical universities,” said Crane Hassold, director of threat intelligence at PhishLabs, in a blog posted on 26 March.

Few of the universities themselves have been named in the official indictment, but PhishLabs notes some have been targeted numerous times over the past four to five years, such as Australia’s Monash University, “targeted more than two dozen times by the group since the beginning of 2017”. Research establishments such as Los Alamos National Laboratory in New Mexico, US, and research data provider Thomson Reuters have also been subject to attacks.

The attacks tracked by PhishLabs also targeted university students and faculty to collect credentials from victims' university library accounts.

‘Staggering’ scale of attacks

FBI Assistant Director William Sweeney said in a statement: “The numbers alone in this case are staggering, over 300 universities and 47 private sector companies, both here in the United States and abroad, were targeted to gain unauthorised access to online accounts and steal data.”

Sweeney added: “An estimated 30 terabytes was removed from universities’ accounts since this attack began, which is roughly equivalent of eight billion double-sided pages of text. It is hard to quantify the value of the research and information that was taken from victims but it is estimated to be in the billions of dollars.”

“By stealing intellectual property from universities, these hackers attempted to make money and gain technological advantage at our expense,” Tariq Ahmad, the UK’s Foreign Office minister responsible for national cyber security, said in a statement released 23 March.

“The UK’s National Cyber Security Centre assesses with high confidence that the Mabna Institute is almost certainly responsible for a multi-year Computer Network Exploitation (CNE) campaign targeting universities in the UK, the US, as well as other Western nations, primarily for the purposes of intellectual property (IP) theft,” the statement said.

However, Iran’s Foreign Ministry spokesman Bahram Qasemi on 24 March called the accusations "false".

"Iran condemns the United States' provocative, illegal and unjustified actions, which are a major new sign of the hostility and animosity of US leaders towards the Iranian people," Qasemi said in a statement on the ministry's website. "They will not prevent the scientific development of the Iranian people."

With the alleged perpetrators not on US soil, the indictment is largely symbolic, although those charged cannot travel to the US and could be subject to other sanctions such as asset freezes.

Mabna Institute

Mabna Institute founders Gholamreza Rafatnejad and Ehsan Mohammadi, along with seven other Iranians, all of them still in Iran, have been charged with computer fraud, conspiracy and identity theft.

“While the company’s name may sound legitimate, the so-called institute was set up for one reason only: to steal scientific resources from other countries around the world,” said Geoffrey Berman, the US attorney for the US Attorney's Office for the Southern District of New York, which brought the case.

The Mabna Institute, through the activities of the defendants, targeted more than 100,000 accounts of professors around the world. They successfully compromised approximately 8,000 professors’ email accounts across 144 US-based universities, and 176 universities located in foreign countries, the indictment said.

According to the 29-page indictment, the perpetrators first “conducted online reconnaissance of university professors, including to determine these professors’ research interests and the academic articles they had published,” before sending out customised spear-phishing emails.

“The spear-phishing emails created by the conspiracy purported to be sent from professors at one university and were directed to victim professors at another university,” indicating the sender had read a paper published by the targeted professor and expressing an interest in other articles with links provided to these articles.

If the targeted professor clicked on the link they would be directed to a malicious internet domain with a confusingly similar name to the professor’s authentic university.

Links in the emails would direct the professors to pages that made it appear that they had accidentally logged out of their university account and needed to re-enter their user credentials.

Online sites – research for sale

According to the indictment, the hackers not only passed the information to Iranian security services, but also sold it online on two websites – Megapaper.ir and Gigapaper.ir, using the same sites to sell access to compromised university accounts.

“Megapaper sold stolen academic resources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular US-based and foreign universities,” the indictment states.

Hassold says PhishLabs discovered a third website, Uniaccount.ir, which the FBI appears to have missed, and which, according to domain data, was also allegedly operated by one of the nine hackers charged last week.

The perpetrators in one case used hacked accounts to sell the accounts of individual universities. Individual research journal articles, e-books and other documents are also advertised for sale on the Uniaccount website.

PhishLabs says Uniaccount offered different types of membership to buyers. Regular membership, available for 18,000 Tomans (approximately US$5), provided access to a variety of academic journals and five articles from "rare journals" for a two-month period. "Golden" membership for 50,000 Tomans (approximately US$15) provided access to passwords to the "best universities" and 15 articles from rare journals, also for a two-month period.