Researchers from Secureworks' Counter Threat Unit have been tracking a threat group spoofing login pages for universities. Evidence suggests the Iranian group Cobalt Dickens is likely responsible.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.
Dave Bittner: [00:00:56] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Allison Wikoff: [00:01:42] So we discovered a URL that spoofed a university login, and essentially worked our way back from there.
Dave Bittner: [00:01:48] That's Allison Wikoff. She's a senior security researcher with Secureworks Counter Threat Unit. The research we're discussing today is titled "Back to School: COBALT DICKENS Targets Universities."
Allison Wikoff: [00:01:59] And just by looking at passive DNS records for that domain hosting the URL and other aspects of the site, we were able to identify that this activity was much larger than just one university being spoofed.
Dave Bittner: [00:02:11] So give us an idea of the scope here. How many folks were they going after?
Allison Wikoff: [00:02:16] So in the initial reporting that you've read, we had a much smaller scope than what actually came to be. So, overall, since public reporting, we have discovered that about a hundred and fifty-four universities in twenty different countries had been targeted by this particular campaign.
Dave Bittner: [00:02:34] Now take us through - how did they go about it? What were they up to?
Allison Wikoff: [00:02:37] So, initially, we just had the URLs. And in looking at the URLs, they nearly exactly mimicked login pages for various university resources. Mainly, it appeared that they were targeting library resources. However, the end-part of that URL was in fact the adversary domain. So, for an untrained eye, it would look like you're clicking on a link that belongs to a university where you should be logging in, but that wasn't in fact the case.
Allison Wikoff: [00:03:06] And looking at this, we believed that they were using these URLs to phish the university targets, and after publishing our research publicly - one of the really great things happens when you publish research publicly - other people who have observed the activity will come out and provide you more information. So, one of the side effects for us when we published this publicly, was that we heard from a lot of folks who had observed the activity and were able to learn even more about what exactly was going on here.
Allison Wikoff: [00:03:37] So, we actually were able to get some of the contents of some of the phishing messages that were used, which was really intriguing. So we were able to confirm that COBALT DICKENS leveraged these domains in phishing messages sent to folks associated with the universities whose web pages are being spoofed. And in the messages themselves, they were generally library-themed, which we sort of guessed from the way the URLs were structured. But we saw that, instead of using the URL that we had discovered, they were using shortened links to mask this fake domain, or this fake login page that they created.
Allison Wikoff: [00:04:12] And there was actually two levels of redirection, which was fairly interesting. The phishing message had - in some of the messages that we reviewed - had a Google shortened link, which then resolved to another shortened link, and then resolved to the actual domain that was created by the adversaries.
Dave Bittner: [00:04:31] So taking several hops to get to the final destination.
Allison Wikoff: [00:04:34] Absolutely, yeah. We think they were doing that as a layer of obscurity.
Dave Bittner: [00:04:38] Now, when you say targeting libraries at these universities, what does that mean in a university context? What's the implication of that?
Allison Wikoff: [00:04:47] You know, it's hard to say, because a lot of these library resources are shared among universities. They're not always specific to a particular university that these folks were targeting, but we're assuming that they were going after these resources for some sort of intellectual property gain.
Dave Bittner: [00:05:03] And what kind of things would they be after? Are we talking about university research, primarily?
Allison Wikoff: [00:05:07] It could be university research. It could just be the online academic journals. It's really hard to say what the specifics were that they were going after. The interesting piece of this is that we think they were going after not just university faculty, but potentially students as well, which is a real challenge for universities in defending their networks, because they don't own student devices. It's a challenge. How do you educate these folks and students on phishing tactics? We talk about it a lot, but it's really hard to protect students and people who aren't a part of the corporate domain, but who are accessing your resources.
Dave Bittner: [00:05:44] Now, you mentioned that you were able to get your hands on some of the phishing messages. How targeted were they? Was this a shotgun approach, or did it seem like they're going after specific individuals?
Allison Wikoff: [00:05:54] It was really hard to say, because we only got a very small sample size of some of the messages that were sent out. So it was difficult for us to determine whether it was one specific type of user within the university, or if it was limited to, you know, a particular subset of the university. Very hard to say.
Dave Bittner: [00:06:13] Was there anything to be gleaned from the targets that they chose? Was there any pattern to that? Were they going after specific European countries or North American countries? Is there anything from there, or was it fairly random?
Allison Wikoff: [00:06:26] The targeting was fairly random, I'd say. There was a pretty large smattering of universities targeted in the US, but I'm not sure if that was because there's just a lot more land space in the US, and there's a lot more universities to go after. We couldn't determine if there was a specific type of university that they were going after either.
Dave Bittner: [00:06:46] So, tell me about COBALT DICKENS. What does this group - who do you think is behind this?
Allison Wikoff: [00:06:52] So, COBALT DICKENS is a nomenclature that Secureworks used to identify the cluster of threat activity, but we believe it's associated with the Iranian government. The activity that we saw was very similar to activity that was reported on earlier in the year by the US Department of Justice. They actually issued an indictment on an Iranian company and several Iranian individuals associated with that company that performed similar activity over the course of 2013 to 2017.
Dave Bittner: [00:07:23] Now, have you seen any shift in their activities since your research has been published? Have they backed off any, or - or they still seem to be at it?
Allison Wikoff: [00:07:31] Well, the days following the publishing of our research, we did see a couple more domains being created, which was interesting. But the more intriguing aspect of this particular campaign is that it's nearly identical to a lot of campaigns that were associated with this adversary prior to the public disclosure by the Department of Justice.
Dave Bittner: [00:07:52] And are those campaigns that you all were tracking as well?
Allison Wikoff: [00:07:55] This is the first time we've directly observed this activity, but we were aware of the activity happening prior.
Dave Bittner: [00:08:02] I see. And so, in terms of advice for the folks who are targeted here, how can they protect themselves?
Allison Wikoff: [00:08:08] So, I think it's a real challenge for universities to protect themselves from this kind of threat. Again, they don't own their student resources, and in this case, we think that some students may have been targeted. Again, because it doesn't matter if it's student or faculty, in terms of getting access to the resources - they just wanted them.
Allison Wikoff: [00:08:25] So, I think it's a twofold approach. One, training. And I think that's sort of old news in the industry. Security professionals talk so much about end user training, particularly when it comes to phishing, and unfortunately, training is really not enough. All you need is - we always say - is one person to click. But I think really considering multi-factor authentication on sensitive resources. Anything that can be accessed remotely outside of the university network with the username and password, it's - if it's really important to the university, really need to consider some additional factor outside of the password to secure that resource.
Dave Bittner: [00:09:04] Now, in the process that they used here to steal these credentials, they would send you to a duplicate site, but then often they would just loop you back into the actual original university site?
Allison Wikoff: [00:09:18] Correct.
Dave Bittner: [00:09:20] And so, for the user, you may not know that anything had happened?
Allison Wikoff: [00:09:22] Absolutely.
Dave Bittner: [00:09:24] Yeah, that's interesting.
Allison Wikoff: [00:09:26] Yeah. And the sites were very tricky too. So, we learned that, in addition to moving folks to the legitimate site, on the spoofed site the adversaries created certificates. So, you know, the average end user doesn't look to see what certificate's issued to the site that they're logging into. They just look for that little lock box or, you know, "HTTPS" in the URL, to think, okay, well, I'm at a secure site, this must be the site I'm logging into. So, we think that those certificates were created to make the sites appear more legitimate.
Dave Bittner: [00:09:59] Yeah. Yeah, it's interesting - it's almost camouflage. You know, like you said, it's the shorthand. And as you said earlier, you know, I would imagine, especially for students who may not be as sophisticated, they see that lock and they think, I'm logged into my university portal here and everything's fine.
Allison Wikoff: [00:10:17] Agreed. So, before we went public with this particular piece of research, we worked really hard to notify the registrars who were hosting the malicious domains. We also got in touch with law enforcement in many of the affected countries, as well as a lot of the national CERTs, just to make sure that we could actually disrupt this campaign. So, we found it very early on in the stages, so much so that infrastructure was still being created around it. We are hoping that we were able to disrupt this campaign in some way, shape, or form.
Dave Bittner: [00:10:49] Now, how about - have you gotten any feedback from the universities themselves? Any contact and responses from them?
Allison Wikoff: [00:10:56] We haven't, and I wouldn't expect to for ones that aren't Secureworks clients, but I'm sure that, in light of the dollar amount of content that was stolen initially by this group, I'm sure that they're grateful that these domains have been turned off.
Dave Bittner: [00:11:10] Right. Right. They benefit from the attention from law enforcement and the - I guess the interruption of the campaign in general.
Allison Wikoff: [00:11:18] Absolutely.
Dave Bittner: [00:11:23] Our thanks to Allison Wikoff for joining us. She's from the Secureworks Counter Threat Unit research team. The research is titled "Back to School: COBALT DICKENS Targets Universities." You can find it on the Secureworks website. We'll have a link in the show notes.
Dave Bittner: [00:11:38] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.
Dave Bittner: [00:11:46] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:11:54] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2018 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.