The US Department of Justice has levelled a series of federal charges against nine members of an Iranian firm, which officials say worked on behalf of the Islamic Revolutionary Guard Corps (IRGC) and other Iranian clients to steal email credentials and more than 31 terabytes of files from universities, companies, government agencies and non-governmental organisations.
The UK’s National Cyber Security Centre issued a statement saying that it: “assesses with high confidence that the Mabna Institute are almost certainly responsible for a multi-year Computer Network Exploitation campaign targeting universities in the UK, the US, as well as other Western nations, primarily for the purposes of intellectual property (IP) theft.”
In a government statement the UK Foreign Office Minister for Cyber, Lord Tariq Ahmad of Wimbledon, welcomed the US indictments saying: “It demonstrates our willingness and ability to respond collectively to cyber-attacks using all levers at our disposal. Today’s action is a further step demonstrating that malicious cyber-activity will not go unpunished. Mabna Institute employees can no longer travel freely, curtailing their career prospects outside of Iran.”
DOJ officials claim the Mabna Institute successfully hacked nearly 8,000 professor email accounts at 144 U.S. universities (and 176 more around the world), exfiltrating assets that American universities spent close to US$ 3.4 billion (£2.4 billion) on procuring and maintaining during the course of the malicious campaign.
The firm would then allegedly sell or distribute the stolen data to Iranian universities and other clients, supplying them with scientific research and intelligence that they could not obtain through honest means.
According to the indictment, the accused hackers performed reconnaissance on tens of thousands of university professors to ascertain their research interests, before launching spear phishing campaigns against their chosen targets.
The phishing emails were designed to look like correspondence from fellow professors expressing an interest in a victim’s published articles, and contained links to what supposedly were additional articles.
However, when victims clicked on the link, they were actually redirected to a malicious phishing domain that appeared to be a log-in page for their own university network – a ruse intended to make them think they had been logged out of the system, so that they would re-enter their credentials and thereby hand them to the attackers.
In total, over 100,000 professor accounts were targeted during the course of the operation, the indictment states.
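The lure described above (a message from an apparent colleague whose "further articles" link leads to a fake university sign-in page) can be caught at the mail gateway by inspecting every link for a login-style URL that is not on the institution's own domain. The following is an added example written for this article, not code from the DOJ indictment, the NCSC or any university; the institution domain, allowlist and sample message are constructed placeholders.

```python
"""Flag links in inbound mail that point at lookalike login pages rather than
the institution's own sign-in domain.  Added example; all domain names and
the sample message below are constructed, not taken from the indictment."""
import re
from urllib.parse import urlparse

# Assumed: the institution's real domain.  Any login-looking URL whose host is
# not under this domain is treated as a credential-harvesting candidate.
LEGIT_DOMAIN = "example-university.edu"

LOGIN_WORDS = ("login", "signin", "sign-in", "auth", "sso", "portal")
_ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def extract_links(html):
    """Return (href, visible_text) pairs for every anchor in the message body."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip())
            for href, text in _ANCHOR_RE.findall(html)]


def is_subdomain_of(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(href, text):
    """Return the reasons this link looks like a credential-harvesting lure.
    An empty list means nothing suspicious was found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    path = (parsed.path or "").lower()
    if not host or is_subdomain_of(host, LEGIT_DOMAIN):
        return reasons  # no host, or genuinely on the institution's domain
    # Institution name embedded in a foreign host, e.g.
    # login.example-university.edu.attacker.example
    if LEGIT_DOMAIN in host or LEGIT_DOMAIN.split(".")[0] in host:
        reasons.append("lookalike host: institution name embedded in foreign domain")
    # Login-style wording in host or path on a domain that is not ours
    if any(w in host or w in path for w in LOGIN_WORDS):
        reasons.append("login-style URL on a non-allowlisted host")
    # Displayed text names the institution, but the href goes elsewhere
    if LEGIT_DOMAIN in text.lower():
        reasons.append("display text names the institution but href points elsewhere")
    return reasons


def scan_message(html):
    """Return [(href, reasons)] for every link in the message that was flagged."""
    findings = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample lure of the kind the article describes: a "colleague"
# recommending further reading, with one link leading to a fake sign-in page.
SAMPLE_LURE = """
<p>Dear Professor, I read your recent paper with great interest.
You may also find these related articles useful:</p>
<a href="https://library.example-university.edu/articles/123">this one</a>
<a href="http://login.example-university.edu.research-share.example/auth">
  login.example-university.edu</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_LURE):
        print(href, "->", "; ".join(reasons))
```

The first link in the sample resolves to a real subdomain of the institution and passes; the second trips all three checks. In production the allowlist would come from the identity team's inventory of sign-in endpoints, and a hit would route the message to quarantine or add a banner rather than silently dropping it, since legitimate external journal portals will also use login-style paths.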
The indictment comes in uncertain times, as the Trump administration ponders the future of the Joint Comprehensive Plan of Action (JCPOA), informally known as the nuclear accord reached between the US and Iran in October 2015.
Some analysts believe this agreement prompted Tehran to scale back on major disruptive cyber-attacks against the US, in anticipation of lighter sanctions against the Middle Eastern regime. However, if proven true, this latest reported incident suggests that Iran continues to aggressively hack targets behind the scenes.