Our Universities Are Under (Cyber) Attack!
In what it calls "one of the largest state-sponsored hacking campaigns ever prosecuted," the Department of Justice recently announced charges against nine Iranian nationals for computer fraud, wire fraud, conspiracy and identity theft. The indictment alleges that the hackers waged a three-year campaign against universities around the world to steal research data and intellectual property valued at over $3 billion, and that campaign has not abated. Institutions of higher education should protect their systems from attacks like those alleged in the indictment, which gained access to confidential information by compromising the e-mail and library accounts of thousands of professors and students.
On March 23, 2018, the Department of Justice indicted nine Iranian citizens for cyberattacks on 320 American and foreign universities. The indictment alleges that the hackers waged a three-year campaign to penetrate those institutions and steal over 31 terabytes of research data and intellectual property valued at more than $3 billion. The victims include 144 American universities, 176 foreign universities across 21 countries, 47 private sector companies, and government targets including the U.S. Department of Labor, the Federal Energy Regulatory Commission and the states of Hawaii and Indiana, along with the United Nations.
The defendants in the case have been charged with conspiracy to commit computer intrusions, conspiracy to commit wire fraud, wire fraud, unauthorized access of a computer and aggravated identity theft. In addition to the criminal charges, the Department of the Treasury imposed civil sanctions against 10 individuals as well as the Mabna Institute.
According to the indictment, the hackers worked on behalf of Iran's Islamic Revolutionary Guard Corps and the government-funded Mabna Institute to target more than 100,000 professor e-mail accounts in an effort to steal intellectual property and research data. Using a mix of online research, spear phishing, stolen account credentials and social engineering, the hackers successfully compromised approximately 8,000 of those accounts. The indictment alleges that the stolen data was turned over to the Revolutionary Guard Corps and used to benefit Iranian private businesses. Hacked data was put up for sale on a pair of Iranian websites, Megapaper.ir (Megapaper) and Gigapaper.ir (Gigapaper), whose customers included numerous Iranian universities and companies. Gigapaper also provided a service that allowed subscribers to use stolen credentials to access university research and library systems.
In addition to the phishing e-mails targeting professors described in the federal indictment, cybersecurity researchers have claimed that the alleged hackers launched more than 750 phishing attacks attempting to trick university students and faculty with lures claiming that their library accounts had expired and instructing them to take immediate action by clicking a link and logging into their accounts. The link, however, led to an attacker-controlled domain that captured any credentials entered. To appear authentic, the e-mails reportedly used spoofed sender addresses and a signature block containing the actual contact information for each recipient's library. Most of the lures carried the subject "Library Account," "Library Notifications," or "Library Services," sometimes with the name of the university appended. The phishing sites themselves mimicked the target library's real account login page, with similar URLs and content.
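The lure pattern described above has three observable features that a mail gateway or a library's own abuse mailbox can check mechanically: a subject drawn from a short list, a From address whose domain does not match the domain the message actually came from (the spoof), and a login link whose host imitates the library's hostname but sits under a registrable domain the university does not own. The following triage script is an added example, not code from the original alert or from the researchers it cites. The institution (northstate.edu), its library host and the three sample messages are constructed for illustration; the suffix handling is a two-label approximation that a production filter would replace with a public-suffix list.

```python
"""Triage e-mail metadata for the 'library account expired' lure pattern.

Added example with constructed data; the institution name, hosts and
messages below are assumptions, not facts from the alert.
"""
import re
from urllib.parse import urlparse

# Assumed institution and its legitimate library login host.
INSTITUTION_DOMAIN = "northstate.edu"
LIBRARY_HOST = "library.northstate.edu"

# Subjects reported for the campaign; the university name was sometimes appended.
LURE_SUBJECTS = ("library account", "library notifications", "library services")


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Approximation: a real filter should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(addr: str) -> str:
    """Extract the domain part of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def is_lookalike(host: str) -> bool:
    """True when a host outside the institution still carries its name or 'library'
    (e.g. library-northstate-edu.<attacker domain>)."""
    compact = host.lower().replace(".", "").replace("-", "")
    institution_name = INSTITUTION_DOMAIN.split(".")[0]
    return institution_name in compact or "library" in compact


def triage(msg: dict) -> dict:
    """Score one message; two or more independent indicators mark it suspicious."""
    reasons = []
    if msg["subject"].lower().startswith(LURE_SUBJECTS):
        reasons.append("campaign subject line")

    from_dom = header_domain(msg["from"])
    rp_dom = header_domain(msg["return_path"])
    if from_dom and rp_dom and registrable_domain(from_dom) != registrable_domain(rp_dom):
        reasons.append(f"From/Return-Path mismatch: {from_dom} vs {rp_dom}")

    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != INSTITUTION_DOMAIN:
            kind = "lookalike" if is_lookalike(host) else "external"
            reasons.append(f"{kind} link host: {host}")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample messages: one lure, one genuine library notice, one unrelated newsletter.
SAMPLES = [
    {
        "id": "lure",
        "from": "Northstate University Library <library@northstate.edu>",
        "return_path": "bounce@account-renewal.example",
        "subject": "Library Account - Northstate University",
        "links": ["https://library-northstate-edu.account-renewal.example/login"],
    },
    {
        "id": "legit",
        "from": "Northstate University Library <circulation@library.northstate.edu>",
        "return_path": "circulation@library.northstate.edu",
        "subject": "Library Services: new weekend hours",
        "links": ["https://library.northstate.edu/hours"],
    },
    {
        "id": "newsletter",
        "from": "Journal Alerts <alerts@publisher.example.com>",
        "return_path": "alerts@publisher.example.com",
        "subject": "New issue available",
        "links": ["https://publisher.example.com/toc"],
    },
]


def triage_all() -> dict:
    """Run triage over the constructed samples, keyed by message id."""
    return {m["id"]: triage(m) for m in SAMPLES}


if __name__ == "__main__":
    for mid, result in triage_all().items():
        print(mid, "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

Requiring two indicators matters: the genuine notice above legitimately uses a "Library Services" subject and trips only that one check, while the lure trips all three. Scoring on the subject alone would generate noise from the library's own mail.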
In the wake of the indictments, the U.S. House of Representatives' Science, Space and Technology Committee held a joint hearing of its oversight and research subcommittees. During the hearing, Crane Hassold of cybersecurity research firm PhishLabs cautioned: "It is important to note that the indictment has not seemed to deter the group from continuing their malicious activity. As of the date of this testimony, I have observed 27 new phishing sites created by the group since the indictment, targeting 20 different universities, ten of which are located in the United States." Hassold also pointed out that "[m]uch of the financial impact of phishing attacks incurred by non-financial institutions is related to the costs associated with responding to and mitigating attacks, which includes customer support resources, remediation efforts, impact analysis, and legal fees. In addition, phishing attacks are a significant threat to personal information, which can be used to facilitate additional crimes, such as identity theft and tax fraud."
In his opening statement at the hearing, Chairman Lamar Smith (R-Texas) reported that “[u]nfortunately, Iran is not the only threat. China has actively and aggressively targeted research and development (R&D) at U.S. academic institutions for years.” According to Chairman Smith, “[t]he Chinese government has been very clear about its long range plans for achieving global domination in critical areas of science and technology. China, however, has been less forthright about its methods, which include theft of confidential information and technological secrets from U.S. companies, cyber-attacks and other forms of spying to undermine our national security and putting sleeper agents at our research universities to steal our scientific breakthroughs.”
The DOJ's indictments address only the tip of the iceberg; prosecution alone will not remove the threat of cyberattacks on our nation's universities. It is therefore incumbent on universities to reduce the value of a stolen password by requiring stronger verification before professors, staff and students can reach sensitive research data. For example, online library access could be granted through a two-step process in which the user first enters a password and is then prompted to confirm the request through an application on his or her cell phone. Because the lures described above capture whatever a victim types into the fake login page, the second step should be one the phishing page cannot simply collect and replay: confirmation on a separate device, or a hardware security key bound to the library's real domain, resists this better than a code typed into the same form. Additionally, universities should regularly educate their faculty, staff and students about current phishing techniques, including these library-account lures, and train them to recognize and report them.
If you have any questions regarding an issue raised in this alert, please contact the author or the attorney at Saul Ewing Arnstein & Lehr LLP with whom you are regularly in contact.