How Universities Should Respond to Iranian Hacking Charges

Silent Librarian Sepia

Last week, news broke that an Iranian hacker network, Mabna Institute, had been systematically stealing data from universities across the US and abroad.

It’s unclear precisely how much data has been compromised, but it has been estimated to have cost US universities around $3.4 billion dollars to collect and maintain.

While the administration has announced sanctions and criminal indictments against the group, it’s highly unlikely any of the actors involved will receive punishment.

So if you happen to work for a university, or be responsible in some capacity for the data security of a university, you’d be forgiven for wondering “…What now?

To answer that question, it’s important to understand how these hackers have been operating.

Phishing… Again

Here’s the thing about data theft. The absolute easiest way to steal sensitive data is to compromise one or more privileged accounts, take control of them, and exfiltrate data at your convenience.

And how do you compromise an account? Simple: You use targeted spear phishing campaigns, backed by phishing sites designed to trick victims into entering their credentials into what looks like a legitimate login form.

That’s it.

There are other ways to do it, but this process is by far the simplest and most effective. As a result, hacking groups fall back on spear phishing time and time again for credential theft and account takeover.

In this case, PhishLabs analysts identified over 750 phishing attacks attributed to the group. For the most part, the attacks were aimed at professors and other faculty members, though in some cases students were also targeted. The campaign, which was reported to the FBI by PhishLabs back in late 2017, has been dubbed the Silent Librarian.

Screen Shot 2018-03-28 at 18.52.28

The most notable thing about them was that they were incredibly realistic-looking. Their spelling and grammar was perfect. They were thematically relevant, naming the university in the lure.

So… What Now?

So what actions can you take to mitigate the threat of phishing? The first thought you might have is to invest in technical security controls; however, sadly that just won’t cut it.

Spam and content filters, firewalls, and other technologies that rely on blocking incoming attacks will never provide complete defense against phishing attacks. Why? Because these technologies rely on a constantly updated set of rules, meaning malicious content will only be blocked if it contains an indicator such as an IP address, hash, or language pattern which has previously been identified as malicious. And regardless of the technology available, humans will continue to be the weakest link.

Unfortunately, spear phishing attacks are highly likely to evade these types of controls for a variety of reasons:

  1. By definition they are custom-written for each campaign, making them unlikely to be flagged as containing suspicious content
  2. New phishing sites are often setup for each campaign, so the URLs and IP addresses used won’t yet be known as malicious
  3. Credential theft campaigns rarely utilize malware, so in most cases there is no malicious hash present to identify

All of this adds up to one certainty: Your users will be targeted by phishing attacks, and some of those attacks, the most dangerous ones, will reach their inboxes. And since we have compelling evidence that universities are being targeted by foreign state actors, you need to start taking action right away.

Two Steps You Can Take Now to Mitigate the Threat of Spear Phishing

In order to truly tackle the threat of spear phishing (or any phishing, for that matter) a dedicated, consistent training program is essential. We’ve written about how exactly you can do this a bunch of times, so check out this post for an introduction.

At the same time, though, there are some things you can do right now to mitigate the threat of spear phishing attacks:

1) Issue guidance to faculty and students

Most people don’t think about phishing on a daily basis, and have very little chance of identifying a sophisticated spear phishing attack based exclusively on its content. Thankfully, though, there is one other way to spot malicious emails designed to steal credentials: Links.

Credential theft campaigns rely on victims following embedded links, which take them to convincing copies of the legitimate login pages they are expecting. To combat this, advise all faculty and students to manually type in website URLs instead of following links in emails. That way, instead of being directed to a phishing site, they’ll safely navigate to secure, legitimate sites.

2) Request that suspicious emails be reported to your security team

Again, we’ve written about this dozens of times; reported phishing emails are a thousand times better than deleted phishing emails. It’s advised that you set up a phishing-specific inbox, and ask faculty members and students to forward any emails they receive that seem suspicious, or which ask them to follow embedded links to enter their login credentials. These reported emails can serve as an early warning mechanism, enabling you to get ahead of an incoming attack before it gets out of hand. 

To find out more about the Silent Librarian attacks, check out our in-depth post from earlier in the week. Alternatively, if you’d like to know more about how you can mitigate the threat of phishing to your organization, register for our on-demand webinar: The Rise of Spear Phishing & How to Avoid Being the Next Headline.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Crane Hassold, Senior Security Threat Researcher. Read the original post at: