A hacking group targeted 20 universities and schools around the world earlier this year with a series of phishing attacks designed to steal credentials, according to researchers with RiskIQ.
The group, which the RiskIQ researchers call “Shadow Academy,” targeted 14 universities and schools within the U.S. between July and October, when fall semester classes were beginning, according to the report. The first university struck was the University of Louisiana, but other schools, such as Manhattan College, Rochester Institute of Technology, Bowling Green State University, University of Arizona and University of Washington, were also victimized.
Schools in the U.K., Australia and Afghanistan were also targeted, according to the report published Wednesday.
“Research suggests that Shadow Academy actors timed the development of malicious infrastructure to take advantage of back to school chaos,” according to the report.
The RiskIQ report says the hackers attempted to steal credentials, but it’s not clear how they planned to use them. Other hacking groups have targeted universities to steal data and intellectual property (see: Iranian Hacking Group Continues Targeting Universities).
Phishing Techniques
In the campaign that RiskIQ examined, the hacking group used a technique called domain shadowing to create malicious landing pages designed to harvest credentials. This involves attackers obtaining compromised administrative credentials for a victim domain and then using those credentials to create subdomains to support their malicious activities, such as phishing emails.
The malicious domains in this campaign resembled popular services, such as Netflix, Instagram, Facebook, Amazon and online banking services, according to the report.
The phishing emails used a variety of themes as lures, including messages that supposedly originated with a school’s library, student portal or financial aid department, according to the report.
The messages contained a link to one of the malicious domains created by the hackers. If the victim entered credentials into one of the spoofed domains, those were then harvested by the attackers and could have been used in other attacks or to gain access to other parts of the school’s network, the report notes.
Connections to Other Groups?
The RiskIQ report notes that some of the techniques used by Shadow Academy, especially the use of shadow domains, are similar to those of “Silent Librarian,” a hacking group that has ties to Iran’s government and targets universities in the U.S. and in other parts of the world (see: Iranian Hacking Group Again Targets Universities). But there is no definitive connection between the two groups, the researchers say.
“While RiskIQ’s findings are consistent with [tools, techniques and procedures] in use by Silent Librarian, they alone are not sufficient to attribute the threat activity,” the report notes.
Source: infoRisk Today