Louisiana State University and 19 other universities worldwide fell victim to a series of phishing campaigns that bear similarities to attacks carried out by an Iran-based company known to target U.S. agencies, universities and businesses, according to a report published Wednesday by the cybersecurity company RiskIQ.
The phishing campaigns, which took place between July and October, used malicious websites designed to look like pages for libraries, student portals and financial aid to steal student credentials and university funds, the report read. The attacks targeted 14 U.S. universities, including Louisiana State University, University of Arizona, Southeastern Louisiana University, University of Massachusetts Amherst, Manhattan College, Rochester Institute of Technology, Bowling Green State University, Wright State University, Texas State University, University of North Texas, Abilene Christian University, The Evergreen State College, Western Washington University and University of Washington.
RiskIQ’s researchers wrote that the phishing attempts are similar to those that have been committed in the past by a company known as Mabna Institute, which has been linked to the Iranian regime. In 2018, the Justice Department indicted hackers working for the Mabna Institute who allegedly stole data from 140 American universities.
But because RiskIQ did not find sufficient evidence to attribute the threat activity to Mabna Institute, the company has dubbed the actors identified in the campaigns “Shadow Academy.” Still, the commonalities were clear.
“All these attacks used similar tactics, techniques, and procedures as Mabna Institute,” the report read.
Of the universities that RiskIQ said were targeted, 37% saw phishing campaigns impersonating libraries, 63% saw campaigns dressed up as student portals and 11% were targeted with financial aid-themed attacks.
The malicious domains were primarily focused on harvesting university credentials, which can be used to steal institutional data or financial assets, according to the report. RiskIQ’s research also suggested that the hackers timed the attacks to take advantage of the start of the fall semester, which can be a chaotic time that overwhelms IT staff.
The attacks were also uniquely difficult to uncover because shadow domains are often associated with well-known, trustworthy domains, and don’t necessarily stand out as malicious activity. With a large portion of colleges and universities relying on remote work and teaching during the pandemic, university IT leaders are faced with the challenge of protecting a much larger attack surface.
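One way a campus security team can surface the kind of lookalike domains described above is to triage DNS query logs against the institution's own domains and the three lure themes the report names. The following Python is an added example, not code from RiskIQ or the report; the protected domains, keyword lists and log lines are constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed for this example: the institution domains a campus team protects.
LEGIT_DOMAINS = ["lsu.edu", "arizona.edu", "umass.edu"]

# The three lures the report describes, with keywords a lookalike host tends to carry.
THEMES = {
    "library": ["library", "lib"],
    "portal": ["portal", "student", "login"],
    "financial aid": ["financialaid", "finaid", "bursar"],
}

def registrable(host):
    # Crude registrable domain: last two DNS labels (no public-suffix handling).
    return ".".join(host.split(".")[-2:])

def score_lookalike(host):
    # Return a finding dict if host impersonates a protected domain, else None.
    host = host.lower().rstrip(".")
    if registrable(host) in LEGIT_DOMAINS:
        return None  # genuinely ours: any subdomain of a protected domain
    tokens = set(host.replace("-", ".").split("."))
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        ratio = SequenceMatcher(None, registrable(host), legit).ratio()
        # Flag when our brand is embedded as a label (lsu-library-login.com)
        # or the registrable part is a near-typo of the real domain.
        if brand in tokens or ratio >= 0.8:
            themes = [t for t, kws in THEMES.items() if any(k in host for k in kws)]
            return {"host": host, "impersonates": legit,
                    "similarity": round(ratio, 2), "themes": themes}
    return None

def triage(log_lines):
    # Run score_lookalike over "<timestamp> <client> <queried_host>" log lines.
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        finding = score_lookalike(parts[2])
        if finding:
            findings.append(finding)
    return findings

# Constructed sample DNS log lines (not taken from the report).
SAMPLE_DNS_LOG = [
    "2020-09-01T08:00:01 10.0.0.5 lib.lsu.edu",
    "2020-09-01T08:00:02 10.0.0.7 lsu-library-login.com",
    "2020-09-01T08:00:03 10.0.0.9 umass-financialaid.net",
    "2020-09-01T08:00:04 10.0.0.9 github.com",
]
```

Running `triage(SAMPLE_DNS_LOG)` flags the two lookalike hosts with the lure theme each one carries, while the real `lib.lsu.edu` subdomain and the unrelated `github.com` query pass through untouched.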
“Remote schooling has expanded the security perimeter, meaning schools can no longer rely on on-site network security systems or devices like desktop computers to protect student data,” Mike Puglia, chief strategy officer at the cybersecurity company Kaseya, told EdScoop. “Today, any personal device used for learning from home offers malicious actors a new point of entry into a school’s systems, especially since many IT teams cannot actively access and monitor these personal devices.”
According to Puglia, many cyberattacks, like the Shadow Academy phishing efforts, aim to capture credentials to gain access to school networks. “Cybercriminals have been able to take advantage of less-secure home networks and mobile devices to gain access,” he said.
RiskIQ said it will continue to conduct research into Shadow Academy’s activities and share new findings.