Today, the Department of Justice announced charges against nine Iranian nationals connected to the Mabna Institute, a company which an FBI spokesman said was “created in 2013 for the express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions.” The stolen data was largely acquired from universities, but academic journal publishers, tech companies, other private companies, government organizations, and the United Nations were targeted as well.
The hacking campaign was central to a line of business at Mabna Institute, which acts as a sort of pirated JSTOR for the Iranian academic and research community. Mabna, the indictment claims, “was set up in order to assist Iranian universities [and] scientific and research organizations to obtain access to non-Iranian scientific resources.” In that capacity, DOJ attorneys claim, “The Mabna Institute contracted with Iranian governmental and private entities to conduct hacking activities on their behalf.”
In addition to acquiring research that the US and other countries banned access to in Iran and providing it to the Islamic Revolutionary Guard Corps, the principals of Mabna also sold both stolen research documents and access to hacked organizations’ online libraries through Megapaper.ir and Gigapaper.ir—websites controlled by Abdollah Karima, one of the principals of Mabna Institute. Over a four year period, Manba Institute is alleged to have gained access to computers at over 300 universities—roughly half of them in the United States—while gathering up a total of 31.5 terabytes of research data. Additionally, about 7,996 university accounts were compromised—about 3,768 of them at US universities.
Focusing largely on targets that used cloud-based single sign-on—and Office 365 in particular—the group raided the email accounts of victims in search of documents and access credentials, according to an FBI Flash advisory sent out today. In some cases, the targets were carefully selected for their areas of expertise and targeted with spear-phishing emails.
The spear-phishing attacks were tailored to specific university professors being targeted for their areas of research. The emails were disguised as follow-ups to papers recently published by the targets, with links that appeared to be to the articles themselves. These links were in fact to a site on “a malicious Internet domain named to appear confusingly similar to the authentic domain of the recipient professor’s university,” the indictment states. That site replicated the login Web page for the targeted institution in order to steal the target’s login credentials.
Other accounts, harvested from Internet searches or the contact lists of compromised accounts, were hit with “password spraying” attacks, throwing common passwords at cloud log-ins in an attempt to brute-force access to organizations’ networks. The group would use a library of the most common passwords against these accounts until one worked, and then it would use the credentials to raid mailboxes and continue the cycle.
In addition to the university account hacks, at least 36 US businesses had accounts compromised—as did state agencies of Hawaii and Indiana, the US Department of Labor, the Federal Energy Regulatory Commission (FERC), the United Nations, and the United Nations Children’s Fund. The companies attacked included three academic publishers, 11 technology companies, one industrial machinery company, one biotech firm, a healthcare provider, and a collection of consulting, marketing, and financial firms. A stock image company was also targeted, as were (strangely) two online car sales companies.