# Iranian Hackers Charged in March Are Still Actively Phishing Universities

**[bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/](https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/)**

By [Catalin Cimpanu](https://www.bleepingcomputer.com/author/catalin-cimpanu/)

August 24, 2018 09:00 AM

An Iranian hacking group has continued its phishing operations undeterred by indictments from the US Department of Justice.

The group's name is Cobalt Dickens or Silent Librarian. In March 2018, the US DOJ charged nine hackers it believed were behind the group's activity.

DOJ officials said the suspects were "hackers-for-hire or affiliates of the Mabna Institute, an Iran-based company that, since at least 2013, conducted a coordinated campaign of cyber intrusions," at the behest of Iran's Islamic Revolutionary Guard Corps (IRGC), one of the country's intelligence agencies.

The nine were charged with carrying out cyber-attacks against 144 US universities and 176 universities in 21 foreign countries, as well as attacks against 47 US and foreign companies active in various private sectors.

According to court documents, the group primarily targeted universities. A PhishLabs report [described the group's modus operandi](https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-last-week-were-actually-pretty-damn-good-phishers/). Their favorite tactic, albeit not the only one, was to use phishing pages for a university's online library portal.

Hackers used the collected logins to steal intellectual property from the university's library, which they later resold online on various portals, such as Megapaper.ir (Megapaper) and Gigapaper.ir (Gigapaper), two websites operated by a company controlled by one of the nine suspects.

## New Cobalt Dickens campaign discovered

But according to a report shared with Bleeping Computer in advance, US cyber-security firm Secureworks says it detected new phishing attacks carried out by the same Cobalt Dickens group.

Secureworks researchers say they initially discovered one URL spoofing a login page for a university, but after further investigations, they uncovered a broader campaign aimed at multiple targets.

"Sixteen domains contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States," revealed Secureworks experts.

They also say the domains were registered between May and August 2018, a clear indicator that the indictment hasn't fazed the group's members or forced them underground, as most hackers tend to do after being publicly outed.

> After getting run off of [@Namecheap](https://twitter.com/Namecheap?ref_src=twsrc%5Etfw), [#SilentLibrarian](https://twitter.com/hashtag/SilentLibrarian?src=hash&ref_src=twsrc%5Etfw) actors are now using straight-up Iranian-hosted websites for their phishing sites. The group recently switched over to the domain UNTC[.]IR. Today's targets: [@LancasterUni](https://twitter.com/LancasterUni?ref_src=twsrc%5Etfw) [@ucl](https://twitter.com/ucl?ref_src=twsrc%5Etfw) [@Stockholm_Uni](https://twitter.com/Stockholm_Uni?ref_src=twsrc%5Etfw) Really covert guys!
>
> [— Crane Hassold (@CraneHassold) August 24, 2018](https://twitter.com/CraneHassold/status/1033000199726088193?ref_src=twsrc%5Etfw)

> These guys are busy today! Another [#SilentLibrarian](https://twitter.com/hashtag/SilentLibrarian?src=hash&ref_src=twsrc%5Etfw) actor has just activated [#phishing](https://twitter.com/hashtag/phishing?src=hash&ref_src=twsrc%5Etfw) sites targeting @NCState and [@tcddublin](https://twitter.com/tcddublin?ref_src=twsrc%5Etfw) on the domain LLLF[.]NL hosted on Freenom ([@dottk](https://twitter.com/dottk?ref_src=twsrc%5Etfw)). [pic.twitter.com/tGwJ3XKkhb](https://t.co/tGwJ3XKkhb)
>
> [— Crane Hassold (@CraneHassold) August 24, 2018](https://twitter.com/CraneHassold/status/1033060537804804098?ref_src=twsrc%5Etfw)

### Comments

[Warthog-Fan - 3 years ago](https://www.bleepingcomputer.com/forums/u/839020/warthog-fan/)

Why shouldn't these hackers keep up their phishing activity? It's not like they are going to get extradited to the U.S. to face criminal charges.