Sophisticated Iranian hack of university accounts offers lessons

by Shannon Roddel

Mike Chapple

The U.S. Justice Department on March 23 (Friday) charged nine Iranians in one of the largest state-sponsored hacks ever prosecuted — an attack to steal electronic data from universities, private corporations and U.S. government entities.

The hacking, which began around five years ago, does not appear to have targeted the University of Notre Dame, but pilfered academic data and intellectual property from 144 U.S. universities and 176 universities in 21 other countries. Mike Chapple, associate teaching professor of IT, analytics and operations in Notre Dame’s Mendoza College of Business, says the hacking was sophisticated, clever and carefully designed to appeal to specific professors.

“The attackers did their homework, researching the academic backgrounds of individual professors and sending them forged email messages designed to appear as if they were from colleagues in the same field of study at other institutions,” says Chapple, who previously served as senior director for IT service delivery in Notre Dame’s Office of Information Technologies. “If the targeted professor clicked the link, they landed at a fake webpage designed to look like their university’s login page. If they logged into the fake site, the Iranians learned their username and password and used it to gain access to the professor’s account.”

Chapple says the attacks were highly successful because they preyed upon the vanity of each targeted professor. He gives the following fictitious example of the types of phishing emails received by professors:

Dear Professor Nieuwland,

I read with great interest your recent paper published in the Journal of Obscure Studies. Your in-depth analysis of the protein consumption habits of male rodents on Asok Island fills a long-neglected gap in our field.

I thought that you might be interested in reading a study that I recently published in the Journal of Indonesian Mammals looking at a similar population on nearby Pandan Island. I will be returning there later this year to conduct a follow-up study and would be interested in collaborating on future work if you are interested.

Here is a link to the article: http://www.indonesianmammals.org/feb2018/pandan.html

I look forward to hearing from you.

Sincerely,

Edward Irish

Professor of Biological Sciences

Another University

“What faculty member wouldn’t be flattered to receive an email like this from a colleague clearly interested in our research and extending an offer of future collaboration?” Chapple asks. “Most of us would immediately click the link and skim the paper to get a sense of the related work. If the first thing that we saw after clicking the link was our university’s login page, we’d likely grunt in frustration, tap out our username and password, and rush to read the article.”

These messages, however, originated not from an interested colleague, but from the Mabna Institute, an Iranian government-linked company charged with assisting Iranian universities and scientific/research organizations in gaining access to foreign scientific information.

While it might seem strange that Iranian hackers were targeting academics, Chapple says, they had two main goals.

“You have to remember that university research, particularly in science and engineering, is of great interest to foreign governments,” he says. “They allegedly stole the intellectual property, then resold the accounts through Iranian websites, so that individuals could gain access to the library and computing resources of major universities.

“One of the main reasons these attacks were successful is that professors don’t see themselves as likely targets of attackers. We generally don’t handle very sensitive information or have access to financial resources. Our accounts do, however, unlock the doors to the tremendous technology and research capabilities of our universities.”

The U.S. government alleges that Mabna stole 31.5 terabytes of “academic data and intellectual property” from victim universities. Chapple says a scientific paper loaded with figures might run about three megabytes, meaning the amount of information stolen was the size of about 10 million scientific papers.

The lesson, Chapple says, is that we are the targets of cyberattacks by serious and talented adversaries with the financial backing of foreign governments and need to take the security of our accounts seriously.

“Fortunately, there’s a simple solution to this problem that goes beyond hackneyed warnings to faculty and staff that they should be more careful and avoid responding to suspicious emails. Multifactor authentication technology stops password phishing attacks in their tracks by adding a second step to the login process. After providing a username and password, users receive a message on their phone asking them to approve the login before being granted access. This is often as simple as clicking OK, but the second or two spent completing this extra step prevents someone who stole your password, but not your phone, from accessing your account.”

Notre Dame has adopted this technology for all faculty, staff and students, as have many other schools, including Harvard, University of California, Berkeley and Indiana University.
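
As an added illustration of the two-step login Chapple describes (this is constructed example code, not code from the article or from any university's login system): a small login server in which a phished username and password still pass the first step, but the approval must be computed by the enrolled phone, so the stolen password alone is refused. The usernames, passwords and keys are constructed, and modelling the phone's "OK" as an HMAC over a per-login challenge is an assumption about mechanism, not a description of any particular product.

```python
import hashlib
import hmac
import secrets

class LoginServer:
    """Constructed two-step login: password check, then phone approval."""

    def __init__(self):
        self.passwords = {}   # username -> (salt, PBKDF2 hash)
        self.phone_keys = {}  # username -> secret held only by the enrolled phone
        self.pending = {}     # login id -> (username, challenge nonce)

    def enroll(self, username, password):
        salt, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.passwords[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self.phone_keys[username] = key
        return key  # provisioned into the phone app once, at enrollment

    def step1_password(self, username, password):
        """Step 1: a phished username/password still passes this check."""
        salt, expected = self.passwords.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, expected):
            return None
        login_id = secrets.token_hex(8)
        self.pending[login_id] = (username, secrets.token_bytes(16))
        return login_id

    def challenge_for(self, login_id):
        """The push message; in practice delivered only to the enrolled phone."""
        return self.pending[login_id][1]

    def step2_approve(self, login_id, approval):
        """Step 2: only a device holding the enrolled key can approve."""
        entry = self.pending.pop(login_id, None)  # each challenge is single-use
        if entry is None:
            return False
        username, nonce = entry
        expected = hmac.new(self.phone_keys[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(approval, expected)

def phone_approve(key, nonce):
    """What the enrolled phone computes when its owner taps OK."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    """Phished password alone is denied; password plus the real phone succeeds."""
    server = LoginServer()
    key = server.enroll("nieuwland", "correct horse")  # constructed credentials
    attacker = server.step1_password("nieuwland", "correct horse")
    password_only = server.step2_approve(attacker, b"\x00" * 32)  # no phone key
    legit = server.step1_password("nieuwland", "correct horse")
    with_phone = server.step2_approve(legit, phone_approve(key, server.challenge_for(legit)))
    return password_only, with_phone  # (False, True)
```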

“When schools roll out multifactor authentication, they typically see an immediate and dramatic plunge in successful account thefts to a near-zero rate,” Chapple says. “At the same time, they’re often surprised to see how quickly faculty and staff adapt to the new approach.”

Contact: Mike Chapple, 574-631-5863, mchapple@nd.edu