Why are Iran-based hackers stealing university research data?

University data breach. Image: Reuters and Facebook

An Iranian hacking syndicate is the latest cyber group accused of large-scale intellectual-property theft: it allegedly stole more than 31 terabytes of academic data from universities around the world, including Singapore's top institutions, and reportedly targeted over 120,000 university email accounts.

Singapore's Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore University of Technology and Design and Singapore Management University are among the institutions attacked by the Iran-based hackers.

These universities informed the Cyber Security Agency (CSA) and the Ministry of Education (MOE) of the breach on April 3, after finding that 52 staff accounts had been compromised by a then-unidentified group.

Adam McNeil, a senior malware intelligence analyst at Malwarebytes, said in an exclusive interview with IBTimes Singapore that the hacking group targeted not only Singapore but also the US, UK, Germany, Canada, Israel, Japan, South Korea and other countries. McNeil said the group succeeded in stealing over 8,000 records from 320 universities.

McNeil referred to FBI Deputy Director David Bowdich's remarks that the hacking "indicated that Iranian national compromised accounts belonging to a US media and entertainment company and then engaged in attempts to extort $6 billion from the victim."

When the analyst was asked about the use of the stolen data, he quoted the US Justice Department's allegation that "the stolen information can be used to give industries a competitive advantage and also sold for profit. The stolen information was estimated to have cost approximately $4.2 billion dollars to produce and estimated to exceed 31 terabytes in size."

The US Justice Department has identified nine hackers so far and they are: Gholamreza Rafatnejad, Ehsan Mohammadi, Abdollah Karima aka Vahid Karima, Mostafa Sadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam and Sajjad Tahmasebi.

These hackers "were working as leaders, contractors, associates, hackers-for-hire, and affiliates of the Mabna Institute – an Iran based company that was responsible for a coordinated campaign targeting 144 US-based universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, US Department of Labor, Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children's Fund," said McNeil.

US Deputy Attorney General Rod Rosenstein has described the defendants as "fugitives from justice," adding that "there are more than 100 countries where they may face arrest and extradition to the United States," McNeil said.

He said the officials from the US Justice Department believe that the purpose of the attack was to acquire "scientific research from all fields, including science and technology, engineering, social science, medical."

He noted further that the US indictment alleges the hackers also targeted private sector organizations, including law firms, technology companies, consulting companies, financial services firms, healthcare companies, biotech companies and others. Access was gained via compromised credentials; once inside, entire email inboxes were stolen and the accounts were configured to forward any new mail received, he explained.
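The post-compromise step described above, a rule that silently forwards every new message to an attacker-controlled address, is one of the few indicators a defender can check for directly. The following script is an added example and is not part of the original article or any vendor tool. It scans an export of mailbox inbox rules and flags any that forward or redirect outside the organisation; the field names are modelled on what an Exchange Online `Get-InboxRule` or Microsoft Graph `messageRules` export contains, but the sample records, the internal domain list and the `find_external_forwarding` helper are all constructed here for illustration and are assumptions, not data from the page.

```python
"""Flag mailbox inbox rules that auto-forward mail outside the organisation.

Added example, not from the original article. The records in SAMPLE_RULES
are constructed to resemble an Exchange Online / Microsoft Graph inbox-rule
export; field names and addresses are assumptions for illustration only.
"""

# Assumed defender-owned domains; anything else counts as external.
INTERNAL_DOMAINS = {"ntu.edu.sg", "nus.edu.sg"}

# Constructed sample: three mailboxes, one of them showing the attacker pattern
# (forward to an outside address, delete the original, near-empty rule name).
SAMPLE_RULES = [
    {"mailbox": "alice@ntu.edu.sg", "name": "Lab mailing list",
     "forwardTo": ["lab-list@ntu.edu.sg"], "redirectTo": [],
     "forwardAsAttachmentTo": [], "deleteMessage": False, "enabled": True},
    {"mailbox": "bob@nus.edu.sg", "name": ".",
     "forwardTo": ["b0b.research@example-mail.net"], "redirectTo": [],
     "forwardAsAttachmentTo": [], "deleteMessage": True, "enabled": True},
    {"mailbox": "carol@nus.edu.sg", "name": "Old rule",
     "forwardTo": [], "redirectTo": ["carol.home@example-mail.net"],
     "forwardAsAttachmentTo": [], "deleteMessage": False, "enabled": False},
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def find_external_forwarding(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule whose forward/redirect targets leave the org.

    Severity: 'high' if the rule is enabled and also deletes the original
    (the owner never sees the forwarded mail), 'medium' if enabled without
    deletion, 'low' if the rule exists but is disabled.
    """
    findings = []
    for rule in rules:
        targets = (rule.get("forwardTo", []) + rule.get("redirectTo", [])
                   + rule.get("forwardAsAttachmentTo", []))
        external = [t for t in targets if _domain(t) not in internal_domains]
        if not external:
            continue  # purely internal forwarding is normal

        reasons = ["forwards outside org to " + ", ".join(external)]
        if rule.get("deleteMessage"):
            reasons.append("deletes the original (hides the forward from the owner)")
        if len(rule.get("name", "").strip(". ")) <= 1:
            reasons.append("near-empty rule name, a common evasion")

        if rule.get("enabled") and rule.get("deleteMessage"):
            severity = "high"
        elif rule.get("enabled"):
            severity = "medium"
        else:
            severity = "low"

        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name"),
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule {f['rule']!r}: "
              + "; ".join(f["reasons"]))
```

In practice the input would come from a scheduled export across all mailboxes, and the high-severity hits would be paired with the sign-in logs for the same accounts, since the rule is created only after the credentials have already been used.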

In addition, the Malwarebytes analyst said that, in light of the fresh accusations, the hackers may also have targeted government and non-governmental organizations, including the US Department of Labor, the Federal Energy Regulatory Commission (FERC) and the United Nations. FERC in particular could have been targeted because it regulates the interstate transmission of electricity, natural gas and oil, and may hold some of the country's most sensitive oil infrastructure details, which would be of interest to Iran as an oil-producing country.

On their modus operandi, McNeil said the intrusions likely originated from malicious email campaigns. Users can reduce the risk by not clicking on links received from unknown individuals "in email and be wary of downloads from less reputable sources."

The FBI has also asked the public to use strong passwords and enable multi-factor authentication to avoid such cyber-attacks.

This article was first published on April 6, 2018