March 26, 2018 | By Panagiotis Kintis
On Friday, March 23rd, nine Iranians were charged with hacking and stealing secrets from American government agencies, companies and universities. The individuals worked for the Mabna Institute, which is based in Iran, as contractors and hackers for hire. The massive dataset collected by the hackers (31.5 terabytes in size) was sold in Iran, in what the U.S. Department of Justice (DoJ) characterizes as "one of the largest state-sponsored hacking campaigns ever prosecuted by the DoJ." The attackers used well-known techniques, such as spear-phishing, to acquire user credentials and infiltrate the systems holding the data.
IISP Analyst Panagiotis Kintis: "Social engineering attacks have been around since almost the beginning of time. Computers have made it far easier for people to communicate and, therefore, much easier for individuals to be targeted by social engineering. Phishing and spear-phishing attacks are a form of social engineering, where an individual is tricked into providing their credentials to a third party, through (usually) a fraudulent website.
This time, attackers managed to acquire credentials for almost 8,000 user accounts, from 320 universities (in 22 countries), approximately half of which (3,768) were used in the 144 American universities* that were targeted. After getting user accounts, the attackers simply started copying anything they could get their hands on.
The unfortunate event would have been prevented if users had understood the difference between a phishing email and a real one. Of course, once again, this is far from the users' fault. Users are (mostly) going through security training, and phishing is one of the most important topics. However, phishing exercises prove that users can still be tricked. Probably, the way phishing training takes place might not provide the ideal outcome. When the user understands how important phishing is, it is too late. Training should become more engaging and speak the users' language. It is not "yet another exercise"; it is probably one of the most important exercises, and that should be reflected.
Inarguably, attackers are getting smarter every day. Sometimes, it is really hard to differentiate between a normal email and a phishing one. If you don't believe me, try some phishing quizzes here and here. I will not lie; I did not get a perfect score on some of them! Phishing attacks, and especially spear-phishing ones, can be very sophisticated, thoroughly thought through, and flawlessly executed. They are the attackers' "way in" to your network.
My advice would be to consider email as your front door. Would you open it to a stranger, or someone you did not expect? When in doubt, ignore the email. Someone knocking on your door will eventually call if it is important. Email is no different."
For further reading
The New York Times: https://www.nytimes.com/2018/03/23/us/politics/iranians-hacking-scheme-irgc.html
The Hacker News: https://thehackernews.com/2018/03/iranian-hackers-wanted-by-fbi.html
*The Georgia Institute of Technology is not believed to have been compromised by this hacking group.