Iranian Hackers Allegedly Attacked 4 Singapore Universities52 Accounts Targeted in What Was Likely a Phishing Attack
Four Singapore universities were allegedly attacked by an Iranian hacking group accused of stealing more than 31 terabytes of data from universities all over the world, local officials confirmed.
Among those who were victims of the hacks were 8,000 professors at 144 U.S. universities and 176 universities elsewhere, the U.S. Justice Department said. Also targeted were 30 U.S. companies and five U.S. government agencies. (See: Britain Backs US Hacking Allegations Against Iranians)
In Singapore, a total of 52 accounts were breached at Nanyang Technological University, National University of Singapore, Singapore Management University and Singapore University of Technology and Design, according to a joint statement by the Cyber Security Agency of Singapore and Ministry of Education. Details of when the attack took place are still not known.
Nine Iranian nationals were indicted in the United States last week for these attacks, and it was in the wake of this that the Singapore compromise was revealed. According to the FBI, the hackers worked for a company called Mabna Institute, which had been set up by the Iranian government to gather intelligence including running black hat operations.
"CSA received information last week about the breach of 52 accounts in four Singapore educational institutions and promptly alerted the Ministry of Education, as well as the respective institutions to run a check on their networks," CSA tells Information Security Media Group. "Both CSA and MOE have been working closely with the institutions on investigations and have advised the institutions on incident response and the remediation measures to take."
CSA has issued advisory for the universities as well as for the users. Phishing is a prevalent cyber threat in Singapore, it notes. "Users should also refrain from providing personal information on unknown sites," CSA stresses. "If users have inadvertently provided their personal information, they should monitor their email accounts for unusual activity."
Tom Wills, director, OnTrack Advisory, a firm which provides client development, engagement advice to multinational companies, believes that the breaches were the result of a global phishing campaign.
"Phishing emails [likely] led users to a fake website that was used to gather the users' login credentials," he says.
Dharshan Shanthamurthy, CEO at SISA, a payment security company, adds: "The phishing attacks must have prompted academicians to provide their user account and password details. It looks like a targeted approach towards universities to steal academic data."
Some security experts say the university attacks may be similar to last year's attacks on National University of Singapore (NUS) and Nanyang Technological University (NTU) networks. NUS had detected an unauthorized intrusion into its IT systems through a single server, while NTU had detected a malware attack due to phishing or browsing of infected sites.
CSA Singapore, however, says the university attacks are not linked to the earlier incidents. "This incident does not appear to be linked to the 2017 APT attack on NUS and NTU. There has been no evidence of exfiltration of sensitive information at this time," the CSA spokesperson says.
"It's likely that the hackers used a similar lure to the one they've used in other attacks on academic institutions: a notice that the user's library account would soon expire and instructing the user to 'reactivate their account' by logging in at the hacker's website which looked identical to the actual library site," Wills says. "It's only a guess and confirmations are awaited".
Too prevent similar breaches, the universities should "more reliably harden their systems," Willis suggests, calling for putting in place "robust and comprehensive security programs, including both technical and human-based controls, in line with international standards such as the NIST 800 series, ISO 27000 series, and ISF Standard of good practice."