20 Universities targeted by “Shadow Academy” hackers

Hackers identified after the discovery of a fake Louisiana State University student portal

man reading computer code

Louisiana State University (LSU) and 19 other universities worldwide have fallen victim to a spate of phishing campaigns that could be related to attacks carried out by an Iranian-based company on U.S. agencies, universities, and businesses.

According to a report by cybersecurity firm RiskIQ, the attacks took place between July and October this year and uncovered 20 unique targets in Australia, Afghanistan, the UK, and the US.  The attacks “used similar tactics, techniques, and procedures (TTPs) as Mabna Institute,” an Iranian company the FBI says was created for illegally gaining access "to non-Iranian scientific resources through computer intrusions." 

Mabna, also known as "Silent Librarian,” tried to compromise university students and faculty and harvest credentials by impersonating university library resources via domain shadowing.  However, RiskIQ did not find enough evidence to link the campaigns to Mabna, so it decided to name hackers identified during this research as "Shadow Academy."

The first target identified from RiskIQ crawl data was an LSU-themed student portal login page. According to researchers, it became clear that threat actors were leveraging domain shadowing, the same technique Silent Librarian used.

In addition to LSU, the attacks targeted 14 other US educational institutions. These include University of Arizona, Southeastern Louisiana University, University of Massachusetts Amherst, Manhattan College, Rochester Institute of Technology, Bowling Green State University, Wright State University, Texas State University, University of North Texas, Abilene Christian University, The Evergreen State College, Western Washington University and the University of Washington.

Of the universities targeted, 37% saw phishing campaigns impersonating libraries, 63% saw campaigns dressed up as student portals, and 11% were financial aid-themed attacks.

The attacks initially focused on stealing domain account credentials. They then register unauthorized subdomains to point traffic to malicious servers or, in this case, create phishing pages.

“These subdomains are challenging to detect because they are associated with well-known domains, often don't follow any discernible pattern, and don't affect the parent domain or anything hosted on that domain,” said researchers.

Researchers suggested the hackers timed the development of malicious infrastructure to take advantage of the first few days of class, which can be a chaotic time that overwhelms IT staff. 

“However, having access to the infrastructure that comprises the web helps analysts note similarities between threat campaigns are observable behavior by threat actors to track them to identify and investigate threats during heightened periods of attacker activity,” researchers said.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
FBI warns of ongoing corporate vishing attacks
phishing

FBI warns of ongoing corporate vishing attacks

19 Jan 2021
How LogPoint uses MITRE ATT&CK
Whitepaper

How LogPoint uses MITRE ATT&CK

15 Jan 2021
Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021