Iranian flag

An Iranian hacking group has continued its phishing operations undeterred by indictments from the US Department of Justice.

The group's name is Cobalt Dickens or Silent Librarian. In March 2018, the US DOJ charged nine hackers it believed were behind the group's activity.

DOJ officials said the suspects were "hackers-for-hire or affiliates of the Mabna Institute, an Iran-based company that, since at least 2013, conducted a coordinated campaign of cyber intrusions," at the behest of Iran's Islamic Revolutionary Guard Corps (IRGC), one of the country's intelligence agencies.

The nine were charged with carrying out cyber-attacks against 144 US universities and 176 universities in 21 foreign countries, but also attacks against 47 US and foreign companies active in various private sectors.

According to court documents, the group primarily targeted universities. A PhishLabs report described the group's modus operandi. Their favorite tactic, albeit not the only one, was to use phishing pages for a university's online library portal.

Hackers used the collected logins to steal intellectual property from the university's library, which they later resold online on various portals, such as (Megapaper) and (Gigapaper), two websites operated by a company controlled by one of the nine suspects.

New Cobalt Dickens campaign discovered

But according to a report shared with Bleeping Computer in advance, US cyber-security firm Secureworks says it detected new phishing attacks carried out by the same Cobalt Dickens group.

Secureworks researchers say they initially discovered one URL spoofing a login page for a university but after further investigations, they uncovered a broader campaign aimed at multiple targets.

"Sixteen domains contained over 300 spoofed websites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States," revealed Secureworks experts.

They also say the domains were registered between May and August 2018, a clear indicator that the indictment hasn't phased the group's members or forced them underground, as most hackers tend to do after being publicly ousted.

Related Articles:

APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild

Phishing Report Shows Microsoft, Paypal, & Netflix as Top Targets

Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers

Largest Cyber Attack Against Iceland Driven by Complex Phishing Scheme

Phishing Attacks Distributed Through CloudFlare's IPFS Gateway