COBALT DICKENS

Since at least 2013, COBALT DICKENS has targeted universities, academia, and government organizations. The threat actors create lookalike domains to conduct phishing campaigns and use stolen credentials to steal intellectual property. In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian nationals in connection with activity through 2017. In August 2018, CTU researchers discovered infrastructure spoofing university resources that targeted over 150 institutions globally. As of this publication, the threat actors continue their operations. CTU researchers have identified over 250 sub-domains associated with COBALT DICKENS phishing campaigns.