Cyber Incident Victim: University of California, Los Angeles
Date:
Jan 2019
Location:
United States of America
Summary
Legitimate email accounts at multiple universities, including Purdue University, the University of Oxford and Stanford University, were hijacked and used to send phishing emails. Because the messages left the universities' own mail servers, they passed sender-authentication checks such as Sender Policy Framework (SPF) rather than being caught by them. The emails tricked recipients into handing over their email credentials or installing malware. The attackers exploited poorly managed passwords and an improperly configured email server to carry out the campaign, which was likely motivated by personal gain.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Legitimate email accounts at multiple universities, including Purdue University, the University of Oxford and Stanford University, were hijacked and used to send phishing emails that passed Sender Policy Framework (SPF) checks. SPF lets a domain publish the mail servers authorized to send on its behalf, so it blocks forged envelope senders; it says nothing about whether the person using an account is its rightful owner. The phishing mail originated from the universities' own authorized servers, so SPF passed as designed, and the targeted commercial organization's policy accepted mail from those servers as a matter of course.

The phishing emails were convincing and appeared to come from legitimate university accounts. In one instance, a message sent from a Stanford University account posed as a Microsoft "system message" reporting the status of some quarantined messages. It offered several links to view them; clicking led either to a Microsoft Outlook credential-harvesting site or to a malware download. Because the mail was sent from the hijacked mailbox itself, the "From" field carried the real account holder's name and email address, which made the message look even more authentic.
The attackers gained access to the university accounts by exploiting poorly managed passwords. The account owners most likely fell for an earlier credential-harvesting scheme, such as a phishing email or a malicious link, that handed the attackers their login credentials. Once inside, the attackers changed the passwords themselves, locking out the original owners. Strong, unique passwords and two-factor authentication would have denied that initial access, and an unexpected password change on a mailbox is itself an account-takeover signal worth alerting on.
In addition to weak passwords, the attackers took advantage of an improperly configured email server. At the University of Oxford they found a misconfigured Simple Mail Transfer Protocol (SMTP) server that let them mint sender addresses in the university's domain at will and send phishing mail from them. Because those messages left an authorized university server and carried a From domain matching the authenticated domain, they passed both SPF and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks. DMARC requires only one aligned pass from SPF or DKIM, so a single authorized but misconfigured server is enough to satisfy it, and the messages looked fully legitimate to recipients.
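To make the SPF and DMARC point concrete, here is an added example, not code from this page or from any of the organizations named above, that evaluates SPF and SPF-based DMARC alignment the way a receiving server does. The domain names, IP ranges and DNS records are constructed (documentation address ranges), and the evaluator covers only the ip4, include and all mechanisms; DKIM, mx, a, exists and redirect are omitted. It generalizes the description above: the same code shows a forged message failing, a hijacked account sending through its university's own server passing, and an address minted on an authorized but misconfigured server passing too.

```python
import ipaddress

# Constructed DNS data for the example: the domain names and address ranges
# are invented, not the real records of any university or mail provider.
FAKE_DNS = {
    "example-university.edu":
        "v=spf1 ip4:198.51.100.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example-university.edu": "v=DMARC1; p=reject; aspf=r",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sending_ip, mail_from_domain, dns=FAKE_DNS, depth=0):
    """Minimal SPF evaluator: ip4, include and all (no mx/a/exists/redirect).

    Returns pass/fail/softfail/neutral/none/permerror as in RFC 7208. Note what
    is being checked: the sending server's IP against the domain's published
    policy. The identity of the mailbox owner never enters the computation.
    """
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = dns.get(mail_from_domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = mechanism.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(sending_ip, arg, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no 'all' term


def _org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC uses the
    # Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def check_dmarc(header_from, mail_from, sending_ip, dns=FAKE_DNS):
    """Evaluate DMARC using the SPF identifier only (DKIM omitted for brevity).

    Returns (spf_result, aligned, disposition). Disposition is 'pass' when an
    aligned SPF pass exists, otherwise the From domain's published p= policy.
    """
    from_domain = header_from.rsplit("@", 1)[-1].lower()
    spf_domain = mail_from.rsplit("@", 1)[-1].lower()
    spf = check_spf(sending_ip, spf_domain, dns)
    record = dns.get("_dmarc." + _org_domain(from_domain), "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("aspf", "r") == "s":
        aligned = spf_domain == from_domain
    else:
        aligned = _org_domain(spf_domain) == _org_domain(from_domain)
    if spf == "pass" and aligned:
        return spf, True, "pass"
    return spf, aligned, tags.get("p", "none")


if __name__ == "__main__":
    owner = "registrar@example-university.edu"
    # 1. Forged From header sent from an attacker host: SPF fails, DMARC rejects.
    print("forged    ", check_dmarc(owner, owner, "192.0.2.7"))
    # 2. Hijacked account sending through the university's own server: passes.
    print("hijacked  ", check_dmarc(owner, owner, "198.51.100.25"))
    # 3. Address minted on an authorized but misconfigured server: also passes.
    minted = "it-alerts@example-university.edu"
    print("minted    ", check_dmarc(minted, minted, "198.51.100.40"))
```

The second and third cases are the incident in miniature: every check the receiver can run on the sending infrastructure says "legitimate", because it is. Only the content, the links and the account's behaviour can distinguish them from real mail.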
The phishing emails were targeted and used a range of lures to trick recipients into handing over their email credentials or installing malware. Some, for example, claimed that the recipient had a missed call and linked to an attachment purporting to be the voicemail. Lures of this kind manufacture urgency so that the recipient acts before thinking twice.
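Because sender authentication passed, the lures and link tricks just described are what a content-based triage step has to catch. The following is an added example, not this page's own code or any organization's tooling: a small Python triage function run over three constructed messages (every address, host and filename is invented) modelled on the quarantine-notice and missed-call lures, with a benign message to show the checks do not fire on ordinary mail. The Microsoft/Outlook host allow-list and the risky-extension list are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases matching the lures described above (quarantine notice, missed-call
# voicemail) plus one generic urgency cue.
LURE_PATTERNS = (r"quarantined? messages?", r"system message", r"missed call",
                 r"voice ?mail", r"within 24 hours")
# Hosts a Microsoft/Outlook-branded link may legitimately point at. Assumed
# for the example; not an authoritative allow-list.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "outlook.com", "live.com")
RISKY_ATTACHMENTS = (".htm", ".html", ".exe", ".js", ".vbs", ".zip", ".iso")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(raw_message):
    """Return content-based findings for one RFC 5322 message.

    Authentication-Results is deliberately ignored: in this campaign SPF and
    DMARC passed, so the signal has to come from lures, links and attachments.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    findings, bodies = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENTS):
            findings.append(f"risky attachment: {filename}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_content())
    text = "\n".join([msg.get("Subject", ""), *bodies])
    for pattern in LURE_PATTERNS:
        if re.search(pattern, text, re.I):
            findings.append(f"lure phrase: {pattern}")
    collector = _LinkCollector()
    for body in bodies:
        collector.feed(body)
    for href, visible in collector.links:
        target = _host(href)
        if re.search(r"microsoft|outlook|office", visible, re.I) and not _trusted(target):
            findings.append(f"Microsoft-branded link points to {target}")
        if visible.lower().startswith("http") and _host(visible) != target:
            findings.append(f"displayed URL {_host(visible)} differs from target {target}")
    return findings


# Constructed samples modelled on the lures in the description; every address,
# host and filename is invented for the example.
def _base(subject, body):
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jdoe@example-university.edu>"
    msg["To"] = "finance@victim-corp.example"
    msg["Subject"] = subject
    msg["Authentication-Results"] = "mx.victim-corp.example; spf=pass; dmarc=pass"
    msg.set_content(body)
    return msg


def sample_quarantine_lure():
    msg = _base("Microsoft system message: 3 quarantined messages",
                "Your quarantined messages are waiting for review.")
    msg.add_alternative('<p>You have 3 quarantined messages. <a href='
                        '"http://outlook-quarantine.example-hosting.net/login">'
                        'Review in Microsoft Outlook</a></p>', subtype="html")
    return msg.as_string()


def sample_voicemail_lure():
    msg = _base("You have a missed call (0:42)", "Open the attached voicemail to listen.")
    msg.add_attachment("<html><script>/* payload */</script></html>",
                       subtype="html", filename="Voicemail_0042.html")
    return msg.as_string()


def sample_benign():
    msg = _base("Draft agenda for Thursday", "Agenda below; reply if you want changes.")
    msg.add_alternative('<p>Agenda: <a href="https://outlook.office.com/mail/">Outlook</a></p>',
                        subtype="html")
    return msg.as_string()


if __name__ == "__main__":
    for name, raw in [("quarantine", sample_quarantine_lure()),
                      ("voicemail", sample_voicemail_lure()),
                      ("benign", sample_benign())]:
        print(name, triage(raw))
```

The design choice worth noting is what the function does not look at: the `Authentication-Results` header says `spf=pass; dmarc=pass` on every sample, and it would say the same on the real campaign mail, so it is not a discriminator here. Branded-link host mismatch and risky attachment types are cheap signals that survive a compromised sender.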
The incident shows what robust anti-phishing defences must include, and what they cannot do on their own. Enforcing SPF and DMARC (with DKIM) on inbound mail stops forged senders, but these checks authenticate the sending domain, not the person behind the mailbox, and every message in this campaign passed them. Defences therefore also need content- and link-based filtering, including machine-learning classifiers, sandboxing of links and attachments, and monitoring for account-takeover indicators such as unexpected password changes on sending accounts. Users should be trained to recognise and report phishing emails, use strong, unique passwords and enable two-factor authentication.
The attackers are believed to have been motivated by personal gain. The scale of the campaign, spanning several universities and several distinct lure templates, points to an organized and persistent actor rather than an opportunistic one.
The incident also highlights the importance of collaboration and information-sharing between organizations to prevent cyber attacks. By sharing information about the tactics and techniques used by the attackers, organizations can better defend themselves against similar attacks in the future. Additionally, collaboration between organizations can help to identify and disrupt the attackers' infrastructure, making it more difficult for them to carry out future attacks.
The attackers have been linked to the threat group tracked as TA407, also known as Cobalt Dickens and Silent Librarian. The group is believed to be based in Iran and has run repeated credential-phishing campaigns against universities, which is consistent with the targeting seen here.
The incident has significant implications for the higher education sector, a frequent target because of the research and personal data it holds and because its mail is trusted by other organizations. That several university accounts could be hijacked and turned against a third party shows that the sector needs to do more: enforce strong authentication, train users to identify and report phishing, and share indicators and best practices with peer institutions. Overall, the incident illustrates a threat landscape in which legitimate, authenticated infrastructure is turned against its owners' correspondents, and organizations need to be vigilant accordingly.
