The Mabna Institute, an Iranian firm whose members were indicted last year for cyberattacks against U.S. universities and other organizations, appears to have launched a new global phishing operation targeting the education sector last July and August.

This past’s summer campaign follows the same basic m.o. as previous attacks that the same threat group has launched, according to a blog post yesterday by the Secureworks Counter Threat Unit Research Team, which refers to the malicious actor as Cobalt Dickens (aka Silent Librarian). In an attempt to steal university employees’ credentials, the attackers sent their targets phishing emails that impersonated library services.

“Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account,” read one sample phishing email, as shown in Secureworks’ blog post.

The emails contained links to fake university login pages – actually operated by Cobalt Dickens – where victims were encouraged to enter their user names and passwords. As soon as the attackers got their hands on the credentials, users would be redirected to the actual website they thought they were visiting. According to Secureworks, the attackers were able to copy the various university login pages used a pair of publicly available tools: the SingleFile plugin and HTTrack Website Copier standalone application.

Secureworks reports that the campaign targeted more than 60 universities in the U.S., Australia, the U.K., Canada, Hong Kong and Switzerland, and involved 20 malicious domains that used valid SSL certificates from non-profit certificate authority Let’s Encrypt in order to look authentic.

In March 2018, the DOJ leveled a series of federal charges against nine members of the Mabna Institute , which officials say worked on behalf of the Islamic Revolutionary Guard Corps (IRGC) and other Iranian clients to steal email credentials, proprietary research, data and intellectual property from universities, companies, government agencies and non-governmental organizations.

At the time of the indictment’s unsealing, DOJ officials claimed that since 2013 the Mabna Institute had successfully hacked nearly 8,000 professor email accounts at 144 U.S. universities, and 176 more around the world. The firm would then allegedly sell or distribute the stolen data to Iranian universities and other clients.

“As of this publication, CTU researchers observed COBALT DICKENS targeting at least 380 universities in over 30 countries,” Secureworks states in its blog post. “Many universities have been targeted multiple times. The threat actors have not changed their operations despite law enforcement activity, multiple public disclosures and takedown activity.”

To help counter the threat of stolen credentials, Secureworks recommends that universities implement multi-factor authentication.