Iranian hackers steal academic research worth billions from US universities, private companies

Research data that cost billions of dollars to acquire were stolen from hundreds of universities, academic journals, and private companies — including a US biotech among other victims — as part of a massive breach made by Iranian hackers over the past four years.

That’s according to the US Department of Justice, which recently announced charges against nine Iranian nationals with connections to the hacking organization: the Mabna Institute.

The hacking campaign was central to a line of business at Mabna Institute, which acts as a sort of pirated JSTOR for the Iranian academic and research community. Mabna, the indictment says, “was set up in order to assist Iranian universities (and) scientific and research organizations to obtain access to non-Iranian scientific resources.”

The institute was reportedly working on behalf of the Islamic Revolutionary Guard Corps, an Iranian government intelligence and military organization.

Mabna allegedly coordinated a massive cyber intrusion of over 300 universities — 144 of them based in the US. The organization stole nearly 32 terabytes of research data and intellectual property, that “cost the affected United States-based universities at least approximately $3.4 billion dollars to procure and access,” the indictment stated.

The cyberattack also hit at least 36 private sector companies including one biotech, although no names have been released.

The hackers focused largely on targets that used cloud-based single sign-on accounts — Office 365 in particular. Phishing attacks were tailored to university professors, with emails disguised as follow-ups to papers recently published. The emails included links that appeared to be to the articles themselves but instead led to clone websites that replicated the login webpage for the targeted institution in order to steal the target’s login credentials.

Other accounts were hit with “password spraying” attacks, which throw common passwords at cloud logins. The group would use a library of the most common passwords in rapid fire against these accounts until one worked, and then it would use the credentials to raid mailboxes.

The private companies attacked included three academic publishers, 11 technology companies, one industrial machinery company, one biotech, a healthcare provider, and a collection of consulting, marketing, and financial firms.

The best place to read Endpoints News? In your inbox.

Comprehensive daily news report for those who discover, develop, and market drugs. Join 47,900+ biopharma pros who read Endpoints News by email every day.

Free Subscription

Research Scientist - Immunology
Recursion Pharmaceuticals Salt Lake City, UT
Director of Operations
Atlas Venture Cambridge, MA

Visit Endpoints Careers ->