
Charleston startup helps uncover Iranian hacking scheme, among largest state-backed attacks ever


The Charleston cybersecurity startup PhishLabs is headquartered in the Pacific Box and Crate development on the King Street Extension. File/Thad Moore/Staff

Iranian hackers stole academic research worth billions of dollars from hundreds of universities around the world — until a Charleston cybersecurity firm caught onto the scheme.

In the process, the company, PhishLabs, helped uncover what federal authorities are describing as "one of the largest state-sponsored hacking campaigns ever prosecuted."

PhishLabs, a startup headquartered on Charleston's upper peninsula, said Monday that it came across the Iranian hacking campaign in December. That's when it found two websites chock full of web pages mimicking universities.

Crane Hassold, the company's director of threat intelligence, found the first traces while researching cyber attacks targeting universities. It seemed like it might be part of something bigger, so he scooped up information about who started the websites and set out to find more like them.

He reached a startling conclusion: More than 300 universities around the world had been targeted over the course of nearly five years.

They included big-name research institutions, and the attacks all focused on getting access to the schools' library systems, apparently in hopes of finding proprietary research. None appears to have been in South Carolina, Hassold says.

"The phishing pages were all targeted specifically toward the libraries of the universities, so it was very unique and something I'd never seen before," Hassold said. "If you looked at the list of universities, it's certainly not like they were selected at random. They were selected for a reason."

The campaign was simple enough. University professors — and, PhishLabs says, some students — were sent falsified emails saying they needed to update their login information to access library materials. The United Nations, two federal agencies, two states and dozens of businesses got similar messages.

Thousands of people took the bait, mistakenly handing over their account credentials. The attackers used it to hoover up an enormous trove of costly academic research, which they resold in Iran and shared with the government. The campaign cost American universities $3.4 billion in access fees, according to indictments unsealed on Friday.


All told, the Iranians snatched 31.5 terabytes of research. To run through that much data, you'd need to watch Netflix nonstop for a year.

The Iranian campaign is a massive example of phishing, which is one of the most common types of cyber attacks. That's the practice of sending spoof emails that mimic legitimate institutions to pry personal information from unwitting users.
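The article describes how the campaign was spotted: lookalike pages aimed at university library logins, then a pivot on who registered the sites to find more of them. The script below is an added illustration of that defender-side triage, written for this page; it is not PhishLabs' code and every domain, page title and registrant address in it is a constructed placeholder. It flags pages whose hostname borrows a university's name without sitting on that university's real domain and that carry library-login wording, then groups the flagged pages by shared registrant so a single actor running many sites stands out from one-off spoofs.

```python
"""Lookalike university-library login pages: flag, then cluster by registrant.

Added example, not code from the article or from PhishLabs. All domains,
titles and registrant contacts are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allowlist of the universities' real domains (assumption).
LEGIT_DOMAINS = {"example-univ.edu", "sample-college.ac.uk"}

# Wording that, combined with a borrowed university name, suggests a library lure.
LIBRARY_TOKENS = ("library", "lib", "ezproxy", "proxy", "login")


@dataclass
class PageRecord:
    url: str
    title: str
    registrant: str  # registration contact an analyst collected for the site


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, or three for
    suffixes such as ac.uk / edu.au. Real tooling would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"ac", "edu", "co"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_university(host: str) -> Optional[str]:
    """Return the legitimate domain whose name appears in a host that is NOT
    actually under that domain (e.g. example-univ.edu.lib-access.com); else None."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return None  # genuinely hosted by the university
    for legit in LEGIT_DOMAINS:
        stem = legit.split(".")[0]  # 'example-univ'
        if stem in host.lower():
            return legit
    return None


def is_library_lure(rec: PageRecord) -> bool:
    """True when the page borrows a university name off-domain and talks about library access."""
    host = urlparse(rec.url).hostname or ""
    text = f"{host} {rec.url.lower()} {rec.title.lower()}"
    return impersonated_university(host) is not None and any(t in text for t in LIBRARY_TOKENS)


def cluster_by_registrant(records: List[PageRecord]) -> Dict[str, List[str]]:
    """Group flagged pages by registrant; a contact behind several lures points to one campaign."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        if is_library_lure(rec):
            clusters[rec.registrant].append(rec.url)
    return {k: v for k, v in clusters.items() if len(v) > 1}


# Constructed sample: one real library page, three lures (two sharing a registrant), one unrelated site.
SAMPLE_RECORDS = [
    PageRecord("https://library.example-univ.edu/login", "Example University Library", "hostmaster@example-univ.edu"),
    PageRecord("https://example-univ.edu.lib-access.com/login", "Example University Library - Sign in", "reg-1@mail.invalid"),
    PageRecord("https://ezproxy.sample-college.ac.uk.lib-access.com/", "Sample College Library", "reg-1@mail.invalid"),
    PageRecord("https://sample-college-portal.net/news", "Campus news", "reg-2@mail.invalid"),
    PageRecord("https://example-univ-login.org/ezproxy", "Off-campus access", "reg-3@mail.invalid"),
]


def find_campaign(records: List[PageRecord] = SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Convenience wrapper: flag and cluster the constructed sample."""
    return cluster_by_registrant(records)


if __name__ == "__main__":
    for registrant, urls in find_campaign().items():
        print(registrant, "->", urls)
```

The two checks are deliberately separate: the hostname test alone would flag any site that mentions a university, while the library wording alone would flag the university's own pages, so only the combination is reported. The registrant grouping is the pivot step; singleton registrants are dropped because a lone lookalike is noise, whereas one contact behind several library-themed lures is the shape of the campaign the article describes.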

Spotting schemes like it is central to PhishLabs' business. The company, which has raised a total of $11 million in investments, defends clients against being spoofed and trains workers how to spot scams.

In the Iranian campaign, the company found an especially sleek — and large-scale — example, Hassold said in a blog post Monday disclosing PhishLabs' role. Hassold says he shared information with the FBI, but he's not sure whether an investigation had already been opened into the campaign, which had been running for nearly five years.

The Department of Justice didn't comment on PhishLabs' role but laid out the Iranian scheme.

The Justice Department says the campaign was conducted by the Mabna Institute, a company founded to carry out the attack. And it says the scheme was run at the behest of Iran's Revolutionary Guard, a paramilitary group that answers to the nation's supreme leader, Ali Khamenei.

Prosecutors indicted nine Iranian citizens, essentially cutting off their ability to leave the country without risking extradition. The Treasury Department, meantime, issued sanctions freezing their assets and blocking them from doing business with Americans.

"We have unmasked criminals who normally hide behind the ones and zeros of computer code," said Geoffrey Berman, U.S. Attorney for the Southern District of New York. "The only way they will see the outside world is through their computer screens, but stripped of their greatest asset — anonymity."

Reach Thad Moore at 843-937-5703. Follow him on Twitter @thadmoore.
