Iranian Hackers Charged with Hacks of 144 U.S. Universities

Published with Permission by:
Lint, James R., “Iranian Hackers Charged with Hacks of 144 US Universities”, In Cyber Defense, 28 March 2018, Web,

By James Lint
Senior Editor for InCyberDefense and Contributor, In Homeland Security

Many cyber defenders watch for Chinese and Russian hackers. However, we must not forget that smaller countries are also in the cyber attack game.

The U.S. Department of Justice and the Department of the Treasury’s Office of Foreign Assets Control determined that nine Iranians hacked the computer systems of 144 American universities, ZDNet reported.

The Iranian hackers worked in cooperation with the Islamic Revolutionary Guard Corps, the Mabna Institute (an Iranian hacker network) and the Iranian government to steal 31.5 terabytes of valuable data.

“In all, 320 universities around the world were attacked along with several U.S. government entities, including the Department of Labor, [the] United Nations, and the Federal Energy Regulatory Commission,” ZDNet added.

Wide-Ranging Impact of Iranian Hackers

The “massive and brazen cyber assault” was “one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice,” U.S. Attorney Geoffrey Berman of the Southern District of New York told a news conference on March 23.

According to the indictment cited by, “3,768 of the hacked professors were at 144 U.S. universities, and the attackers stole data that cost these institutions about $3.4 billion to ‘procure and access.’” Data stolen by the Iranian hackers includes scientific research, dissertations and journals.

The hack was intended to help Iranian universities gain access to foreign scientific resources. The indictment notes that the stolen data will also assist scientific and research organizations in Iran.

The FBI website reported that “the hackers stole more than 30 terabytes of academic data and intellectual property—roughly three times the amount of data in the print collection of the Library of Congress.”

Iranian Hackers Used Password Spray Attacks to Penetrate Other Computer Systems

According to the FBI investigation, a group of malicious cyber actors working for the Iran-based Mabna Institute conducted coordinated and broadly targeted password spray attacks against organizations in the United States and abroad. Victims of Mabna attacks often lack multi-factor authentication (MFA) and preventative network activity alerts. The lack of security measures allowed the Iranian hackers to easily guess passwords such as “Winter2018” and “Password123!”

Unlike a brute force attack, in which a would-be penetrator will obtain a single email account’s password by trying all possible combinations in sequence, spray attacks search for accounts with the easiest passwords. This attack method does not trip safety lockouts because the hacker tries only a few simple passwords before moving on to someone else’s account.

An FBI alert offers a good description of spray attacks: “During a password spray attack, a malicious actor attempts a single password against a population of accounts before moving on to attempt a second password against the accounts, and so on.” In other words, a spray attack searches multiple accounts for simple passwords.

Defendants Cannot Leave Iran without Fear of Capture and Extradition to US

The nine defendants in the U.S. university hack scheme are believed to be in Iran. “These defendants are no longer free to travel outside of Iran without the fear of being arrested and extradited to the United States. The only way they can see the rest of the world is through their computer screen, but not stripped of their greatest asset, anonymity,” Berman said.

Tips on Improving Your Cyber Defense

  • Review password policies to ensure they align with the latest NIST guidelines. Never use easy-to-guess passwords, which is the key to defense against this type of cyber attack.
  • Review IT Helpdesk password management of initial passwords, password resets for user lockouts and shared accounts. IT Helpdesk password procedures may not align with company policy, creating a security gap that hackers can exploit.

Cyber Defenders Need to Constantly Learn about New Cyber Attack Methods

Cyber defenders should stay current about new attack methods and older techniques. By keeping your end users informed, you can prevent simple cyber attacks from happening.

In addition, cyber defenders should use government resources to keep their knowledge up to date. One key tool could be Infragard, which is run by the FBI and has chapters in all 50 states. Your local FBI Liaison can help you access the Infragard portal.

Another good resource is This site does not require a signup, but it does hold various events for cyber defenders. Its current activities and announcements show both system vulnerabilities and announcements on system threats.

Cyber defenders who stay current on various cyber threats are force multipliers for their organizations. They are much less likely to be surprised by people targeting their computer systems.

About the Author

James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. James has been involved in cyberespionage events from just after the turn of the century in Korea supporting 1st Signal Brigade to the DHS Office of Intelligence and Analysis as the first government cyber intelligence analyst. He has 38 years of experience in military intelligence with the U.S. Marine Corps, U.S. Army, government contracting and civil service.

Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded its 49th scholarship for national security students and professionals. James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has also served in the Department of Energy’s S&S Security Office after his active military career in the Marine Corps for seven years and 14 years in the Army. His military assignments include South Korea, Germany and Cuba, in addition to numerous CONUS locations. In 2017, he was appointed to the position of Adjutant for The American Legion, China Post 1. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” a book published in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea,” and a new book in 2017 Secrets to Getting a Federal Government Job.”