52 staff accounts at four Singapore universities breached by Iranian hackers

There was a breach of 52 staff accounts across (clockwise from top left) Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University (SMU) and Singapore University of Technology and Design (SUTD).
There was a breach of 52 staff accounts across (clockwise from top left) Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University (SMU) and Singapore University of Technology and Design (SUTD).PHOTOS: ST FILE

SINGAPORE - Four Singapore universities have come under attack from an Iranian hacking syndicate which is believed to have pilfered more than 31 terabytes of academic data and intellectual property from varsities all over the world.

There was a breach of 52 staff accounts across Nanyang Technological University (NTU), National University of Singapore (NUS), Singapore Management University (SMU) and Singapore University of Technology and Design (SUTD), said the Cyber Security Agency (CSA) of Singapore and Ministry of Education (MOE) in a joint statement on Tuesday (April 3).

The nine Iranians allegedly responsible for the attacks have been charged in the United States for attempting to hack into 144 US and 176 foreign universities across 21 countries- including those in Singapore - on behest of the Iranian government, the US Department of Justice said in a statement on March 23.

The CSA said it received information about the breach in the user accounts of the Singapore universities last week, and alerted the MOE and the affected institutions to run checks on their networks.

"The universities have stepped up their vigilance and users have been advised to change their passwords immediately," said the agencies in response to queries from The Straits Times.

The CSA statement also said that the incident did not appear linked to the 2017 cyber attack on NUS and NTU networks and "at this time" there was no evidence that sensitive information had been breached.

Based on investigations, the incident was a phishing attack where staff members were directed to a credential harvesting website to key in their login details. The credentials were then used to gain unauthorised access to the institutes' library websites to obtain research articles published by staff members, said the agencies.

Among the user accounts affected were those of faculty members. The four universities said that measures such as resetting of passwords and scanning of affected users' computers were carried out following the alert from CSA and MOE.

Internal investigations are also ongoing as the institutes continue to work with authorities on the matter.

According to US court documents, the nine Iranians believed to be responsible for the hacking are Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, also known as Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30.

Charges against the group, which were made public on March 23, include several counts of identity theft, fraud and conspiracy to commit computer intrusions.

 
 

The group is also accused of being linked to the Mabna Institute, an Iran-based company, which has conducted a coordinated campaign of cyber intrusions into computer systems since 2013, the US Department of Justice said in a statement.

Research and data across all fields of research and academic disciplines, like science and technology, engineering, medical and social sciences were targeted in what US court papers termed the "University Hacking Campaign".

The campaign, which took place from 2013 to 2017, targeted over 100,000 accounts of professors worldwide and approximately half of those targetted were at United States-based universities.

About 8,000 professor accounts worldwide were compromised, of which about 3,768 belonged to academics from US-based universities, said the court papers.

The data and compromised account details were allegedly used to benefit the Iranian government, specifically the Islamic Revolutionary Guard Corps (IRGC), and other Iranian customers, including Iran-based universities, the US Justice Department said.

The identities of the hackers involved in the previous attacks on NUS and NTU in April 2017 have not been revealed but they were believed to have infiltrated the networks of the two institutions to steal government-related information. The universities are involved in government-linked projects for the defence, foreign affairs and transport sectors.

Earlier in 2017, in another cyber attack, the personal data of 850 national servicemen and Ministry of Defence staff were stolen.