Iranian Targeting Hacking of U.S. Professors – 144 U.S. Universities, 3,768 Professors and Estimated Worldwide Theft of 31.5 Terabytes of Data, IP Valued at Over $3 Billion – New Government Regulations Around Confidential Unclassified Information (CUI)
The DoJ charged nine Iranians on Friday, March 23rd with conducing massive cyber theft into computer systems belonging to 144 US universities, 176 university’s across 21 foreign countries, 47 domestic and foreign private sector companies, HI and IN state governments, U.S. Federal Energy Regulatory Commission, U.S. Department of Labor and the United Nations and others. For the DoJ press release: https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary.
The indicted Iranians ran the “University Hacking” part of the conspiracy and scheme as follows (from the DoJ indictment):
- Conducting online reconnaissance of university professors
- Sending targeted emails to individual professors that appeared to be sent by a professor from another university. The emails said that “sending professor” had just read a paper or article by the targeted professor and included links to related articles.
- If the targeted professor clicked on a link they were redirected to a fraudulent webpage that looked like the sign-in page of the targeted professor’s university
- Recording the targeted professor’s userid and password if they thought they had been logged out from their university and then relogged in on the fraudulent website
- Using the targeted professors credentials to exfiltrate academic research and other academic documents
- Transferring the research and documents to the Islamic Revolution Guard Corps (IRGC) and selling on two Iranian websites, Megapaper.ir and Gigapaper.ir.
The nine Iranians were charged with conspiracy to commit computer intrusion, conspiracy to commit wire fraud, wire fraud, computer fraud and identity theft. In advance of these indictments and because of risk of cyber theft, the US government has developed and implemented regulations around the safeguarding of controlled unclassified information (CUI). Initially defined in Executive Order 13556 in November 2010, the DoD on January 1st, 2018 adopted their final CUI regulation. This regulation applies to Mason and universities as they are conducting research on behalf of the U.S. government on government grants.
Complying with CUI regulations requires close collaboration and coordination amongst various Mason administration offices, academic units and faculty. The Office of Sponsored Programs will review grants, contracts, and data use agreements to determine the need for CUI requirements and will inform the PI, the ITS security office, and Office of Research Development, Integrity and Assurance office.
General information about the federal program is here: https://www.archives.gov/cui/about. Please review with CUI registry with your research interests in mind at: https://www.archives.gov/cui/registry/category-list.
For more information, please review the Dear Colleague letter from Deborah Crawford about what Mason’s new rules and regulations are for increased precautions and the Researcher Responsibilities at: http://oria.gmu.edu/controlled-unclassified-information.
Trackback from your site.