NOTICE: Threat Actors Targeting Researchers and Academics

There has been an increase in activity from threat actors targeting academics and researchers at universities and research organizations in Europe, the Middle East, and the United States. These threat actors are adept at social engineering tactics that lure targets into downloading malicious files or providing their credentials via a fake login screen, which allows them to gain and maintain access to the target’s device or accounts.

Academics and researchers at universities and research organizations across the globe may be targeted by highly-skilled, manipulative threat actors with evolved technical capabilities who lure them by using sophisticated phishing tactics, such as impersonating colleagues or journalists in email. They use these tactics to trick the targets into downloading malicious files, or entering credentials into fake login screens. This allows the threat actors to gain access to sensitive information stored in devices or accounts.

Recent reports from Microsoft have identified threats originating from a subset of “Mint Sandstorm,” an Iranian nation-state actor, that target researchers and academics working on Middle Eastern studies. They employ sophisticated social engineering and technical tactics to gain access to and steal sensitive information from high-profile targets by obtaining and maintaining remote access to an individual’s device/system. In other reported attacks, state-sponsored threat groups working for Russia’s intelligence services impersonate colleagues of researchers and academics, pretending to solicit feedback regarding articles as a ruse for stealing credentials and appropriating correspondence to carry out disinformation campaigns. 

There have been similar social engineering phishing attempts that target U-M researchers to try to obtain access to sensitive software.

Threat actors have utilized sophisticated social engineering strategies that make their intent difficult for targets to detect. They have:

• Impersonated high-profile individuals, such as journalists from a trusted news outlet, or fellow academics or researchers.
• Spoofed personal email accounts or utilized legitimate but compromised accounts to send emails.
• Utilized fake login screens to steal credentials.
• Built initial rapport with targets by sending emails with no malicious content to establish trust before delivering malicious files in a subsequent email.

In some cases reported by Microsoft, after making contact and getting the target to agree to review an article or document mentioned in a previous email, threat actors follow up with an email that includes a link that initiates download of malicious files allowing threat actors to take actions on a device (without being visible on the device). In some cases, the malicious file is designed to look like Windows Media Player.

• U-M Windows Administrators should review the reports and recommendations detailed in the Microsoft Threat Intelligence article from January 17, 2024, regarding threats and possible mitigations.
• U-M IT staff should share information about these threats with faculty and staff in their unit.
• U-M IT staff should share the tips in the Information for Users section below with faculty and staff in their unit, particularly information about Phishing & Scams.

For more technical information about the attacks reported by Microsoft, including file types, custom backdoors and domains utilized by threat actors, see the Microsoft Threat Intelligence article from January 17, 2024. This diagram, excerpted from the article, provides a visual description of the intrusion chain observed in these campaigns.

Threat groups working for Russian intelligence have been known to send emails impersonating colleagues of academics or researchers and they have employed a common tactic of prominently placing a blurred, attached pdf in the email which, when clicked, takes the target to a fake login screen that captures the person’s credentials.

(Image courtesy of Recorded Future News.)

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Learn how to spot spoofed email addresses, suspicious content and other red flags:

• Watch for spoofed email addresses. Criminals can forge the "From" address.
  • Be suspicious if the “From” address looks like a U-M address, but the “Reply-To” address does not.
  • See How to Spot a Spoof for more information about detecting spoofed email addresses.
  • Look for possible red flags, such as misspelled words, bad grammar, and other clues.
• Beware of documents sent to you in email that you do not expect and/or that may be sent from an unverified source. 
• Look before you log in.
• Shared document emails can be traps. Malicious documents are often shared by threat actors using reputable, well-known cloud storage systems such as Google Drive, Dropbox, or Microsoft OneDrive.

Report Phishing and Suspicious Email to U-M.  Send the entire message to [email protected]. Provide full information by sending what Google calls the email original by clicking the down arrow next to the Reply arrow and select Show original.

It is best practice to keep your software and apps up-to-date and only use secure, trusted networks. For more information, see Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Please contact ITS Information Assurance through the ITS Service Center.

• Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft)
• New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs (Microsoft)
• Russian Spies Impersonating Western Researchers in Ongoing Hacking Campaign (Recorded Future News)
• Iranian Threat Group Mint Sandstorm Targets High-Profile Middle East Researchers (SC Media)