As a cybersecurity professor, I follow a lot of breach stories, but few hit quite as close to home for me as the indictment that the Department of Justice announced Friday charging nine Iranians with compromising thousands of computer accounts belonging to university professors. According to the indictment, the nine people charged—with conspiracy to commit computer intrusions, wire fraud, unauthorized access of computers, and other crimes—are affiliated with a company called the Mabna Institute, which “conducted massive, coordinated cyber intrusions” into the computer systems of 144 U.S. universities and another 176 foreign universities. Though the Mabna Institute is, ostensibly, a private company, the indictment alleges that it was directed to conduct these espionage efforts by the Iranian government, specifically the intelligence-gathering Islamic Revolutionary Guard Corps.
Filing indictments against overseas hackers who work for foreign governments is nothing new for the U.S. government. In 2014, the DOJ brought charges against Chinese government employees for conducting cyberespionage, and just last month charges were announced against 13 Russians who allegedly helped interfere in the 2016 U.S. elections. What makes the Iranian indictment different is that the hacking being alleged centers almost entirely on university targets. (The Iranian indictment also says five U.S. government agencies and 36 private sector companies were compromised by the Mabna cohort, but the main focus seems to be on the much larger number of academic institutions targeted.)
Foreign governments’ interest in university networks is a little surprising to those of us who work in academia. But the ease with which they access that information is all too expected. Unlike most private companies and some government agencies, universities do not typically design their computer systems to prioritize secrecy or security from the outside world. On the contrary, universities are intended to welcome and enable frequent collaboration, regular visitors, and informal international partnerships and communication. The idea that you would want to lock down a university network—much less the research being done on a university campus—so that it would be inaccessible to anyone who doesn’t work there is, in some sense, very much at odds with the entire ethos of higher education and academic research.
But reading through the charges laid out in the indictment, it’s clear that universities still have a ways to go in striking the right balance between being places of open collaboration and also maintaining a reasonably competent security posture. The nine Iranians charged by the DOJ allegedly sent targeted spear-phishing emails to some 100,000 university professors worldwide and succeeded in compromising the accounts of at least 7,998 of them. Of those, 3,768 were based in the U.S.
My parents—both academics themselves—would be quick to point out that there is nothing of any conceivable interest or value to anyone in their email inboxes, so it’s worth considering what the hackers actually did with the thousands of login credentials they stole. According to the indictment, they aggressively searched for and exfiltrated “academic data and intellectual property” totaling some 31.5 terabytes. This data included, among other things, “academic journals, theses, dissertations and electronic books.” And according to the DOJ estimate, that stolen data “cost the affected United States-based universities at least approximately $3.4 billion dollars to procure and access.” Without wanting to downplay the intrusions, I would strongly urge you to disregard that number as entirely meaningless. I can only guess it’s a rough summation of every database subscription fee, research grant, graduate student scholarship, and salary payment that went into each stolen paper or project. To treat it as a meaningful estimate of the economic harm or losses imposed by these incidents would be absurd.
How exactly all of this illicit access to academic journals and theses ties back to the Iranian government is a little hazy. The indictment alleges that “the stolen data, as well as access to compromised university accounts, was used to benefit the IRGC and other Iranian customers, including Iran-based universities.” But the only concrete examples the DOJ offers of what was done with the stolen data are its resale through two websites, Megapaper.ir and Gigapaper.ir. The former site “sold stolen academic resources to customers within Iran” while the latter “sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library systems of particular United States-based and foreign universities.” Of course, it’s entirely possible there were also more serious consequences of this stolen research related to information about national security, say, or design of new weapons—but that’s purely speculation at this point. The only clue the indictment offers about the content of the stolen data is that it spanned “all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical and other professional fields.”
Undoubtedly, when thousands of university professors are falling for spear-phishing emails and entering their credentials to fake login websites, we need to do a better job at thinking through the appropriate types of computer security for academic campuses. But some small part of me is a little bit touched by the idea that at the center of these “massive, coordinated cyber intrusions” were a lot of Iranian academics who wanted to be able to access online library databases. Sure, we need to do a better job defending university computer systems—but we also, perhaps, need to do a better job of making finished research more widely and affordably available abroad so that people outside our universities don’t feel the need to resort to such extreme and reprehensible tactics in order to access it.