
Hazy Hawk Campaign Hijacks Subdomains at 34 US Universities

Severity: High (Score: 66.0)

Sources: www.sh.consulting, Edscoop

Summary

In early April 2026, a coordinated subdomain takeover campaign was discovered affecting 34 major US universities, including MIT, Harvard, and Stanford. The attackers, tracked as Hazy Hawk, exploited abandoned CNAME records: a university subdomain still pointed, via CNAME, at a resource on a third-party hosting platform that the institution had since deprovisioned. By registering an account or site on that platform under the name the orphaned CNAME still references, the attacker gains full control over the content served at the university subdomain. Hazy Hawk used that control to serve explicit pornographic spam, which Google indexed under the universities' hostnames.

The incident highlights a significant security gap in university IT practices: many institutions do not maintain a comprehensive inventory of their DNS records, so CNAMEs outlive the resources they point to. The campaign's impact is potentially far wider, given the number of abandoned subdomains across the .edu domain space. The Department of Defense Education Activity was also flagged as having a vulnerable domain. The situation remains critical as affected institutions work to regain control of their subdomains.

Key Points:
  • 34 major US universities had subdomains hijacked by the Hazy Hawk threat actor.
  • Attackers served explicit content through abandoned CNAME records, and Google indexed it.
  • The incident reveals significant gaps in university DNS record and asset inventory practices.
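The check a DNS owner would want after reading this is an audit of every CNAME in a zone: follow the chain and flag any that end at a name nobody answers for, or that terminate on a hosting platform where the institution should confirm it still owns the resource. The script below is an added example, not code from the article or either source. The zone records and the DNS answers are constructed and embedded inline so it runs offline; the resolver is injected so a real lookup can replace it. The platform suffixes it tracks are an assumption for the example, since which resource names are actually claimable is provider-specific.

```python
"""Dangling-CNAME audit over a DNS zone export.

Added example, not code from the article or its sources. Follows each CNAME
chain in a zone and flags chains that end at a name that no longer resolves
(a takeover candidate) or that terminate on a hosting platform where the
institution should confirm it still owns the resource. The resolver is
injected so the example runs offline against a constructed zone; for real use
replace mock_resolve with a live lookup (e.g. dnspython) and a zone export.
"""
from typing import Callable, Dict, List, Optional, Tuple

Answer = Optional[List[Tuple[str, str]]]  # None models NXDOMAIN
Resolver = Callable[[str], Answer]

# Platforms named on the page. The suffixes are an assumption for this example;
# which resource names are actually claimable is provider-specific, so verify.
PLATFORM_SUFFIXES = {
    "github.io": "GitHub Pages",
    "wpenginepowered.com": "WP Engine",
}

# Constructed zone export for a hypothetical institution (not real data).
ZONE = [
    ("www.example.edu.", "A", "192.0.2.10"),
    ("alumni.example.edu.", "CNAME", "alumni-site.example-cdn.net."),
    ("oldlab.example.edu.", "CNAME", "oldlab-pages.github.io."),
    ("news.example.edu.", "CNAME", "oldsite.wpenginepowered.com."),
    ("events.example.edu.", "CNAME", "retired.example.edu."),
    ("retired.example.edu.", "CNAME", "gone.example-host.net."),
]

# Constructed answers; any name absent from this table answers NXDOMAIN.
MOCK_DNS: Dict[str, List[Tuple[str, str]]] = {
    "alumni-site.example-cdn.net.": [("A", "203.0.113.5")],
    "oldsite.wpenginepowered.com.": [("A", "203.0.113.9")],
    "retired.example.edu.": [("CNAME", "gone.example-host.net.")],
}


def mock_resolve(name: str) -> Answer:
    """Stand-in for a live resolver: returns the record set or None for NXDOMAIN."""
    return MOCK_DNS.get(name)


def platform_for(name: str) -> Optional[str]:
    """Return the tracked hosting platform a hostname belongs to, if any."""
    host = name.rstrip(".").lower()
    for suffix, platform in PLATFORM_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return platform
    return None


def audit_record(name: str, rtype: str, target: str, resolve: Resolver,
                 max_hops: int = 8) -> Optional[dict]:
    """Classify one record; returns None for anything that is not a CNAME."""
    if rtype != "CNAME":
        return None
    chain, cur = [name], target
    for _ in range(max_hops):
        chain.append(cur)
        answer = resolve(cur)
        if answer is None:
            # The chain ends at a name nobody answers for: whoever can register
            # that name on its provider now controls the university subdomain.
            return {"name": name, "chain": chain, "status": "dangling",
                    "platform": platform_for(cur),
                    "note": "target does not resolve (NXDOMAIN); takeover candidate"}
        cname = next((v for t, v in answer if t == "CNAME"), None)
        if cname is None:
            break
        cur = cname
    else:
        return {"name": name, "chain": chain, "status": "loop", "platform": None,
                "note": f"no terminal record within {max_hops} hops"}
    platform = platform_for(cur)
    if platform:
        return {"name": name, "chain": chain, "status": "review", "platform": platform,
                "note": f"resolves, but terminates on {platform}; confirm the resource is still owned"}
    return {"name": name, "chain": chain, "status": "ok", "platform": None, "note": ""}


def audit_zone(zone, resolve: Resolver) -> List[dict]:
    """Audit every CNAME in a zone export given as (name, type, target) tuples."""
    findings = []
    for name, rtype, target in zone:
        finding = audit_record(name, rtype, target, resolve)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_zone(ZONE, mock_resolve):
        print(f"{f['status']:8} {f['name']:24} -> {' -> '.join(f['chain'][1:])}  {f['note']}")
```

A "dangling" finding on a tracked platform is the case the article describes; a "review" finding means the target still resolves, which covers both a legitimately owned resource and one an attacker has already claimed, so it needs a human to confirm ownership rather than an automated verdict.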

Key Entities

  • Hazy Hawk (apt_group)
  • Subdomain Takeover (attack_type)
  • Antioch University (company)
  • Atlantis University (company)
  • Auburn University (company)
  • Ball State University (company)
  • Cal Poly (company)
  • wp.wpenginepowered.com (domain)
  • Government (industry)
  • T1136 - Create Account (mitre_attack)
  • GitHub Pages (tool)
  • WordPress (platform)
  • WP Engine (platform)