Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Iran-Linked ‘Silent Librarian’ Back at Phishing Universities

Iran-linked state-sponsored threat actor ‘Silent Librarian’ has launched another phishing campaign targeting universities around the world.

Also tracked as TA407 and COBALT DICKENS, the adversary was previously observed launching similar attacks for two years in a row.

Iran-linked state-sponsored threat actor ‘Silent Librarian’ has launched another phishing campaign targeting universities around the world.

Also tracked as TA407 and COBALT DICKENS, the adversary was previously observed launching similar attacks for two years in a row.

In 2018, the group set up fake login pages for 76 universities. In 2019, Silent Librarian targeted more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United States, and the United Kingdom.

Observed in mid-September, the new round of attacks revealed that the threat actor is expanding its target list to include more countries. One of the victims is the Nanyang Technological University in Singapore, cybersecurity researcher Peter Kruse says.

Silent Librarian, Malwarebytes’ security researchers reveal, has sent spear-phishing emails to both staff and students at the targeted universities, and the threat actor was observed setting up new infrastructure to counter efforts to take down its domains.

“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded,” Malwarebytes says.

Domain names used in the new attacks follow the pattern observed before, although they use a different top level domain name: the adversary switched from the “.me” TLD that was previously employed to “.tk” and “.cf” in recent attacks.

Considering Silent Librarian’s use of similar domains to target universities in the past, Malwarebytes researchers are confident the new domains were registered by the same group.

Advertisement. Scroll to continue reading.

The threat actor uses Cloudflare for hostnames, which helps them hide the real hosting origin. Despite that, however, the researchers were able to identify some of the infrastructure, which was hosted in Iran.

While the use of infrastructure located in the attacker’s own country might seem surprising, the researchers explain that it only shows that the adversary can leverage yet another bulletproof hosting option, the result of a lack of cooperation between US and European law enforcement and local police in Iran.

“Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” Malwarebytes concludes.

Related: Iran Acknowledges Cyberattacks on Government Departments

Related: Hackers Steal Swiss University Salaries

Related: U.S. Seizes Domain Names Used by Iran for Disinformation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Checkmarx has appointed Scott Gainey as Chief Marketing Officer.

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.