Who is Silent Librarian?
Silent Librarian, also known as TA407, Cobalt Dickens and Mabna Institute, is a prolific Iranian state sponsored APT group. The group has been active since 2013 and is infamous for targeting universities via spear-phishing campaigns. This APT group is a financially motivated actor who has registered phishing sites for universities throughout the world. This includes universities in the UK, US, Canada, Germany, Sweden, the Netherlands, Australia and Singapore. Over the years, Silent Librarian has stolen universities’ research and data worth millions. In 2018, the US Department of Justice indicted nine Silent Librarian members for conducting attacks to steal universtiy research material and proprietary data. The indictment stated that between 2013 and 2017, Silent Librarian’s activities resulted in approximately $3.4 billion of intellectual property loss. Furthermore, the group stole 31 terabytes of data from compromised universities, companies and government agencies from around the world. Despite these charges, Silent Librarian has continued attacking universities around the world, mainly during the first few months of the start of the Northern hemisphere’s academic year.
Silent Librarian’s Tactics
Over the years, many Silent Librarian phishing sites have been identified and taken down. However, this has had no appreciable effect on the group’s activities. Each year there has been a seasonal increase in phishing campaigns from this group. This increase usually occurs between June and October each year. Each subsequent year’s phishing campaign has built on the success of previous years’ campaigns. Although the group may make minor changes, their overall strategy remains much the same year on year. Silent Librarian uses low volume targeted phishing campaigns, to trick victims into handing over their login credentials. The group then uses compromised accounts at one university to phish users at other universities. The campaigns use well-crafted social engineering mechanisms such as stolen university branding, and fake email signatures and addresses. They also often have library themed subject lines such as “Renew your loaned items” or “Overdue notice on loaned items.” The APT group’s aim is not only to harvest logins to sell online. It also steals proprietary university research material and data to sell on the dark web and to Iranian customers. According to the 2018 indictment, these customers include the Iranian government and universities.
Their Latest Tricks
In the past Silent Librarian’s campaigns have used distributed phishing URLs that lead to clones of university library login pages. Historically, the group used URL shorteners to hide the real hosting origin of URLs in the links contained within the phishing emails. URL shorteners help make fraudulent links appear legitimate and mask their true destination. As before, in this latest campaign, the group is hosting a series of phishing sites that impersonate legitimate university website pages. However, this year the APT group has updated how they use URLs in their spear-phishing emails. Silent Librarian is now leveraging Cloudfare’s Content Delivery Network services. The group uses these services to hide the real hosting origin of their sites and thus the links’ true destination. This tricks the victim into clicking the malicious link contained in the phishing email. According to Malwarebytes, who uncovered Silent Librarian’s latest spear-phishing campaign, at least some of the group’s hosting infrastructure is located in their home country of Iran. Malwarebytes researchers state in their report, “It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran.” It’s the group’s adaptability that has allowed Silent Librarian to remain active, despite their hosting sites being constantly taken down. “Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” says the Malwarebytes report.