Silent Librarian Resumes Spearphishing Attacks Against Global Universities
- Actor Motivations: Exfiltration, Financial Gain
- Attack Vectors: Brute-force, Compromised Credentials, Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Silent Librarian (aka TA407/COBALT DICKENS) has resumed its annual spearphishing campaign against universities worldwide for the 2020-2021 academic year. The group steals research and intellectual property by luring staff and students to phishing sites that mimic university login portals: library proxies, Blackboard and other LMS instances, and Shibboleth, CAS and ADFS single sign-on pages. In the current campaign the lookalike hosts carry the legitimate hostname as a subdomain prefix under a freshly registered domain in a top-level domain such as .me, .tk or .cf (for example raven.cam.ac.uk.iftl[.]tk impersonating raven.cam.ac.uk), so the page looks correct to a user who reads only the left-hand part of the address bar. The sites are typically fronted by Cloudflare, which hides the origin servers, some of which are located in Iran. This follows the US Department of Justice's 2018 indictment of the group for cyber attacks on academic institutions worldwide.
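The defensive check a university SOC wants here is not just a blocklist of the IOCs below but a pattern match for the technique itself: a query name that embeds one of the institution's own domains, or its organisation label next to a portal word such as blackboard or libproxy, while its registrable domain is something the institution never registered. The following is an added example written for this page, not code from the report or from any vendor. The protected domains, the three-entry public-suffix table, the portal-label list, the DNS log lines and the subset of IOCs it carries are all constructed for illustration; a real deployment would load the full Public Suffix List and the complete IOC feed.

```python
"""Flag lookalike login hosts of the kind listed in the IOCs on this page.

Added example. PROTECTED_DOMAINS, MULTI_LABEL_SUFFIXES, PORTAL_LABELS and
SAMPLE_LOG are constructed for illustration, not taken from the report.
"""
import ipaddress

# Constructed: domains the defending university owns.
PROTECTED_DOMAINS = {"cam.ac.uk", "stonybrook.edu", "adelaide.edu.au", "utoronto.ca"}

# Constructed: a few multi-label public suffixes so that "cam.ac.uk" is treated
# as a registrable domain rather than "ac.uk". Use the Public Suffix List in
# production (e.g. the `publicsuffix2` package).
MULTI_LABEL_SUFFIXES = ("ac.uk", "edu.au", "co.uk")

# Labels that name login or library portals on the hosts in the IOC list.
PORTAL_LABELS = {"blackboard", "library", "libproxy", "login", "sso", "shibboleth",
                 "shib", "idp", "adfs", "cas", "raven", "lms", "vle", "signon"}

# A subset of the page's IOCs, kept in their defanged form.
IOC_HOSTS = {"raven.cam.ac.uk.iftl[.]tk", "blackboard.stonybrook.ernn[.]me",
             "signon.adelaide.edu.au.itlib[.]me"}
IOC_IPS = {"103[.]127.31.155", "158[.]58.184.213", "46[.]209.20.154"}


def refang(ioc: str) -> str:
    """Turn 'a.b[.]c' back into 'a.b.c' so it can be compared with log data."""
    return ioc.replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Return the domain someone had to register in order to serve `host`."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts and len(labels) > len(parts):
            return ".".join(labels[-(len(parts) + 1):])
    return ".".join(labels[-2:])


def org_label(domain: str) -> str:
    """'stonybrook.edu' -> 'stonybrook', 'cam.ac.uk' -> 'cam'."""
    return registrable_domain(domain).split(".")[0]


def lookalike_reason(host: str, protected=PROTECTED_DOMAINS):
    """Explain why `host` impersonates a protected domain, or return None."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in protected:
        return None  # genuinely ours, whatever the prefix
    labels = host.split(".")
    for domain in sorted(protected):
        # Rule 1: the whole legitimate domain is carried as a subdomain prefix,
        # e.g. raven.cam.ac.uk.iftl.tk
        if ("." + domain + ".") in ("." + host + "."):
            return f"embeds {domain}"
        # Rule 2: only the organisation label is reused, but it sits beside a
        # portal word, e.g. blackboard.stonybrook.ernn.me
        if org_label(domain) in labels:
            for label in labels:
                if label in PORTAL_LABELS:
                    return f"org label {org_label(domain)} beside portal label {label}"
    return None


def is_ioc_ip(addr: str) -> bool:
    """True if `addr` is one of the listed IP IOCs (normalised via ipaddress)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip in {ipaddress.ip_address(refang(i)) for i in IOC_IPS}


# Constructed sample DNS query log: "<timestamp> <client> <qname>".
SAMPLE_LOG = """2020-10-14T09:12:03Z 10.20.4.17 raven.cam.ac.uk
2020-10-14T09:12:41Z 10.20.4.17 raven.cam.ac.uk.iftl.tk
2020-10-14T09:13:02Z 10.20.7.9 blackboard.stonybrook.nrnj.me
2020-10-14T09:14:55Z 10.20.7.9 www.bbc.co.uk
2020-10-14T09:15:10Z 10.20.9.3 login.adelaide.edu.au"""


def scan_dns_log(text: str):
    """Return (client, qname, reason) for each query matching an IOC or a lookalike pattern."""
    known_hosts = {refang(h) for h in IOC_HOSTS}
    hits = []
    for line in text.splitlines():
        try:
            _ts, client, qname = line.split()
        except ValueError:
            continue  # malformed line, skip it
        qname = qname.lower().rstrip(".")
        if qname in known_hosts:
            hits.append((client, qname, "known IOC"))
            continue
        reason = lookalike_reason(qname)
        if reason:
            hits.append((client, qname, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

Rule 2 deliberately requires both the organisation label and a portal word, because short labels such as "cam" or "uu" appear in plenty of unrelated hostnames; the third sample line is a constructed variant that is not in the IOC list and is caught by that rule alone, which is the point of pattern matching over a static blocklist.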
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | University | Verified |
Region | Australia | Verified |
Region | United States | Verified |
Extracted IOCs
- adfs.lincoln.ac.uk.itlib[.]me
- blackboard.gcal.crev[.]me
- blackboard.stonybrook.ernn[.]me
- blackboard.stonybrook.nrni[.]me
- cas.thm.de.itlib[.]me
- idcheck2.qmul.ac.uk.sftt[.]cf
- idp3.it.gu.se.itlf[.]cf
- idpz.utorauth.utoronto.ca.itlf[.]cf
- libproxy.library.unt.edu.itlib[.]me
- library.adelaide.crev[.]me
- librarysso.vu.cvrr[.]me
- lms.latrobe.aroe[.]me
- login.ki.se.iftl[.]tk
- login.libproxy.kcl.ac.uk.itlt[.]tk
- login.proxy1.lib.uwo.ca.sftt[.]cf
- namidp.services.uu.nl.itlib[.]me
- ntulearn.ntu.ninu[.]me
- ole.bris.crir[.]me
- raven.cam.ac.uk.iftl[.]tk
- shibboleth.mcgill.ca.iftl[.]tk
- shib.york.ac.uk.iftl[.]tk
- signon.adelaide.edu.au.itlib[.]me
- sso.id.kent.ac.uk.iftl[.]tk
- uu.blackboard.rres[.]me
- vle.cam.ac.uk.canm[.]me
- 103[.]127.31.155
- 158[.]58.184.213
- 46[.]209.20.154
Note: 28 IOCs related to this threat have been extracted (25 domains and 3 IP addresses; no URLs, email addresses or file hashes).