Silent Librarian: Iranian Group Targets Global Universities and Research Institutions
- Actor Motivations: Exfiltration, Financial Gain
- Attack Vectors: Compromised Credentials, Phishing
- Attack Complexity: Low
- Threat Risk: Low Impact/High Probability
Threat Overview
Silent Librarian, an Iranian group tied to the Mabna Institute, has been conducting credential-phishing campaigns targeting over 300 universities and institutions worldwide since 2013. These campaigns focus on prominent research, medical, and technical universities, mainly in the US, UK, Canada, and Australia, as well as non-academic institutions like Los Alamos National Laboratory. Using spoofed emails, Freenom domains, and Let's Encrypt SSL certificates, the group collected credentials to access valuable research data. PhishLabs identified over 750 attacks and 127 phishing domains. The attackers leveraged infrastructure such as temporary email accounts and domain registrations to execute their campaigns.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Electric Power Research Institute (EPRI): EPRI is an American independent, nonprofit organization that conducts research and development related to the generation, delivery, and use of electricity, addressing challenges in the energy industry such as reliability, efficiency, affordability, health, safety, and the environment. EPRI has been targeted by Silent Librarian. | Verified |
| Case | Los Alamos National Laboratory: one of the sixteen research and development laboratories of the United States Department of Energy, located a short distance northwest of Santa Fe, New Mexico, in the American southwest. Los Alamos National Laboratory has been targeted by Silent Librarian. | Verified |
| Case | Memorial Sloan Kettering Cancer Center: a cancer treatment and research institution in Manhattan, New York City. MSKCC is one of 72 National Cancer Institute-designated Comprehensive Cancer Centers; its main campus is at 1275 York Avenue between 67th and 68th Streets in Manhattan. Memorial Sloan Kettering Cancer Center has been targeted by Silent Librarian. | Verified |
| Case | The Ohio State University Wexner Medical Center: a leader in central Ohio for healthcare and medical research. The Ohio State University Wexner Medical Center has been targeted by Silent Librarian. | Verified |
| Case | Thomson Reuters: Thomson Reuters Corporation is a Canadian multinational information conglomerate, founded in Toronto, Ontario, Canada, with its headquarters at 19 Duncan Street there. It was created by the Thomson Corporation's purchase of the British company Reuters Group on 17 April 2008. Thomson Reuters has been targeted by Silent Librarian. | Verified |
Sector | Government Agencies and Services | Verified |
Sector | University | Verified |
Region | Australia | Verified |
Region | Canada | Verified |
Region | France | Verified |
Region | Germany | Verified |
Region | Oman | Verified |
Region | Saudi Arabia | Verified |
Region | South Africa | Verified |
Region | Sweden | Verified |
Region | Turkey | Verified |
Region | United Kingdom | Verified |
Region | United States | Verified |
Extracted IOCs
- cavc[.]tk
- cvre[.]tk
- gigapaper[.]ir
- lib2[.]ml
- libi[.]ga
- libna[.]ml
- libru[.]gq
- libt[.]cf
- megapaper[.]ir
- mncr[.]tk
- nsae[.]ml
- reactivation[.]in
- saea[.]ga
- seae[.]tk
- ulibr[.]cf
- ulibr[.]ga
- alexandria.rice.ulibr[.]ga
- auth.berkeley.edu.libna[.]ml
- bb.uvm.edu.cvre[.]tk
- cas.iu.edu.cavc[.]tk
- cas.usherbrooke.ca.cavc[.]tk
- catalog.lib.ksu.edu.cavc[.]tk
- catalog.lib.usm.edu.seae[.]tk
- catalog.sju.edu.mncr[.]tk
- cline.lib.nau.edu.cvre[.]tk
- cmich.ulibr[.]ga
- columbia.ulibr[.]ga
- edu.edu.libt[.]cf
- edu.libt[.]cf
- edu.login.revproxy.brown.edu.libt[.]cf
- elearning.uky.edu.seae[.]tk
- ezlibproxy1.ntu.edu.sg.reactivation[.]in
- ezpa.library.ualberta.ca.reactivation[.]in
- ezproxy-authcate.lib.monash.ulibr[.]ga
- ezproxy-authcate.monash.lib.ulibr[.]ga
- ezproxy-f.deakin.au.ulibr[.]ga
- ezvpn.mskcc.saea[.]ga
- illiad.lib.binghamton.edu.cvre[.]tk
- isa.epfl.ch.cavc[.]tk
- libcat.library.qut.nsae[.]ml
- libcat.smu.edu.cvre[.]tk
- lib.dundee.ac.uk.ulibr[.]ga
- lib.just.edu.jo.reactivation[.]in
- library.asu.saea[.]ga
- library.cornell.ulibr[.]ga
- library.lehigh.saea[.]ga
- login.brandeis.edu.cvre[.]tk
- login.ezproxy.gsu.ulibr[.]ga
- login.ezproxy.lib.purdue.edu.reactivation[.]in
- login.libproxy.temple.shibboleth2.uchicago.ulibr[.]cf
- login.libproxy.temple.ulibr[.]cf
- login.library.nyu.ulibr[.]ga
- login.revproxy.brown.edu.edu.libt[.]cf
- login.revproxy.brown.edu.libt[.]cf
- login.revproxy.brown.edu.login.revproxy.brown.edu.libt[.]cf
- login.vcu.edu.cavc[.]tk
- ltuvpn.latrobe.edu.au.reactivation[.]in
- mail.ulibr[.]ga
- moodle.ucl.ac.saea[.]ga
- msim.cvre[.]tk
- passport.pitt.edu.reactivation[.]in
- shibboleth2.uchicago.shibboleth2.uchicago.ulibr[.]cf
- shibboleth2.uchicago.ulibr[.]cf
- shibboleth.nyu.edu.reactivation[.]in
- shib.ncsu.shibboleth2.uchicago.ulibr[.]cf
- shib.ncsu.ulibr[.]cf
- singlesignon.gwu.shibboleth2.uchicago.ulibr[.]cf
- singlesignon.gwu.ulibr[.]cf
- sso.lib.uts.edu.au.libna[.]ml
- unex.learn.saea[.]ga
- unomaha.on.saea[.]ga
- webauth.ox.ac.uk.shibboleth2.uchicago.ulibr[.]cf
- webauth.ox.ac.uk.ulibr[.]cf
- webcat.lib.unc.ulibr[.]ga
- weblogin.pennkey.upenn.edu.reactivation[.]in
- weblogin.umich.edu.lib2[.]ml
- webmail.reactivation[.]in
- www.aladin.wrlc.org.seae[.]tk
- www.alexandria.rice.ulibr[.]ga
- www.cmich.ulibr[.]ga
- www.columbia.ulibr[.]ga
- www.ezlibproxy1.ntu.edu.sg.reactivation[.]in
- www.ezpa.library.ualberta.ca.reactivation[.]in
- www.ezproxy-authcate.lib.monash.ulibr[.]ga
- www.ezproxy-authcate.monash.lib.ulibr[.]ga
- www.ezproxy-f.deakin.au.ulibr[.]ga
- www.lib.dundee.ac.uk.ulibr[.]ga
- www.lib.just.edu.jo.reactivation[.]in
- www.library.cornell.ulibr[.]ga
- www.login.ezproxy.gsu.ulibr[.]ga
- www.login.library.nyu.ulibr[.]ga
- www.med.unc.edu.cavc[.]tk
- www.passport.pitt.edu.reactivation[.]in
- www.shibboleth.nyu.edu.reactivation[.]in
- www.ulibr[.]ga
- www.uvic.saea[.]ga
- www.webcat.lib.unc.ulibr[.]ga
- www.weblogin.pennkey.upenn.edu.reactivation[.]in
- userservices.supervisor@gmail[.]com
- hxxp://shib.ncsu.ulibr[.]cf/idp/profile/saml2/post/sso
Tip: 100 related IOCs (0 IP, 98 domain, 1 URL, 1 email, 0 file hash) have been found for this threat.
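The indicators above are defanged ("[.]", "hxxp://"), and most of the phishing hostnames are a legitimate university login hostname prepended to an attacker-controlled apex domain (for example login.brandeis.edu.cvre[.]tk on cvre[.]tk). The following is an added example, not code from this page or from any of the vendors it cites: it refangs a subset of the listed IOCs, reduces each hostname to its apex, and matches constructed proxy log lines against that apex set so that previously unseen subdomains on a known apex are still caught. It also applies a heuristic drawn from the pattern of the listed hostnames, flagging hosts where "edu" or "ac" appears as an interior label. The log format, the sample log lines and the two-label apex rule (sufficient for the apexes on this page; a production version would use the Public Suffix List) are assumptions of the example.

```python
"""Match Silent Librarian IOC domains against constructed proxy log lines.

Added example: refangs the defanged indicators from this page, reduces each
hostname to its registrable (apex) domain, and checks log hostnames against
that apex set. A second heuristic flags hostnames that embed an institutional
suffix (edu, ac) as an interior label, the pattern seen across the IOC list.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Subset of the defanged indicators listed on this page.
IOCS = [
    "cavc[.]tk",
    "cvre[.]tk",
    "ulibr[.]ga",
    "reactivation[.]in",
    "login.brandeis.edu.cvre[.]tk",
    "hxxp://shib.ncsu.ulibr[.]cf/idp/profile/saml2/post/sso",
    "userservices.supervisor@gmail[.]com",
]


def refang(ioc: str) -> str:
    """Reverse common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> : (lowercased)."""
    return (ioc.strip().lower()
            .replace("hxxp", "http")
            .replace("[.]", ".")
            .replace("[:]", ":"))


def hostname_of(ioc: str) -> Optional[str]:
    """Hostname carried by an indicator, or None for non-host IOCs such as e-mail addresses."""
    ioc = refang(ioc)
    if "@" in ioc:
        return None  # e-mail address, not a host indicator
    if "://" in ioc:
        return urlparse(ioc).hostname
    return ioc.split("/")[0]


def apex(host: str) -> str:
    """Registrable domain. Assumption: the last two labels suffice for the apexes on this page
    (cvre.tk, reactivation.in, ...); real deployments should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_apex_set(iocs) -> set:
    """Apex domains of every host-bearing indicator."""
    return {apex(h) for h in (hostname_of(i) for i in iocs) if h}


def matches(host: str, apexes: set) -> bool:
    """True when the host sits on an attacker-controlled apex, whatever the subdomain."""
    return apex(host) in apexes


def embeds_institution_domain(host: str) -> bool:
    """Heuristic from the IOC pattern: 'edu' or 'ac' appears as an interior label,
    e.g. login.brandeis.edu.cvre.tk or webauth.ox.ac.uk.ulibr.cf. Legitimate hosts
    such as login.brandeis.edu or webauth.ox.ac.uk keep those labels at the end."""
    labels = host.lower().rstrip(".").split(".")
    return any(label in ("edu", "ac") for label in labels[:-2])


# Constructed proxy log lines (not from the page): "timestamp client_ip method url status".
SAMPLE_LOG = """\
2019-09-10T08:01:12Z 10.0.4.21 GET https://login.brandeis.edu/ 200
2019-09-10T08:02:45Z 10.0.4.21 GET https://login.brandeis.edu.cvre.tk/login 200
2019-09-10T08:03:01Z 10.0.7.9 GET https://www.example.org/ 200
2019-09-10T08:05:33Z 10.0.7.9 POST https://weblogin.pennkey.upenn.edu.reactivation.in/idp 302
2019-09-10T08:06:10Z 10.0.9.3 GET https://brandnew.cvre.tk/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log(log_text: str, apexes: set) -> list:
    """Return (timestamp, client_ip, hostname) for each request whose host is on an IOC apex."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host and matches(host, apexes):
            hits.append((ts, client, host))
    return hits


if __name__ == "__main__":
    known = build_apex_set(IOCS)
    for ts, client, host in scan_log(SAMPLE_LOG, known):
        flag = " (embeds institutional label)" if embeds_institution_domain(host) else ""
        print(f"{ts} {client} -> {host}{flag}")
```

Matching on the apex rather than on the exact listed hostname is the point of the exercise: the list above already shows several subdomains per apex (cavc[.]tk, cvre[.]tk, ulibr[.]ga), so a new campaign hostname on the same apex should alert without waiting for an updated IOC feed.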
Overlaps
Source: Secureworks - September 2019
Detection (two cases): nsae[.]ml, ulibr[.]ga
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.