Share this article on:
The Iran-based hacking group known as Silent Librarian – aka Cobalt Dickens and TA407 – has recommenced spear phishing attacks on universities in the United States and around the world. The hacking group has been conducting attacks since 2013 to gain access to login credentials and steal intellectual property and research data. Credentials and data stolen in the attacks are subsequently sold via the hacking group’s portals.
The U.S. Department of Justice indicted 9 Iranians in connection with the attacks in 2018, but the indictments have had no effect on the campaigns which have continued. Those individuals have yet to be brought to justice.
The spear phishing campaigns usually recommence in September to coincide with the start of the new academic year. The hackers have developed many different phishing websites which are used in the campaigns, and while many of these sites are taken down, sufficient numbers are used to ensure the campaigns can continue. This year, the group is known to be using sites hosted in Iran, which could hamper efforts to have the sites shut down due to a lack of cooperation between Iran and the United States and Europe.
Spear phishing emails are highly targeted and are sent to relatively few individuals at each targeted institution. The emails often spoof university libraries and prompt users to click links and login to the university’s web portal.
The domains used in the campaign closely resemble the official domains used by the universities. For instance, attacks on Western University Canada use login.proxy1.lib.uwo.ca.sftt.cf instead of login.proxy1.lib.uwo.ca, and the campaign targeting Stony Brook University uses the domain blackboard.stonybrook.ernn.me instead of blackboard.stonybrook.edu.
The threat group is known to use URL shortening services for links to the phishing domains to mask the true destination URL. Malwarebytes, which discovered the latest campaign, reports that Silent Librarian is using Cloudflare this year for most of their phishing hostnames to hide the real origin of the sites, which are mostly hosted in Iran this year.
The landing pages on the phishing pages are virtual carbon copies of those used by the universities being targeted, so if a user lands on one of those pages and fails to identify the incorrect URL, there is a strong likelihood that login credentials will be entered and captured by the group.
This year’s campaign could be even more effective. Many students and staff are remote due to COVID-19, which could potentially be exploited to steal more credentials and data.
The hacking group is known to have conducted attacks on at least 40 organizations and more than 140 educational institutions since 2013 and was discovered to have stolen more than 30 TB of data between 2013 and 2017. Malwarebytes reports that well over a dozen universities are known to have been targeted in the latest campaign, but says only a small sample of the emails have been intercepted and the campaign is likely to be far more extensive.