Silent Librarian APT right on schedule for 20/21 academic year

Posted: October 14, 2020 by Threat Intelligence Team

A threat actor known as Silent Librarian/TA407/COBALT DICKENS has been actively targeting universities with spear phishing campaigns since schools and universities went back into session.

In mid-September, we were tipped off by one of our customers about a new active campaign from this APT group. Based on the number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage.

Even though many phishing sites have been identified and taken down, the threat actor has built enough of them to continue with a successful campaign against staff and students alike.

A persistent threat actor with a perfect attendance record

In March 2018, nine Iranians were indicted by the US Department of Justice for conducting attacks against universities and other organizations with the goal of stealing research and proprietary data.

Yet in both August 2018 and August 2019, Silent Librarian was lining up for the new academic year, once again targeting the same kind of victims in over a dozen countries.

IT administrators working at universities have a particularly tough job, considering that their customers, namely students and teachers, are among the most difficult to protect because of their behaviors. At the same time, those same users contribute to and access research that could be worth millions or billions of dollars.

Because Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including technology. As such, these attacks serve a national interest and are well funded.

Same pattern in phishing domain registration

The new domain names follow the same pattern as previously reported, except that they swap the top-level domain for another. We know that the threat actor has used the “.me” TLD in past campaigns against some academic institutions, and this is still the case, alongside “.tk” and “.cf”.

This new phishing campaign has been tracked by several security researchers on Twitter, notably Peter Kruse from the CSIS Security Group.

Phishing site                   Legitimate site             Target
blackboard.stonybrook.ernn.me   blackboard.stonybrook.edu   Stony Brook University
blackboard.stonybrook.nrni.me   blackboard.stonybrook.edu   Stony Brook University
uu.blackboard.rres.me           uu.blackboard.com           Universiteit Utrecht

The original table also lists the University of Adelaide Library, Caledonian University, University of Bristol, University of Cambridge, Mittelhessen University of Applied Sciences and further universities as targets; the phishing and legitimate hostnames for those rows did not survive extraction.

Table 1: List of phishing sites and targets

Registering subdomains like these to phish universities is a known behavior of this APT group, so we can reasonably conclude that they were registered by the same actor.
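As a detection-side illustration of the registration pattern described above (an added example, not code from the Malwarebytes write-up), the following Python flags DNS queries for hostnames that copy a protected portal's labels, drop its TLD and append an extra label under .me, .tk or .cf. The two protected hostnames come from Table 1; the log format, timestamps and client addresses are constructed for the example.

```python
"""Flag hostnames built like Silent Librarian's phishing domains: the
legitimate hostname is copied label for label, its TLD is dropped, a short
registered label is appended and the result is placed under .me, .tk or .cf,
e.g. blackboard.stonybrook.edu -> blackboard.stonybrook.ernn.me and
uu.blackboard.com -> uu.blackboard.rres.me."""

SUSPECT_TLDS = {"me", "tk", "cf"}  # TLDs named in the write-up

# Portals to protect (legitimate hostnames from Table 1; load your own list).
PROTECTED_HOSTS = ["blackboard.stonybrook.edu", "uu.blackboard.com"]

def _labels(host):  # 'Blackboard.StonyBrook.edu.' -> ['blackboard', 'stonybrook', 'edu']
    return host.lower().rstrip(".").split(".")

def lookalike_of(candidate, protected=PROTECTED_HOSTS, tlds=SUSPECT_TLDS):
    """Return the protected hostname `candidate` imitates, or None.
    Match: TLD in `tlds`; the label under the TLD is the attacker's registered
    domain; the labels before it end with the protected host minus its TLD
    (extra leading labels such as 'www.' are tolerated).
    """
    labels = _labels(candidate)
    if len(labels) < 3 or labels[-1] not in tlds:
        return None
    copied_prefix = labels[:-2]  # everything in front of the registered label
    for host in protected:
        want = _labels(host)[:-1]
        if want and copied_prefix[-len(want):] == want:
            return host
    return None

def scan_dns_log(lines, protected=PROTECTED_HOSTS):
    """Return [(queried_name, imitated_host)] for suspicious queries in lines
    of the constructed format '<timestamp> <client> <qname>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        imitated = lookalike_of(fields[2], protected)
        if imitated:
            hits.append((fields[2], imitated))
    return hits

# Constructed sample log: one legitimate query, one unrelated, two lookalikes.
SAMPLE_LOG = [
    "2020-09-15T08:12:03Z 10.20.1.44 blackboard.stonybrook.edu",
    "2020-09-15T08:12:09Z 10.20.1.44 blackboard.stonybrook.ernn.me",
    "2020-09-15T08:13:41Z 10.20.3.7 www.example.org",
    "2020-09-15T08:15:02Z 10.20.5.19 uu.blackboard.rres.me",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns the two lookalike queries paired with the portals they imitate; the legitimate .edu query and the unrelated domain are left alone.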

Figure 1: Phishing site for the University of Adelaide

Phishing sites hosted in Iran

The threat actor uses Cloudflare for most of their phishing hostnames in order to hide the real hosting origin. However, with some external help we were able to identify some of their infrastructure located on Iran-based hosts.

It may seem odd for an attacker to use infrastructure in their own country, since it could point a finger at them. Here, however, it simply becomes another bulletproof hosting option, given the lack of cooperation between US or European law enforcement and local police in Iran.

Figure 2: Part of the phishing infrastructure showing connections with Iran

Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of staying one step ahead and is going after many possible targets at once.

We are continuing to monitor this campaign and are keeping our customers safe by blocking the phishing sites.

Indicators of Compromise (IOCs)

[Source: Malwarebytes / 10.14.]