Silent Librarian, also tracked as Cobalt Dickens and TA407, an Iran-based group, has resumed its spear-phishing attacks on universities in the United States and around the world. Since 2013 the group has been running campaigns to obtain login credentials and steal intellectual property and research data. The stolen data and credentials are then offered for sale through the group's own websites.
The U.S. Department of Justice indicted nine Iranians in 2018 in connection with the attacks; however, the indictments had no effect on the campaigns, which have continued. Those individuals have yet to face justice.
The spear-phishing campaigns typically begin in September to coincide with the start of the new academic year. The group has created a large number of phishing portals for use in the campaigns. Although many of these sites are taken down, enough remain in use to ensure the campaigns can continue. In 2020 the group is using web pages hosted in Iran, which can hinder takedown efforts because of the lack of cooperation between Iran, Europe, and the United States.
The spear-phishing emails are highly targeted and are sent to only a few people at each targeted organization. They frequently spoof university libraries and urge recipients to click a link and sign in to what appears to be the university's website.
The domains used in the attacks closely resemble the genuine sites used by the universities. For example, attacks on Western University in Canada use login.proxy1.lib.uwo.ca.sftt.cf in place of login.proxy1.lib.uwo.ca, while Stony Brook University users are directed to blackboard.stonybrook.ernn.me rather than blackboard.stonybrook.edu.
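The two look-alike hostnames above share one trick: the university's real domain appears in the middle of the hostname, but the registrable domain (the part a registrar actually handed out) is something else entirely. The check below, an added example rather than code from the article or from Malwarebytes, extracts the registrable domain and flags hostnames that embed an allowlisted institutional domain or its brand label under a foreign registration. The suffix table and the allowlist of legitimate domains are constructed for this example; a production check would use the full Public Suffix List (for instance via the `tldextract` or `publicsuffix2` packages) and the institution's real domain inventory.

```python
"""Flag look-alike hostnames that embed a legitimate university domain.

Constructed example: the suffix table is a tiny stand-in for the Public
Suffix List, and LEGIT_DOMAINS is an assumed allowlist.
"""
from urllib.parse import urlsplit

# Constructed, deliberately small stand-in for the Public Suffix List.
# Multi-label suffixes must be listed explicitly; anything else is treated
# as a single-label TLD.
KNOWN_SUFFIXES = {"ca", "edu", "cf", "me", "co.uk", "ac.uk"}

# Assumed allowlist of domains the institution actually owns (constructed).
LEGIT_DOMAINS = {"uwo.ca", "stonybrook.edu"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain (eTLD+1) of hostname.

    Longest suffix match wins, so "x.ac.uk" yields "x.ac.uk" not "ac.uk".
    """
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def classify_host(hostname: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Classify a hostname as legitimate, lookalike, suspicious or unrelated."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in legit_domains:
        return "legitimate"
    labels = host.split(".")
    for legit in sorted(legit_domains):
        # Real domain embedded as an inner label run, e.g.
        # login.proxy1.lib.uwo.ca.sftt.cf contains ".uwo.ca."
        if f".{legit}." in f".{host}.":
            return f"lookalike (embeds {legit}, registered under {reg})"
        # Brand label reused under a different TLD, e.g.
        # blackboard.stonybrook.ernn.me reuses "stonybrook"
        brand = legit.split(".")[0]
        if brand in labels:
            return f"suspicious (reuses label {brand!r}, registered under {reg})"
    return "unrelated"


def classify_url(url: str, legit_domains=LEGIT_DOMAINS) -> str:
    """Pull the hostname out of a full URL and classify it."""
    host = urlsplit(url).hostname
    if not host:
        return "unparseable"
    return classify_host(host, legit_domains)


if __name__ == "__main__":
    # Hostnames taken from the campaign described above, plus one unrelated host.
    for h in (
        "login.proxy1.lib.uwo.ca",
        "login.proxy1.lib.uwo.ca.sftt.cf",
        "blackboard.stonybrook.edu",
        "blackboard.stonybrook.ernn.me",
        "example.org",
    ):
        print(f"{h:40} -> {classify_host(h)}")
```

Run as a filter over URLs extracted from mail or proxy logs, the "lookalike" and "suspicious" verdicts are the ones worth alerting on; the string match is intentionally broad, since the whole point of these domains is that a human reading them sees the familiar prefix and stops there.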
The group uses URL shortening services to generate links to the phishing sites, hiding the true destination. Malwarebytes, which identified the latest campaign, noted that this year Silent Librarian is placing most of its phishing hostnames behind Cloudflare to conceal the true origin of the pages, which are generally hosted in Iran.
The landing pages on the phishing sites are digital carbon copies of those used by the targeted institutions, so if a user reaches one of these sites and does not notice the incorrect URL, there is a high chance the group will capture whatever credentials are entered.
This year's campaign may be far more successful. With many students and staff working remotely because of COVID-19, the group has an opportunity to steal considerably more credentials.
The group is known to have attacked at least 40 institutions and more than 140 educational establishments since 2013, and was found to have stolen over 30 TB of data between 2013 and 2017. Malwarebytes says more than a dozen universities were targeted in the most recent campaign, but notes that only a small sample of the phishing emails was intercepted and the attacks may be far more extensive.