Iran-Linked ‘Silent Librarian’ Back at Phishing Universities

Iran-linked state-sponsored threat actor ‘Silent Librarian’ has launched another phishing campaign targeting universities around the world.

Also tracked as TA407 and COBALT DICKENS, the adversary was previously observed launching similar attacks for two years in a row.

In 2018, the group set up fake login pages for 76 universities. In 2019, Silent Librarian targeted more than 60 universities in Australia, Canada, Hong Kong, Switzerland, the United States, and the United Kingdom.

Observed in mid-September, the new round of attacks revealed that the threat actor is expanding its target list to include more countries. One of the victims is the Nanyang Technological University in Singapore, cybersecurity researcher Peter Kruse says.

Silent Librarian, Malwarebytes’ security researchers reveal, has sent spear-phishing emails to both staff and students at the targeted universities, and the threat actor was observed setting up new infrastructure to counter efforts to take down its domains.

“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded,” Malwarebytes says.

Domain names used in the new attacks follow the pattern observed before, although they use a different top level domain name: the adversary switched from the “.me” TLD that was previously employed to “.tk” and “.cf” in recent attacks.

Considering Silent Librarian’s use of similar domains to target universities in the past, Malwarebytes researchers are confident the new domains were registered by the same group.

The threat actor uses Cloudflare for hostnames, which helps them hide the real hosting origin. Despite that, however, the researchers were able to identify some of the infrastructure, which was hosted in Iran.

While the use of infrastructure located in the attacker’s own country might seem surprising, the researchers explain that it only shows that the adversary can leverage yet another bulletproof hosting option, the result of a lack of cooperation between US and European law enforcement and local police in Iran.

“Clearly we only uncovered a small portion of this phishing operation. Although for the most part the sites are taken down quickly, the attacker has the advantage of being one step ahead and is going for many possible targets at once,” Malwarebytes concludes.

Related: Iran Acknowledges Cyberattacks on Government Departments

Related: Hackers Steal Swiss University Salaries

Related: U.S. Seizes Domain Names Used by Iran for Disinformation

view counter

RSS Icon
picture 142

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:
tag iconTags:

Source link

Recent articles

Used business aircraft market boosted by first-time buyers | News

Wealthy individuals wary of travelling on commercial airlines are boosting the used business aircraft market, according to trade brokerage Jetcraft. The US company, which...

Disability Visibility: First-Person Stories from the Twenty-First Century | Review

Alice Wong (editor)Crown Books2020 | 240pp | £11.99ISBN 9781984899422 Buy this book on A magnetar is born in a gamma-ray burst, an incredibly powerful astronomical...

We have two inherited IRAs, one for a spouse and one for adult children — can you help us figure it out?

Q: My family is having difficulty with IRA RMDs and spousal continuation. Any insight...

Israel strikes Gaza after rocket attack | Middle East

Israeli army says it struck Hamas military targets in the besieged strip after two rockets were fired into Israel.The Israeli military says it...

Best of Blender Artists: 2020, week 43

About Author Bart Veldhuizen I have a LONG history with Blender - I wrote some of the earliest Blender tutorials, worked for Not a...

Leave a reply

Please enter your comment!
Please enter your name here