An Iranian state-backed APT group known for targeting universities for research materials has been detected in a new campaign coinciding with the start of the new academic year.
Silent Librarian (aka TA407, Cobalt Dickens) is once again casting the net wide geographically. It has registered phishing sites for universities in: Australia (Victoria, Adelaide and Melbourne Victoria), the UK (Glasgow Caledonian, King’s College London, Bristol, Cambridge and others), the US (North Texas, McGill, Stony Brook), Singapore (Nanyang Technological), Canada (Western, Toronto) and in Sweden, Germany and the Netherlands.
Using a pattern similar to that spotted in previous campaigns, the group keeps most of the domain intact and simply swaps the TLD, a tactic that works whenever organizations have not defensively registered enough variants of their own domain.
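The TLD-swap pattern described above lends itself to a simple defensive check. The following is an added example, not code from the Malwarebytes report: it flags candidate domains (for instance from newly registered domain feeds or certificate transparency logs) whose registrable label matches one of an institution's own domains but sits under a different suffix. It assumes a small hand-maintained table of multi-label suffixes such as `ac.uk`; a production version would use the full Public Suffix List. All domains in the sample data are constructed, not real indicators, and the check also catches subdomain prefixes such as `login.`, which goes slightly beyond the single case the article describes.

```python
from typing import NamedTuple

# Constructed subset of multi-label public suffixes; the real list is much longer.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "edu.au", "edu.sg"}


def split_domain(fqdn: str) -> tuple[str, str]:
    """Return (registrable_label, public_suffix), e.g. ('bristol', 'ac.uk').

    Subdomains are discarded, so 'login.bristol.ac.uk' yields the same pair.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    raise ValueError(f"not a domain: {fqdn!r}")


class Match(NamedTuple):
    candidate: str          # the suspicious domain that was seen
    label: str              # the institution's registrable label it reuses
    legit_suffixes: tuple   # suffixes under which that label is legitimately held


def find_tld_swaps(legit: list[str], candidates: list[str]) -> list[Match]:
    """Flag candidates whose label is ours but whose suffix is not."""
    index: dict[str, set[str]] = {}
    for d in legit:
        label, suffix = split_domain(d)
        index.setdefault(label, set()).add(suffix)
    hits = []
    for c in candidates:
        try:
            label, suffix = split_domain(c)
        except ValueError:
            continue  # junk line in the feed; skip rather than crash
        if label in index and suffix not in index[label]:
            hits.append(Match(c, label, tuple(sorted(index[label]))))
    return hits


# Constructed sample data, not real indicators.
LEGIT = ["example-uni.ac.uk", "example-uni.edu", "northtex-example.edu"]
CANDIDATES = [
    "example-uni.co.uk",        # same label, swapped suffix -> flagged
    "example-uni.edu",          # legitimate -> ignored
    "login.example-uni.me",     # subdomain prefix does not hide the swap
    "northtex-example.edu.au",  # multi-label suffix handled -> flagged
    "unrelated.org",            # label not ours -> ignored
]

if __name__ == "__main__":
    for m in find_tld_swaps(LEGIT, CANDIDATES):
        print(f"{m.candidate}: reuses '{m.label}' (ours: {', '.join(m.legit_suffixes)})")
```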
Although Silent Librarian is using Cloudflare to hide the true location of its servers, Malwarebytes said it was able to identify several based in Iran.
“It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them,” the firm’s Threat Intelligence Team wrote in a blog post. “However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran.”
It warned that although sites are being taken down as quickly as possible, the group has amassed a sizeable number in order to continue its phishing campaign unabated.
“IT administrators working at universities have a particularly tough job considering that their customers, namely students and teachers, are among the most difficult to protect due to their behaviors. Despite that, they also contribute to and access research that could be worth millions or billions of dollars,” said Malwarebytes.
“Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology. As such, these attacks represent a national interest and are well funded.”
Silent Librarian was spotted carrying out similar attacks in 2018 and 2019.