The Revival of the Silent Librarian

Students are going back to schools and so is Silent Librarian.

The scoop

Silent Librarian, TA407, or Cobalt Dickens is an Iranian state-sponsored APT group infamous for targeting educational institutions for research materials, via spear-phishing campaigns. The group has already registered phishing sites for universities in Australia, the U.K, Singapore, the U.S., Canada, Germany, the Netherlands, and Sweden. 

A persistent threat actor

A couple of years back in March, the U.S. DoJ indicted 9 Iranians for carrying out attacks against educational institutions. However, Silent Librarian did not stop lining up for new school years since then. 

Why and how?

The threat actor launches low-volume, socially-engineered emails to trick targets into giving up their login credentials. The aim of the group is to sell logins and university data and research online. The group hosts a series of phishing sites impersonating legit university domains. Furthermore, Cobalt Dickens is leveraging the Cloudfare CDN to host most of its phishing sites in an attempt to hide the real hosting location.

Education sector on the crosshairs

  • DarkHydrus targets educational institutions in the Middle East and has been in commission since at least 2016. 
  • SilverTerrier, a Nigerian threat actor, targets organizations in higher education and has been functioning since 2014.

The bottom line

The state-sponsored attacks are a clear indication of national interest and thus, are well-funded. Silent Librarian has been on the prowl for research and data that is worth millions. Although some of the phishing sites have been blocked, the threat actor has taken a step ahead and is going for a myriad of targets at one go.