The start of the academic year has seen the Silent Librarian (TA407) hacking group launch new phishing campaigns targeting research universities. The hacking group is believed to be backed by the Iranian government and is highly active at the start and end of an academic year.
The campaigns were detected by security researchers at Proofpoint and Secureworks, who intercepted several emails containing hyperlinks to malicious websites that harvest users’ credentials. The hyperlinks are often masked using URL shortening services and users often experience redirects in an attempt to fool anti-phishing software.
The campaigns are sophisticated and highly realistic thanks to the use of stolen logos, branding, banners and university color schemes. The phishing pages mimic library, student and faculty access portals, and are virtually identical to the genuine portals that they spoof.
The campaigns involve relatively small numbers of emails, often just tens or hundreds of messages but rarely more, and target specific schools and universities, mostly those in the United States and Europe. The attackers regularly check the genuine portals and update their own phishing pages accordingly. This year, Proofpoint notes that several phishing pages have incorporated weather notification banners to more closely resemble the spoofed portals.
While the emails used in the campaign are varied, most spoof the targeted university or school and appear to have been sent internally. The messages include fake email signatures and addresses and use clones of genuine university-specific email bodies.
The message subjects are often related to library services and include requests for renewal of loaned items, renewal of materials, warnings of deactivation or limiting of access to library services, and overdue notices about loaned items.
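The three traits described above (library-themed subjects, messages that appear to come from inside the institution, and links hidden behind URL shorteners) can be turned into a simple triage heuristic for a mail-security team. The following Python is an added example, not code from the article or from Proofpoint or Secureworks; the two sample messages, the organisation domain university.example, the shortener host list and the indicator names are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts of widely used URL-shortening services. A starting list (assumption),
# not an exhaustive one; extend it from your own mail telemetry.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly"}

# Subject themes the article attributes to the campaign: renewal of loaned
# items, overdue notices, and deactivation or limiting of library access.
LIBRARY_SUBJECT_RE = re.compile(
    r"\b(renew\w*|loan\w*|overdue|deactivat\w*|library)\b", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _domain(header_value):
    """Return the lower-cased domain of an address header value, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw, org_domain):
    """Score one raw RFC 5322 message; a higher score means more campaign-like.

    Returns {"score": <int>, "indicators": [<name>, ...]}.
    """
    org_domain = org_domain.lower()
    msg = message_from_string(raw, policy=policy.default)
    indicators = []

    # 1. Library-themed subject line.
    if LIBRARY_SUBJECT_RE.search(str(msg.get("Subject", ""))):
        indicators.append("library_subject")

    # 2. The From header claims an internal sender, but the envelope sender
    #    recorded in Return-Path belongs to a different domain.
    from_domain = _domain(msg.get("From"))
    rp_domain = _domain(msg.get("Return-Path"))
    if from_domain == org_domain and rp_domain and rp_domain != org_domain:
        indicators.append("spoofed_internal_sender")

    # 3. At least one link in the body points at a URL-shortening service,
    #    which hides the real destination from the reader and from filters.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if hosts & SHORTENER_HOSTS:
        indicators.append("shortened_link")

    return {"score": len(indicators), "indicators": indicators}


# Constructed sample: a message with all three traits (assumption, not a real capture).
PHISHING_SAMPLE = """\
From: Library Services <library@university.example>
Return-Path: <bounce@mail-relay.example>
To: student@university.example
Subject: Overdue notice: loaned items must be renewed today
Content-Type: text/plain; charset="utf-8"

Your library access will be deactivated unless you renew: https://bit.ly/xyz123
"""

# Constructed sample: an ordinary internal notice with none of the traits.
BENIGN_SAMPLE = """\
From: Registrar <registrar@university.example>
Return-Path: <registrar@university.example>
To: student@university.example
Subject: Fall semester course schedule is posted
Content-Type: text/plain; charset="utf-8"

The schedule is available at https://portal.university.example/schedule
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score_message(sample, "university.example"))
```

A score of 2 or more is a reasonable threshold for routing a message to manual review; the Return-Path check is deliberately weak on its own, because legitimate mail sent through a third-party service can also carry an external envelope sender, so it is only useful in combination with the other indicators.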
Once access is gained to email accounts at a targeted university, the compromised accounts are often used for further phishing campaigns on other universities and schools.
The hacking group is prolific. The US Department of Justice indicted nine alleged members of the hacking group in 2018 on multiple charges. The indictment alleges the hackers were responsible for attacks on at least 144 US universities, 176 foreign universities, and 5 federal and state governmental agencies and compromised 7,998 university accounts, including 3,768 in the United States. Between 2013 and 2018 the group is alleged to have stolen 31.5 terabytes of academic data and intellectual property worth $3.4 billion.
Universities have been advised to be on high alert, to implement multi-factor authentication, and to take steps to protect their intellectual property and personal information.