The Silent Librarian hacker group – aka TA407 – has recommenced a spear phishing campaign targeting universities. The hacking group is known for sending spear phishing emails to university staff and students that direct the recipients to websites spoofing university and portal apps, on domains very similar to those used by the universities. The theme for the emails varies, although commonly the group spoofs university library systems and other faculties and sends warnings that require users to login to internal systems.
The purpose of those websites is to collect credentials, which are then used to gain access to university resources with the view to stealing research data and intellectual property. Credentials obtained in the attacks are also sold on and intellectual property and research data are similarly sold to the highest bidder.
Silent Librarian operates out of Iran and has been conducting attacks on universities since at least 2013. In 2018, several members of the group were indicted in the United States for the attacks, theft of intellectual property, and sale of stolen data on their web portals. To date, the individuals involved have not been apprehended and the attacks have continued.
The spear phishing campaigns commence at the start of the academic year and 2020 is no different, although there is a notable change in this year’s campaign. The phishing websites are now hosted in Iran, presumably to reduce the chances of the websites being taken down. In past campaigns, many of the websites used were taken down, but since Silent Librarian had large number of websites, they managed to survive attempts to disrupt their campaigns.
The campaigns are conducted in limited numbers and the attacks are highly targeted. Several websites are being used to target universities from several different countries including Australia, Canada, Germany, Netherlands, Singapore, Sweden, the United States, and United Kingdom.
The websites are very similar to those used by the targeted universities – blackboard.gcal.crev[dot]me instead of blackboard.gcal.ac[dot]uk for example – and the sites are frequently updated with new, university-specific banners and topical information such as local weather alerts and emergency notifications to make them appear more authentic. The links in the emails are often shortened using URL shortening services to hide the true destination URL, or Cloudflare to hide the phishing hostnames.
The campaigns have been honed over the years and are convincing and effective. The group is believed to have stolen research data worth many millions of dollars over the years.