'Silent Librarian' Revamps Phishing Campaign: ProofpointIranian-Backed Hacking Group Targeting Research Universities
"Silent Librarian," a hacking group with apparent ties to the Iranian government, is continuing to revamp and refine its phishing techniques as it targets research universities in the U.S. and Europe in an attempt to steal intellectual property, according to the security firm Proofpoint.
The hacking group, which Proofpoint also refers to as TA407, is active at this time of year because many schools and universities are in the middle of their fall semester with new students and faculty starting their academic year. Many of these institutions are targeted with highly sophisticated phishing emails disguised as coming from a school's library services - hence the name, according to Proofpoint’s new research report.
The group continues to revamp its phishing emails to make them even more authentic, using banners and logos stolen from universities, the researchers say. These phishing emails lead to spoofed webpages that incorporate what appear to be real-time weather banners to make them look authentic.
"These portals are more likely to push forced credential changes to users at the end of a school year or at the beginning of a new one," Chris Dawson, the threat intelligence lead at Proofpoint, tells Information Security Media Group. "We also see upticks in phishing activity as new students activate their accounts for the first time and begin receiving high volumes of university-related email."
The hacking group has targeted over 140 organizations in the U.S. and another 170 universities and schools in 21 other countries around the world since 2013, according to Proofpoint.
The group stole over 30 terabytes of data between 2013 and 2017, the researchers say. Proofpoint’s new research report, however, does not say if any of the group’s recent activity has led to the theft of more intellectual property from any of the universities targeted.
In September, SecureWorks released an analysis of the same group, which it calls "Colbalt Dickens" (see: Iranian Hacking Group Continues Targeting Universities).
In March 2018, the U.S. Justice Department, unsealed an indictment against the group, which it calls the Mabna Institute. The charges included computer intrusion, wire fraud and identity theft.
The Justice Department indictment tied the group to Iran's Islamic Revolutionary Guard Corps, a paramilitary group that's also involved in cyberespionage.
In almost all cases, the hacking group targets universities with phishing emails that appear to come from the school's library services. These messages contain links that lead to spoofed webpages that are designed to resemble a school's online library services support portal, according to the Proofpoint research.
Once a victim lands on the spoofed webpage, they are asked to input their credentials under the guise of reactivating suspended library services, researchers say. If the victim falls for the fake log-in page, their credentials are sent to a server controlled by the hacking group, and the victim is then redirected back to the actual university library webpage, Proofpoint says.
The Proofpoint researchers say that these attacks usually started with a shortened URL to help hide the domain. The analysts also found that in many cases, the hacking group compromises one university IT system and then uses that as a launching pad to send other phishing emails to other schools and universities.
In the phishing emails that Proofpoint collected, researchers noticed that the hacking group uses a free service called Freenom to register various domains that they control.
"Threat actors know a phishing email that appears to originate from a trusted associate or fellow university is far more likely to be clicked than an email from an unknown source," Dawson says. "We regularly observe threat actors that target a specific university are looking to breach credentials, and use those credentials and far-reaching access to target an associated university, teaching hospital, research facility, etc."