Cyber Threat Actor: Silent Librarian
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
34 incidents |
|---|
Profile
Silent Librarian, also tracked as Cobalt Dickens and TA407, is an Iran‑based threat actor that has been publicly linked to a series of credential‑harvesting and malware distribution campaigns against academic institutions worldwide. The group first came to prominence through a series of phishing operations that began as early as 2013, leading to a U.S. indictment in March 2018 for stealing intellectual property from universities and reselling it on domains such as Megapaper.ir and Gigapaper.ir. Public reporting consistently describes the actor as Iranian state‑linked, noting that its infrastructure is often hosted within Iran to evade takedown efforts by foreign law enforcement.
The actor’s typical targeting focuses on universities and colleges across multiple regions, including North America, Europe, Asia and Oceania, as evidenced by incidents involving Purdue, Oxford, Stanford, Hunter College, La Trobe University and Nanyang Technological University. Its strategic objective, as described in open sources, is to obtain login credentials and proprietary academic material through phishing, which is then monetized by reselling the stolen research on illicit platforms. Initial access is achieved primarily via spear‑phishing emails that contain links to fraudulent university‑portal or library sites hosted on lookalike domains; these messages are often sent from compromised legitimate university email accounts, allowing the actor to bypass SPF and DMARC authentication. In several campaigns, the group abused misconfigured SMTP servers at victim institutions to relay phishing messages, further increasing deliverability. While specific malware families are not named in the provided material, the emails frequently carry malicious attachments designed to install payloads once opened. The actor’s tooling style emphasizes the use of trusted academic domains, credential harvesting via fake login pages, and the exploitation of weak password practices or shared credentials to maintain access to hijacked accounts.
Notable operations include a 2020 wave of phishing attacks that leveraged compromised accounts at over a dozen universities to distribute credential‑harvesting links and malware, taking advantage of the shift to remote learning during the pandemic. A separate 2021 incident saw Queens University Belfast suspend access to multiple systems as a precaution after an attempted cyber‑attribution attempt, though no data theft was confirmed. These campaigns illustrate the actor’s recurring pattern of targeting educational entities at the start of academic seasons, employing infrastructure hosted in Iran to reduce the risk of external disruption, and consistently seeking to convert stolen intellectual property into financial gain.
