Cyber Incident Victim: Nanyang Technological University

Date: Oct 2020

Location: Singapore

Summary

A group of Iranian state-linked hackers known as Silent Librarian conducted phishing campaigns targeting multiple academic institutions, including Nanyang Technological University, by impersonating university portals and library applications to steal login credentials. The attackers hosted phishing infrastructure on Iranian servers to evade takedowns, exploiting the lack of international law enforcement cooperation. This group historically compromised academic systems to steal and resell intellectual property, such as unpublished research and proprietary materials, through illicit platforms, and it continued operations despite prior US indictments for similar global attacks dating back several years.

Description

The Silent Librarian hacker group, linked to Iran, resumed phishing campaigns against universities globally in October 2020, coinciding with the new school year. This group, indicted by the US in March 2018 for attacks dating back to 2013, historically targeted academic institutions to steal intellectual property. Their 2020 attacks involved emails directing victims to fraudulent university portals or library apps hosted on lookalike domains. These phishing sites harvested login credentials, enabling unauthorized access to university systems. The stolen academic materials, including limited-release research, were later sold on the Iranian platforms Megapaper.ir and Gigapaper.ir. Despite the 2018 indictments, the group continued operations from Iran, launching annual campaigns typically in the fall. Previous activities were documented by Secureworks in 2018 and Proofpoint in 2019. The 2020 campaign differed by using Iranian-hosted servers for phishing sites, which complicated takedown efforts due to the lack of international law enforcement cooperation. Malwarebytes identified this shift, noting the strategic use of bulletproof hosting within Iran to evade disruption.

The attacks compromised university portals, leading to theft of sensitive academic data and credentials. By impersonating legitimate services, the phishing campaigns posed significant risks to institutional security and intellectual property integrity. The group's persistent operations highlighted challenges in prosecuting threat actors based in jurisdictions with limited extradition. US legal actions had previously detailed the hackers' methods and motives, but their location in Iran prevented arrest. Security firms tracked the campaigns annually, with Malwarebytes providing specific details on the 2020 infrastructure and targets. The listed phishing domains aimed to deceive users at multiple universities, though exact institutional impacts beyond credential harvesting were not publicly quantified. The incident underscored ongoing vulnerabilities in academic cybersecurity and the adaptability of state-aligned threat groups in evading countermeasures through jurisdictional arbitrage.
