Cyber Incident Victim: University of Toronto

Date: Oct 2020

Location: Canada

Summary

A group of Iranian state-linked hackers known as Silent Librarian resumed phishing campaigns targeting academic institutions, including the University of Toronto, by deploying credential-stealing websites mimicking university portals and library services. The attackers hosted phishing infrastructure on Iranian servers to evade international law enforcement takedowns, leveraging lookalike domains in emails to harvest login details. This group historically stole and resold academic research and intellectual property through illicit platforms, continuing operations despite prior US indictments. The campaign aligned with seasonal patterns of targeting universities during academic cycles, with the latest iteration emphasizing resilient infrastructure to sustain unauthorized access to restricted scholarly materials.

Description

In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed targeted phishing campaigns against global universities, including the University of Toronto, coinciding with the start of the academic year. The attackers deployed emails impersonating legitimate university portals and associated services like library applications, directing victims to fraudulent websites hosted on domains designed to mimic institutional URLs. These phishing sites harvested login credentials, enabling unauthorized access to university systems. Security firm Malwarebytes confirmed the campaign’s infrastructure differed from prior operations, with phishing servers hosted within Iran to evade international law enforcement takedowns. The group exploited geopolitical barriers, as Iranian authorities historically lack cooperation with U.S. and European agencies. While the article did not specify intrusion timelines or data exfiltration volumes for individual universities, the University of Toronto appeared among 14 listed targets alongside institutions like the University of Cambridge and University of Melbourne.

Silent Librarian, indicted by the U.S. Department of Justice in March 2018 for attacks dating to 2013, historically stole intellectual property and pre-publication academic research to resell via Iranian platforms Megapaper.ir and Gigapaper.ir. The 2020 campaign continued this pattern of credential harvesting for subsequent theft of restricted academic materials. Previous campaigns occurred annually in the fall, with documented incidents in 2018 by Secureworks and in 2019 by Proofpoint. No technical mitigation details or victim-specific containment actions were disclosed in the source material. The operational shift to Iranian hosting reflected strategic adaptation to preserve infrastructure, though the core tactics—domain spoofing, credential collection, and exploitation of academic resources—remained consistent with the group’s long-standing objectives.
