Cyber Incident Victim: Karolinska Institutet
Date:
Oct 2020
Location:
Sweden
Summary
A threat group known as Silent Librarian, whose members were previously indicted for targeting academic institutions, resumed its phishing campaigns against universities, Karolinska Institutet among them. The attackers sent emails impersonating university portals and associated services such as library login pages, directing recipients to credential-harvesting sites on lookalike domains. Unusually, much of that infrastructure was hosted in Iran, which puts it beyond the reach of the takedown requests that had disrupted earlier campaigns. The group has a documented history of stealing unpublished academic research and subscription content and monetizing it through illicit platforms. The 2020 campaign therefore marked a tactical shift: domestic hosting exploits the jurisdictional barriers that hinder international law enforcement cooperation.
Description
In October 2020, the Iranian state-aligned group tracked as Silent Librarian resumed its yearly campaign of attacks on academic institutions, timed as usual to the start of the academic year. The lures were phishing emails impersonating university portals and associated services such as library applications, linking to fraudulent login pages on lookalike domains that harvested the victims' credentials; those credentials were then used to access university systems, a pattern documented since at least 2013. In March 2018 the U.S. Department of Justice had indicted members of the group, operating as the Mabna Institute, for systematically stealing intellectual property and unpublished academic research from more than 300 universities worldwide. The stolen material, including journal articles and proprietary data, was resold through the Iranian platforms Megapaper.ir and Gigapaper.ir. Despite the indictment, the group continued to operate with impunity from Iran, running a fresh campaign each fall. Security firms including Malwarebytes, Secureworks (which tracks the group as COBALT DICKENS) and Proofpoint (TA407) followed these campaigns over several years, noting the consistent timing and the steadily evolving tactics. Malwarebytes' October 2020 report listed 14 targeted universities, Karolinska Institutet among them. Historically, the harvested credentials gave the group access to subscription research databases and institutional repositories, from which valuable academic assets were exfiltrated for commercial resale.

The 2020 campaign marked a notable shift: much of the phishing infrastructure was hosted on servers inside Iran rather than with the international hosting providers the group had relied on before. Takedown requests from Western law enforcement and abuse teams have no leverage over Iranian providers, given the geopolitical situation and the absence of cross-border cooperation, so the sites could stay up for far longer. Malwarebytes confirmed that the Iranian-hosted domains impersonated legitimate university login pages but did not describe any technical countermeasures deployed by the targets. The attacks exploited academic workflows during a period of unusually heavy online activity, as universities ran hybrid teaching models during the COVID-19 pandemic. Financial impact was not quantified, but the historical record established significant losses of proprietary research and copyrighted material. The U.S. indictment had linked the group to Iran's Islamic Revolutionary Guard Corps, alleging that the thefts were carried out on behalf of the Iranian state. No public disclosure from any targeted university described containment actions or credential-reset procedures after the 2020 campaign. Because every step of the chain depends on a harvested password, the practical defences are independent of where the phishing site is hosted: multi-factor authentication on library and SSO portals, and monitoring for newly registered domains that embed the institution's name or its genuine hostnames. Silent Librarian's continued operational security underscores how hard it is to deter state-aligned actors shielded by jurisdictional boundaries.
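The lookalike-domain pattern described above (a genuine portal hostname with a foreign TLD appended, or a close typosquat of the institution's domain) is easy to flag mechanically once the institution's real login hostnames are known. The script below is an added illustration, not code from the page or from any vendor named on it; the institution name `example-univ.edu`, the allowlist and the sample email body are constructed, and the domain-splitting logic is deliberately naive (a production check should use the Public Suffix List).

```python
"""Flag lookalike login URLs in a suspected phishing email against an
allowlist of an institution's real portal hostnames.

Added example; not from the page or any vendor it names. Hostnames,
allowlist and the email body are constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed allowlist: the institution's genuine portal hostnames (hypothetical).
LEGIT_HOSTS = {"login.example-univ.edu", "library.example-univ.edu"}

# Constructed lure in the style the page describes: a library-portal notice whose
# link appends a foreign TLD to the genuine hostname, plus a typosquatted domain.
SAMPLE_EMAIL = """Your library access expires today. Re-activate your account at
https://login.example-univ.edu.me/portal/login.php
Services overview: https://library.example-univ.edu/services
Alternative mirror: http://exarnple-univ.edu/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: a real deployment
    should consult the Public Suffix List so that e.g. example.ac.uk works."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, legit_hosts=LEGIT_HOSTS) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for one hostname."""
    host = host.lower().strip(".")
    legit_domains = {registrable_domain(h) for h in legit_hosts}
    brands = {d.split(".")[0] for d in legit_domains}  # e.g. 'example-univ'
    if host in legit_hosts or registrable_domain(host) in legit_domains:
        return "legitimate"
    # Genuine hostname reused as a prefix under a foreign registrable domain
    # (login.example-univ.edu.me): the pattern the page attributes to this group.
    if any(host.startswith(lh + ".") for lh in legit_hosts):
        return "lookalike"
    # Institution name embedded anywhere in an unrelated domain.
    if any(brand in host for brand in brands):
        return "lookalike"
    # Close typosquat of the registrable label (exarnple-univ). The fixed
    # threshold of 2 suits long labels; scale it down for short brand names.
    sld = registrable_domain(host).split(".")[0]
    if any(levenshtein(sld, brand) <= 2 for brand in brands):
        return "lookalike"
    return "unknown"


def scan_email(body: str):
    """Return [(url, verdict), ...] for every http(s) URL found in the body."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host)))
    return results


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10s} {url}")
```

Run against the constructed email, the first and third links are reported as lookalikes and the second as legitimate. The check is purely lexical; it says nothing about where a site is hosted, which is exactly why it still works when takedown is not an option.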
