Cyber Incident Victim: University of North Texas
Date: Oct 2020
Location: United States of America
Summary
A group of Iranian state-linked hackers known as Silent Librarian conducted phishing campaigns targeting academic institutions, including the University of North Texas, by impersonating university portals and associated services through deceptive emails and lookalike domains. The attackers harvested login credentials to steal intellectual property and restricted academic materials, later reselling them via Iran-based platforms. This campaign utilized infrastructure hosted within Iran to evade international law enforcement takedowns, marking a shift from previous operations. The group, previously indicted in the US for similar global attacks dating back years, continued operations despite legal actions, typically escalating activity around academic calendar cycles.
Description
In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed their annual campaign targeting global academic institutions, including the University of North Texas. The group deployed phishing emails impersonating university portals and library applications, directing victims to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites harvested credentials to compromise institutional accounts. Unlike previous campaigns, the 2020 operation utilized servers hosted in Iran, rendering them resistant to takedown requests from Western law enforcement agencies due to geopolitical tensions. Security firm Malwarebytes attributed the attacks to Silent Librarian based on infrastructure patterns and historical tactics, noting the group's consistent focus on academic targets during fall semesters when university activity peaks. The hackers had operated since at least 2013, with prior campaigns documented by Secureworks in 2018 and Proofpoint in 2019. A March 2018 U.S. Department of Justice indictment had previously charged Silent Librarian members with stealing intellectual property and proprietary academic research from over 100 universities worldwide, though the hackers remained active from Iran.

The compromised credentials enabled unauthorized access to university systems containing academic research, limited-release publications, and intellectual property. Silent Librarian monetized stolen materials through the Iran-based portals Megapaper.ir and Gigapaper.ir, which sold illicit access to paywalled scholarly resources. While the full impact on individual institutions like the University of North Texas wasn't quantified, Malwarebytes published phishing domain indicators specifically associated with the university to assist in identifying compromised accounts. No institutional remediation efforts were detailed in available reports, but the historical indictment highlighted prior law enforcement attempts to disrupt the group’s operations through legal channels. The persistent annual timing of attacks coincided with academic calendars, suggesting strategic planning around periods of heightened university system usage. Security researchers emphasized the operational shift toward Iranian-hosted infrastructure as a deliberate evasion tactic, exploiting jurisdictional barriers that prevented coordinated international response efforts against the threat actors.
