Cyber Incident Victim: University of Cambridge
Date: Oct 2020
Location: Iran
Summary
A University of Cambridge-related incident involved Iranian state-linked hackers known as Silent Librarian conducting phishing campaigns against academic institutions. The attackers sent emails impersonating university portals or services, directing victims to fraudulent websites hosted on Iranian infrastructure in order to harvest login credentials. Hosting on Iranian infrastructure frustrated takedown attempts because of jurisdictional limitations. The group has historically stolen intellectual property and access-restricted academic materials and resold them through illicit platforms. The campaign fit the group's pattern of seasonal attacks timed to academic calendars, but differed in its use of domestic servers to make its operations resilient against international law enforcement. The activity was part of broader, repeated efforts to compromise university systems worldwide for financial gain from stolen research and proprietary data.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In October 2020, the Iranian threat group Silent Librarian resumed its annual phishing campaign targeting global universities, including the University of Cambridge, coinciding with the start of the academic year. The attackers sent emails impersonating university portals or affiliated services like library applications, directing victims to fraudulent websites hosted on domains designed to mimic legitimate university URLs. These phishing sites harvested login credentials when users attempted to authenticate. Security firm Malwarebytes attributed the campaign to Silent Librarian, noting a tactical shift: the group hosted some phishing infrastructure on servers within Iran, complicating takedown efforts due to limited international law enforcement cooperation. This group had operated since at least 2013, with documented campaigns in 2018 and 2019, and was indicted by the U.S. Department of Justice in March 2018 for systematically stealing academic research and intellectual property. Despite the indictment, members remained active in Iran, continuing biannual attacks timed to academic cycles. The 2020 campaign specifically targeted 14 institutions, with Cambridge listed among the victims in Malwarebytes’ disclosure. Attackers leveraged lookalike domains such as "cambridg[.]ac[.]uk-news[.]co" to impersonate Cambridge’s legitimate "cam.ac.uk" domain, though the article did not confirm whether Cambridge credentials were successfully exfiltrated.

The primary impact of Silent Librarian’s operations involved the theft and resale of proprietary academic research through Iranian platforms like Megapaper.ir and Gigapaper.ir, undermining intellectual property rights and institutional security. Universities faced reputational risks and potential financial losses from compromised accounts, though specific consequences for Cambridge were not detailed in the source material. Malwarebytes and prior researchers like Secureworks and Proofpoint tracked the group’s activities, with the 2020 campaign documented through technical analysis of phishing infrastructure and domain patterns. No containment or remediation actions by Cambridge or other affected institutions were described, but the persistent use of Iranian hosting highlighted jurisdictional challenges in disrupting the group. The U.S. indictment remained unenforced against the Iran-based actors, allowing continued operations. Historical evidence showed the group prioritized harvesting credentials from university portals to access restricted academic materials, suggesting similar objectives in the 2020 attacks. The campaign’s annual recurrence demonstrated the group’s reliance on predictable academic timelines to maximize credential theft opportunities.
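The description above turns on one detectable artefact: lookalike domains such as "cambridg[.]ac[.]uk-news[.]co" that embed the real academic suffix "ac.uk" inside an unrelated registrable domain and misspell the institution's name. The following is an added example (not code from the original record, Malwarebytes, or any other researcher named on the page) of the kind of triage check a university security team could run over link hosts extracted from reported phishing emails. The protected domain "cam.ac.uk" is taken from the page; the brand words, the edit-distance thresholds, and the sample hosts (other than the one quoted on the page) are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Legitimate institutional domain to protect (stated on the page).
LEGIT_DOMAIN = "cam.ac.uk"
# Public suffix of the legitimate domain; attackers embed it as an infix
# ("...ac.uk-news.co") to make a host look academic. Assumed for the example.
LEGIT_SUFFIX = "ac.uk"
# Brand words an impersonating host is likely to imitate (assumed).
BRAND_WORDS = ("cambridge", "cam")


def defang(host: str) -> str:
    """Undo common defanging ("[.]", "hxxp") and normalise case."""
    return host.replace("[.]", ".").lower().strip(". ")


def is_legit(host: str) -> bool:
    """True only if the host is the protected domain or a subdomain of it."""
    d = defang(host)
    return d == LEGIT_DOMAIN or d.endswith("." + LEGIT_DOMAIN)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _embedded_suffix(d: str) -> bool:
    """The academic suffix appears inside a host that does not end in it."""
    infix = LEGIT_SUFFIX in d or LEGIT_SUFFIX.replace(".", "-") in d
    return infix and not d.endswith("." + LEGIT_SUFFIX)


def lookalike_reasons(host: str) -> List[str]:
    """Return human-readable reasons a host looks like an impersonation.

    An empty list means the host is either genuinely under the protected
    domain or shows none of the patterns checked here.
    """
    d = defang(host)
    if is_legit(d):
        return []
    reasons: List[str] = []
    if _embedded_suffix(d):
        reasons.append(f"suffix '{LEGIT_SUFFIX}' embedded in a host not under it")
    # Split on dots and hyphens so "cambridg.ac.uk-news.co" yields "cambridg".
    for label in re.split(r"[.-]", d):
        if not label:
            continue
        for brand in BRAND_WORDS:
            # Short brand words must match exactly; longer ones tolerate
            # a couple of edits (len // 4 => 2 for "cambridge", 0 for "cam").
            if levenshtein(label, brand) <= len(brand) // 4:
                reasons.append(f"label '{label}' resembles brand word '{brand}'")
    return reasons


def host_of(url: str) -> str:
    """Extract the host from a (possibly defanged) URL without urlparse,
    which rejects '[' in the netloc."""
    stripped = re.sub(r"^[a-z]+://", "", defang(url))
    return stripped.split("/")[0].split(":")[0]


def triage_links(urls: List[str]) -> Dict[str, List[str]]:
    """Map each reported URL to the reasons its host looks suspicious."""
    return {u: lookalike_reasons(host_of(u)) for u in urls}


# Constructed sample of links as they might be reported from user inboxes.
# Only the "cambridg[.]ac[.]uk-news[.]co" host comes from the page.
SAMPLE_LINKS = [
    "https://lib.cam.ac.uk/login",
    "hxxps://cambridg[.]ac[.]uk-news[.]co/login",
    "http://cambridge-library-login.example/portal",
    "https://news.bbc.co.uk/",
]

if __name__ == "__main__":
    for url, why in triage_links(SAMPLE_LINKS).items():
        verdict = "SUSPECT" if why else "ok"
        print(f"{verdict:8} {url}  {'; '.join(why)}")
```

Run over a mail gateway's URL log or a user-reported phishing queue, the non-empty entries are the ones worth a second look; a match is a hint for an analyst, not proof, and the brand-word list and thresholds should be tuned to the institution's own domains to keep false positives down.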
