Cyber Incident Victim: York University

Date: Oct 2020

Location: Canada

Summary

Iranian state-linked threat actors known as Silent Librarian targeted multiple academic institutions, including York University, through a renewed phishing campaign. The attackers deployed emails impersonating university portals and library services, directing victims to fraudulent websites hosted on Iranian infrastructure to harvest login credentials. This campaign marked a tactical shift by leveraging domestically hosted phishing servers to evade international takedown efforts. The group historically stole intellectual property and restricted academic materials from compromised university systems, reselling them via Iranian platforms. Despite prior US indictments against its members for global academic attacks dating back several years, the group continued operations targeting educational entities during seasonal academic cycles.

Description

In October 2020, Iranian state-sponsored hackers operating under the codename Silent Librarian resumed targeted phishing campaigns against global academic institutions, continuing a pattern of annual attacks timed to coincide with the start of the new school year. The group, previously indicted by the U.S. Department of Justice in March 2018 for attacks dating back to 2013, employed emails impersonating university portals or affiliated services like library applications. These messages directed victims to fraudulent login pages hosted on domains designed to mimic legitimate university websites, where credentials were harvested. Historical analysis by cybersecurity firms including Secureworks and Proofpoint documented similar campaigns in 2018 and 2019, with attackers systematically stealing intellectual property and pre-publication academic research to resell through Iranian-based platforms Megapaper.ir and Gigapaper.ir. The 2020 campaign maintained this operational objective but introduced a critical infrastructure shift by hosting phishing sites on servers within Iran, a departure from prior tactics.

Malwarebytes researchers identified this change as a deliberate effort to leverage jurisdictional barriers that prevented U.S. or European law enforcement from disabling the attack infrastructure. The phishing domains targeted at least 14 universities globally, though specific institutional names beyond the referenced platforms were not disclosed in available reporting. Impacts centered on credential compromise enabling unauthorized access to academic portals containing proprietary research and restricted materials, facilitating ongoing intellectual property theft. No victim-led containment measures or technical mitigations were described in source material. The U.S. indictment remained unenforced against group members operating from Iran, allowing continued operations despite public attribution. This incident underscored persistent challenges in deterring state-aligned threat actors exploiting geopolitical boundaries to shield cyber operations targeting academic research ecosystems.
