Cyber Incident Victim: King's College London
Date: Oct 2020
Location: United Kingdom
Summary
Iranian state-linked hackers known as Silent Librarian conducted a phishing campaign targeting academic institutions, including King's College London, by deploying fraudulent login portals mimicking university services to harvest credentials. The attackers, previously indicted in the US for stealing and reselling academic research through Iranian-hosted platforms, leveraged domestic infrastructure to evade international takedown efforts. This campaign aimed to compromise university systems to illicitly access and monetize intellectual property and restricted academic materials, continuing a multi-year pattern of seasonal attacks aligned with academic calendars.
Description
In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed phishing campaigns targeting global universities, including King's College London, coinciding with the start of the academic year. The group, active since at least 2013 and indicted by the US Department of Justice in March 2018 for intellectual property theft, employed emails impersonating university portals or affiliated services like library systems. These messages directed victims to fraudulent login pages hosted on domains mimicking legitimate university websites, designed to harvest credentials. Unlike previous campaigns that relied on international infrastructure vulnerable to takedowns, the 2020 operation utilized Iranian-hosted servers, rendering them resistant to removal efforts by Western law enforcement due to geopolitical constraints. Security firm Malwarebytes identified and documented this activity, noting the attackers’ continued focus on stealing unpublished academic research and proprietary data for commercial resale through Iranian platforms Megapaper.ir and Gigapaper.ir. The campaign followed a recurring seasonal pattern observed since 2018, with prior operations documented by Secureworks and Proofpoint. Fourteen institutions were explicitly named in Malwarebytes’ report, with King's College London appearing among the targeted entities alongside other universities in the US, UK, Canada, and Australia.

The attacks compromised institutional login systems, enabling unauthorized access to academic repositories containing sensitive research materials and intellectual property. While the full impact on King's College London remains unspecified, historical context from the 2018 indictment indicates Silent Librarian typically sought to exfiltrate and monetize scholarly articles, datasets, and subscription-based resources. The group’s shift to Iranian infrastructure represented a strategic adaptation to preserve operational continuity, exploiting jurisdictional barriers that prevented coordinated international takedowns. No specific containment measures or remediation efforts by affected universities were detailed in the reporting, though the public disclosure of phishing domains aimed to facilitate internal reviews of email traffic. The incident underscored persistent threats to academic institutions from state-aligned actors pursuing economically motivated espionage, with the 2020 campaign highlighting evolving tactics to circumvent previous countermeasures. US legal actions had failed to disrupt the group’s activities, as members operated with impunity from Iran despite outstanding charges.
