Cyber Incident Victim: Victoria University

Date: Oct 2020

Location: United States of America

Summary

A group of Iranian state-linked hackers known as Silent Librarian resumed phishing campaigns targeting universities globally, including Victoria University, by deploying credential-harvesting sites mimicking legitimate academic portals. The attackers used Iranian-hosted infrastructure to evade takedowns, distributing emails with links to spoofed domains that captured login details. This group, previously indicted for intellectual property theft, historically stole and resold academic research through illicit platforms. Recent campaigns demonstrated operational adaptation by leveraging jurisdictional barriers to hinder law enforcement responses, continuing their pattern of seasonal attacks aligned with academic calendars to compromise institutional credentials and proprietary data.

Description

In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed targeted phishing campaigns against global universities, including Victoria University, coinciding with the start of the academic year. The group, active since at least 2013 and indicted by the U.S. Department of Justice in March 2018 for intellectual property theft, employed emails impersonating legitimate university portals or affiliated services like library systems. These messages directed victims to fraudulent login pages hosted on domains designed to mimic legitimate university websites, such as "victoriauniv[.]com" instead of the authentic "victoria.ac.uk." The phishing infrastructure was notably hosted on Iranian servers, a departure from previous campaigns, rendering takedown efforts by Western law enforcement ineffective due to jurisdictional barriers. Security firm Malwarebytes attributed the attacks to Silent Librarian based on infrastructure patterns, victimology, and historical tactics. The group’s objective remained consistent: harvesting credentials to infiltrate university networks and steal unpublished academic research, proprietary data, and intellectual property, which they monetized through Iranian-based platforms like Megapaper.ir.

The attacks impacted multiple universities globally, compromising faculty and student accounts to access restricted academic materials. Silent Librarian’s operations caused direct financial and reputational harm to institutions through theft of valuable research, though specific losses at Victoria University were not quantified in public reports. No containment or remediation measures by the targeted universities were detailed; however, Malwarebytes disclosed the phishing domains to enable internal investigations. The persistent threat underscored the group’s operational resilience despite U.S. indictments, as they continued exploiting geopolitical boundaries to evade prosecution. The 2020 campaign highlighted ongoing vulnerabilities in academic cybersecurity postures and the limitations of international legal frameworks in deterring state-aligned threat actors operating from non-cooperative jurisdictions.
