Cyber Incident Victim: Göteborgs universitet
Date: Oct 2020
Location: Sweden
Summary
A group of Iranian state-linked hackers known as Silent Librarian targeted academic institutions, including Göteborgs universitet, through phishing campaigns impersonating university portals and associated services. The attackers sent emails directing victims to fraudulent websites, hosted on Iranian servers and therefore immune to international takedown efforts, to harvest login credentials. This group, previously indicted in the US for stealing and reselling academic research via Iranian platforms, continued operations despite legal actions. The campaign exploited lookalike domains and coincided with the academic calendar, reflecting a recurring pattern of attacks aimed at exfiltrating intellectual property and restricted academic materials for commercial gain. The use of domestic infrastructure highlighted jurisdictional challenges in mitigating threats originating from uncooperative regions.
Description
In October 2020, Iranian threat actors known as Silent Librarian resumed phishing campaigns targeting global universities, including Göteborgs universitet, coinciding with the start of the academic year. The group, indicted by the US Department of Justice in March 2018 for attacks dating back to 2013, historically impersonated university portals and library applications through emails containing malicious links. These phishing sites, hosted on domains resembling legitimate university services, harvested victim credentials to infiltrate institutional networks. The attackers used the stolen credentials to access and exfiltrate intellectual property, including unpublished academic research, which they monetized via the Iran-based platforms Megapaper.ir and Gigapaper.ir. Despite the 2018 indictment, the group continued operations from Iran, conducting annual campaigns documented by cybersecurity firms like Secureworks in 2018 and Proofpoint in 2019. The 2020 campaign mirrored previous tactics but introduced Iranian-hosted phishing infrastructure to evade international law enforcement takedowns.

Malwarebytes identified the 2020 attacks as distinct due to the deliberate use of domestic Iranian servers for hosting phishing pages, a shift from prior reliance on global infrastructure. This operational change exploited jurisdictional barriers preventing US or European authorities from disrupting locally hosted domains. The campaign targeted at least 14 universities worldwide, with Göteborgs universitet confirmed among the victims through a published list of spoofed portals. No institutional containment measures or technical mitigations were described in available reporting. The primary impact involved credential theft enabling unauthorized access to academic research repositories, perpetuating the group's long-standing objective of intellectual property theft for commercial resale. The incident underscored persistent challenges in deterring state-aligned threat actors operating from jurisdictions with limited law enforcement cooperation.
