Cyber Incident Victim: McGill University
Date: Oct 2020
Location: Canada
Summary
A group of Iranian state-linked hackers known as Silent Librarian conducted phishing campaigns against academic institutions, including McGill University, by impersonating legitimate university portals and services to steal login credentials. The attackers hosted phishing infrastructure on Iranian servers to evade international law enforcement takedowns, leveraging stolen credentials to access and resell intellectual property and restricted academic materials through illicit platforms. This activity represented a continuation of the group's long-standing operations targeting global universities, with campaigns typically timed around academic calendars to maximize credential harvesting opportunities.
Description
In October 2020, cybersecurity firm Malwarebytes identified a resurgence of phishing campaigns targeting universities globally, including McGill University, orchestrated by the Iranian threat group Silent Librarian. The attacks coincided with the start of the academic year, a pattern consistent with the group’s operations since at least 2013. Attackers sent emails impersonating university portals or affiliated services like library applications, directing recipients to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites harvested user credentials, enabling unauthorized access to institutional systems. Unlike prior campaigns, the 2020 operation utilized servers hosted in Iran, which complicated takedown efforts due to limited international law enforcement cooperation. Silent Librarian, indicted by the U.S. Department of Justice in 2018 for intellectual property theft spanning hundreds of universities, remained active despite legal actions, continuing to target academic institutions from its base in Iran. The group’s infrastructure included lookalike domains tailored to each target, with McGill University among the 14 institutions explicitly named in Malwarebytes’ report alongside the associated phishing URLs.

The attacks aimed to compromise university accounts to steal academic research, proprietary data, and limited-release publications, which the group historically sold through Iranian-based platforms like Megapaper.ir and Gigapaper.ir. Credential theft exposed affected institutions to data breaches, intellectual property loss, and potential downstream attacks leveraging compromised accounts. The hosting of phishing infrastructure within Iran rendered conventional remediation measures ineffective, as local authorities did not cooperate with foreign takedown requests. Historical evidence from Secureworks and Proofpoint indicated Silent Librarian consistently timed campaigns to exploit periods of high academic activity, such as enrollment or exam cycles. While the 2020 campaign’s direct impact on McGill University was not quantified in public reports, the group’s prior activities demonstrated systematic extraction and monetization of stolen academic materials. No public disclosures detailed McGill-specific containment or remediation actions, though the broader campaign’s exposure by Malwarebytes provided targeted institutions with indicators of compromise for retrospective analysis. Silent Librarian’s uninterrupted operations underscored the challenges of deterring state-aligned threat actors shielded by jurisdictional boundaries.
