
Cyber Incident Victim: Glasgow Caledonian University

Date:

Oct 2020

Location:

United Kingdom

Summary

A university was targeted in a phishing campaign by Iranian state-linked hackers known as Silent Librarian, who impersonated legitimate portals to steal credentials. The attackers historically sold stolen academic materials through their own platforms and hosted recent operations on Iranian servers to evade takedowns, exploiting limited law enforcement cooperation.

CIA Posture: available to members
Motives: 1 motive (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In October 2020, Iranian threat actors known as Silent Librarian resumed their annual phishing campaigns targeting global academic institutions, including Glasgow Caledonian University. The group, indicted by the US Department of Justice in March 2018 for attacks dating back to 2013, historically launched operations each fall coinciding with the start of the academic year. Their 2020 campaign involved emails impersonating university portals or affiliated services like library systems, directing recipients to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites harvested institutional credentials, enabling unauthorized access to academic portals containing intellectual property and pre-publication research materials. Silent Librarian had previously monetized stolen data through Iranian-based platforms Megapaper.ir and Gigapaper.ir, which sold illicitly obtained scholarly works. Despite the 2018 indictment, the group continued operating from Iran with impunity, leveraging the absence of extradition agreements and limited international law enforcement cooperation.


The 2020 attacks featured a strategic shift with Silent Librarian hosting phishing infrastructure on Iranian servers, complicating takedown efforts by Western authorities. Security firm Malwarebytes documented this operational change, noting the group exploited geopolitical barriers to create bulletproof hosting conditions. Glasgow Caledonian University was explicitly named among fourteen global targets, with attackers registering the domain "glasgowcaledonian.iranian-cc[.]ir" to impersonate the legitimate "glasgowcaledonian.ac.uk" web presence. The campaign's timing aligned with academic calendars to maximize credential theft opportunities as students and faculty returned to campus activities. While the scale of compromised accounts at Glasgow Caledonian remained unspecified, historical patterns indicated objectives centered on exfiltrating restricted research materials for commercial resale. No institutional containment measures or incident response details were disclosed in available reporting. The operation exemplified persistent state-aligned threats to academic research infrastructure, exploiting jurisdictional limitations to evade prosecution despite public attribution and criminal charges.

Sources

1 source (available to members)