Cyber Incident Victim: La Trobe University

Date: Oct 2020

Location: Australia

Summary

A cyber incident targeting La Trobe University involved Iranian state-linked threat actors known as Silent Librarian conducting phishing campaigns impersonating university portals and associated services. The attackers deployed emails containing links to fraudulent websites hosted on Iranian infrastructure, designed to harvest login credentials and facilitate intellectual property theft for resale on illicit platforms. This group, previously indicted for similar global academic attacks, shifted tactics by leveraging servers hosted in Iran to evade international law enforcement takedowns, exploiting geopolitical barriers to cooperation. The campaign aimed to compromise academic accounts and steal restricted research materials as part of a broader seasonal pattern of attacks coinciding with the start of the school year.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed targeted phishing campaigns against global universities coinciding with the start of the academic year. This group, active since at least 2013 and indicted by the US Department of Justice in March 2018 for intellectual property theft, historically attacked educational institutions each fall. Their 2020 campaign involved emails impersonating university portals or affiliated services like library systems, directing victims to fraudulent login pages hosted on domains resembling legitimate university websites. These phishing sites harvested credentials to compromise institutional accounts. Unlike previous operations that relied on internationally hosted infrastructure vulnerable to takedowns, the 2020 attacks leveraged Iranian servers to evade law enforcement intervention due to limited cross-border cooperation. Security firm Malwarebytes attributed the campaign to Silent Librarian based on consistent tactics, infrastructure patterns, and historical activity timelines.

The attackers sought unauthorized access to academic research portals and preprint repositories containing proprietary intellectual property. According to US indictments, stolen materials were monetized through Iranian-based platforms Megapaper.ir and Gigapaper.ir, which sold illicitly obtained scholarly articles. The 2020 campaign impacted at least 14 universities globally, though specific institutional remediation efforts were not detailed in public reporting. Malwarebytes published the associated phishing domains to enable retrospective email log reviews by potential victims. No data theft volumes or financial losses were quantified. The group’s continued operations despite prior exposure highlighted jurisdictional challenges in prosecuting threat actors shielded by hostile nations. Technical defenses relied on external threat intelligence sharing, as the attacks were detected through vendor analysis of phishing infrastructure rather than victim disclosures.
