Cyber Incident Victim: Universiteit Utrecht

Date: Oct 2020

Location: Netherlands

Summary

A group of Iranian state-linked hackers known as Silent Librarian targeted Universiteit Utrecht and other academic institutions with phishing campaigns, deploying emails impersonating university portals to harvest login credentials. The attackers hosted fraudulent sites on Iranian infrastructure to evade takedowns, exploiting limited international law enforcement cooperation. This group historically stole intellectual property and unpublished academic research, reselling it through illicit platforms. Despite prior US indictments, the hackers continued annual operations timed with academic calendars, shifting tactics to leverage domestically hosted servers for increased resilience against disruption. The campaign aimed to compromise institutional accounts for unauthorized access to restricted academic materials.

Description

In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed their annual phishing campaigns targeting global academic institutions, including Universiteit Utrecht, coinciding with the start of the new school year. The attackers sent emails impersonating university portals or associated services like library applications, directing victims to fraudulent websites hosted on domains designed to mimic legitimate university URLs. These phishing sites harvested login credentials, enabling unauthorized access to institutional systems. Security firm Malwarebytes attributed the campaign to Silent Librarian, a group historically active since at least 2013 and previously indicted by the U.S. Department of Justice in March 2018 for systematically stealing intellectual property and unpublished academic research from over 100 universities worldwide. The stolen materials were monetized through Iranian-based platforms Megapaper.ir and Gigapaper.ir. Unlike prior campaigns, the 2020 operation utilized phishing infrastructure hosted on Iranian servers, a tactical shift intended to evade international law enforcement takedowns due to jurisdictional barriers.

The incident impacted multiple universities listed in Malwarebytes’ report, with compromised credentials potentially exposing sensitive research data and institutional systems. Silent Librarian’s persistent operations despite U.S. indictments highlighted the group’s resilience, attributed to its members operating from Iran beyond extradition reach. Previous campaigns in 2018 and 2019 were documented by Secureworks and Proofpoint, respectively, but the 2020 attacks marked a notable escalation in operational security through localized hosting. No specific mitigation actions by Universiteit Utrecht were detailed in public reports, though Malwarebytes disclosed phishing domains to aid retrospective email reviews by affected institutions. The campaign underscored ongoing threats to academic research integrity, with attackers exploiting seasonal academic cycles and institutional trust in digital services. Consequences included potential long-term risks of academic espionage and unauthorized data resale, compounded by the absence of effective cross-border legal recourse against state-aligned threat actors.
