Cyber Incident Victim: Queen Mary University of London
Date: Oct 2020
Location: United Kingdom
Summary
Iranian state-linked hackers known as Silent Librarian targeted academic institutions with phishing campaigns, deploying fraudulent login pages hosted on Iranian servers to evade takedowns. The attackers stole credentials to infiltrate university portals, exfiltrating intellectual property and unpublished academic research for resale through illicit platforms. This group, previously indicted in the US, continued operations despite legal actions, adapting tactics to leverage jurisdictional barriers.
Description
In October 2020, the Iranian threat group known as Silent Librarian resumed its annual campaign of cyberattacks targeting global academic institutions, coinciding with the start of the new school year. The group deployed phishing emails impersonating university portals and associated applications such as library services. These emails contained links to fraudulent websites hosted on domains designed to mimic legitimate university URLs, with the sole purpose of harvesting login credentials. Unlike previous campaigns, the attackers hosted some phishing infrastructure on servers located within Iran, a strategic shift intended to evade international law enforcement takedown efforts due to the lack of judicial cooperation between Iran and Western nations. Security firm Malwarebytes documented this activity, noting the group’s continuity in tactics despite prior exposure. The campaign impacted multiple universities, though specific institutional breaches beyond the general targeting methodology were not publicly disclosed in available reporting. Historical context indicates these attacks consistently aimed to steal intellectual property and pre-publication academic research, which the group monetized through Iran-based portals such as Megapaper.ir and Gigapaper.ir.

Silent Librarian’s operations dated back to at least 2013, with the US Department of Justice indicting several members in March 2018 for systematic attacks against universities worldwide. Despite these indictments, the group remained active from Iran, conducting seasonal phishing campaigns each fall. The 2020 attacks mirrored earlier patterns observed in 2018 and 2019, as documented by Secureworks and Proofpoint, but marked a technical evolution through the use of domestic infrastructure to hinder disruption. Malwarebytes identified 14 distinct phishing domains impersonating legitimate university services during this campaign, though it did not specify whether all targeted institutions suffered confirmed compromises. The primary impact centered on credential theft enabling unauthorized access to academic portals containing proprietary research and scholarly materials. No institutional remediation efforts or technical countermeasures were detailed in the available source material, though security researchers emphasized the importance of scrutinizing suspicious emails to mitigate risks. The group’s persistence underscored challenges in deterring state-aligned threat actors operating from jurisdictions resistant to international legal cooperation.
