Cyber Incident Victim: University of Kent
Date: Oct 2020
Location: Iran
Summary
Iranian state-linked threat actors known as Silent Librarian targeted a UK university among other global academic institutions through a renewed phishing campaign, deploying fraudulent login pages mimicking legitimate university portals to harvest credentials. The attackers, previously indicted in the US for systematically stealing and reselling academic research, hosted phishing infrastructure on Iranian servers to evade international law enforcement takedowns. This campaign aimed to compromise institutional accounts to access and exfiltrate intellectual property and restricted academic materials for commercial exploitation.
Description
In October 2020, the Iranian threat group known as Silent Librarian resumed its annual phishing campaign targeting global academic institutions, including the University of Kent, coinciding with the start of the new school year. The attackers deployed emails impersonating university portals or affiliated services like library systems, directing recipients to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites, hosted on Iranian infrastructure to evade international law enforcement takedowns, harvested victims' credentials for subsequent exploitation. Security firm Malwarebytes attributed the campaign to Silent Librarian based on infrastructure patterns and historical tactics, noting this group had operated since at least 2013 and faced US indictments in March 2018 for intellectual property theft. Despite the indictments, the group continued attacks from Iran, leveraging bulletproof hosting due to limited cooperation between Western authorities and Iranian law enforcement. The 2020 campaign marked a strategic shift by hosting phishing infrastructure within Iran itself, contrasting with prior operations that relied on global servers vulnerable to disruption.

The attacks compromised university credentials, enabling unauthorized access to academic portals containing proprietary research and pre-publication materials. Silent Librarian historically monetized stolen data through Iranian platforms Megapaper.ir and Gigapaper.ir, which sold illicitly obtained scholarly works. While the article did not specify remediation steps taken by the University of Kent, Malwarebytes published a list of phishing domains and spoofed institutions to assist potential victims in identifying malicious emails. The campaign's timing followed a recurring pattern of autumn attacks documented by Secureworks in 2018 and Proofpoint in 2019, underscoring the group's persistence despite public exposure and legal actions. No data regarding containment measures or specific financial or operational impacts on the University of Kent was disclosed in the source material. The incident highlighted ongoing challenges in deterring state-aligned threat actors operating from jurisdictions with limited international legal collaboration.
