Cyber Incident Victim: University of Lincoln
Date: Oct 2020
Location: United Kingdom
Summary
A group of Iranian state-linked hackers known as Silent Librarian targeted the University of Lincoln among other academic institutions through phishing campaigns impersonating university portals and services. The attackers deployed emails containing links to fraudulent websites hosted on Iranian servers—deliberately evading international takedown efforts—to harvest login credentials. This group, previously indicted in the US for stealing and reselling academic research via Iranian platforms, historically timed attacks to coincide with academic calendars. The compromised credentials enabled theft of intellectual property and restricted academic materials, which were monetized through illicit document sales. The incident reflects the persistent threat posed by this actor to global educational entities.
Description
The Silent Librarian cyber-espionage group, linked to Iranian actors and previously indicted by US authorities in March 2018 for global academic attacks since 2013, resumed operations targeting universities worldwide in October 2020. This campaign coincided with the start of the new academic year, continuing a pattern of seasonal phishing offensives documented in 2018 and 2019 by security firms Secureworks and Proofpoint respectively. Attackers deployed emails impersonating legitimate university communications, containing links to fraudulent portals mimicking institutional services like library access or course management systems. These phishing sites, hosted on domains visually resembling authentic university URLs, harvested login credentials when victims entered their authentication details. The University of Lincoln was among fourteen confirmed targets, with attackers registering deceptive domains to facilitate credential theft. Historical evidence from US indictments indicated compromised credentials enabled intellectual property theft, particularly pre-publication academic research sold through Iranian platforms Megapaper.ir and Gigapaper.ir.

The 2020 campaign diverged from prior operations through the group’s use of Iranian-hosted infrastructure for phishing sites, a tactical shift attributed to evasion of international law enforcement takedowns due to geopolitical constraints. Malwarebytes identified this hosting choice as a deliberate bulletproofing measure, exploiting jurisdictional barriers between Western authorities and Iranian regulators. No specific breach disclosures or containment actions by the University of Lincoln were detailed in available reporting, though the campaign’s broad targeting suggested credential compromise risks requiring institutional review of authentication logs and phishing reports. The group’s sustained activity despite indictments demonstrated operational resilience, with attacks systematically timed to exploit academic calendar transitions when university communities expect service-related communications. Historical data theft patterns implied potential long-term risks of academic espionage and unauthorized access to proprietary research repositories through compromised accounts.
