Cyber Incident Victim: University of Bristol

Date: Oct 2020

Location: United Kingdom

Summary

A group of Iranian state-linked hackers known as Silent Librarian conducted phishing campaigns targeting academic institutions, including the University of Bristol, by impersonating university portals and library services through fraudulent emails and lookalike domains. The attackers harvested login credentials to steal intellectual property and restricted academic materials, later reselling them via Iran-based platforms. Unlike previous operations, this campaign utilized Iranian-hosted phishing infrastructure to evade international law enforcement takedowns, exploiting limited cross-border cooperation. The group, previously indicted in the US for similar global attacks dating back to 2013, resumed activities coinciding with the academic calendar, focusing on credential theft and unauthorized access to proprietary research.


Description

In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed a recurring campaign of cyberattacks targeting global universities, including the University of Bristol. The group deployed phishing emails impersonating legitimate university portals and associated services such as library applications. These emails directed recipients to fraudulent websites hosted on domains designed to mimic authentic university URLs, where victims’ login credentials were harvested. Security firm Malwarebytes attributed the attacks to Silent Librarian, a group historically active since 2013 and indicted by the US Department of Justice in March 2018 for systematically stealing academic research and intellectual property. The hackers monetized stolen materials through Iran-based platforms Megapaper.ir and Gigapaper.ir, selling proprietary academic works. Unlike prior campaigns, the 2020 operation utilized phishing infrastructure hosted on Iranian servers, rendering takedown efforts by Western law enforcement ineffective due to jurisdictional barriers. The attacks coincided with the start of the academic year, a pattern consistent with the group’s 2018 and 2019 campaigns documented by Secureworks and Proofpoint.

The University of Bristol was among 14 institutions explicitly named as targets in the 2020 campaign, with attackers registering deceptive domains to impersonate its services. While the article did not specify whether Bristol suffered confirmed data breaches, Silent Librarian’s established tactics aimed to compromise university portals to exfiltrate unpublished research and restricted academic resources. The group’s operations caused systemic risks to intellectual property integrity across the education sector, with stolen materials repurposed for commercial gain. No institutional remediation efforts by Bristol were detailed in the source material. The US indictments highlighted the group’s persistent evasion of legal consequences, operating from Iran with impunity despite international charges. The shift to Iranian hosting in 2020 demonstrated an adaptation to preserve operational continuity against countermeasures, underscoring the campaign’s resilience and the challenges of cross-border cybercrime enforcement.
