Cyber Incident Victim: Stony Brook University
Date: Oct 2020
Location: United States of America
Summary
A university was targeted in a phishing campaign by the Iranian state-linked threat actor known as Silent Librarian, which sent emails impersonating legitimate university portals to harvest login credentials. The attackers hosted their fraudulent domains on Iranian infrastructure to resist takedowns and used the stolen logins to access academic research and intellectual property for resale through illicit platforms. The activity continued the group's long-running operations despite prior indictments, with persistent credential theft as the means of harvesting sensitive scholarly material.
Description
In October 2020, security researchers identified a renewed phishing campaign by the Iranian threat group Silent Librarian targeting universities worldwide, including Stony Brook University. The timing coincided with the start of the academic year, a pattern consistent with the group's operations since at least 2013. The attackers sent emails impersonating university portals or affiliated services such as library systems, steering recipients to fraudulent login pages on domains crafted to mimic each institution's own websites. For Stony Brook University, the phishing domain "stonybrookuniversity[.]ir" impersonated the institution's SOLAR student administration system. Because these domains were registered under Iran's .ir top-level domain and hosted on Iranian infrastructure, takedown requests depended on cooperation that Iranian registrars and law enforcement do not provide, so the lure sites stayed online far longer than lookalike domains in other jurisdictions typically do. This marked a tactical shift: Silent Librarian had historically used infrastructure outside Iran, and the move to domestic hosting was a deliberate way to evade disruption.
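The technique described above is brand impersonation on a lookalike domain rather than a software exploit, so the practical detection is on the mail gateway or proxy side: pull every URL out of the log, reduce its host to a registrable domain, and flag hosts that carry the institution's brand string but are not on the institution's own domain allowlist, with extra weight when the domain sits under .ir or imitates a portal name such as SOLAR or a library login. The script below is an added example written for this page, not code from Malwarebytes or Stony Brook University; the allowlist, brand and portal token lists are assumptions chosen for the example, and the log lines are constructed, with only the registrable domain stonybrookuniversity[.]ir taken from the write-up. It also handles the subdomain trick (`stonybrook.edu.evil.ir`), which the naive "does it contain stonybrook.edu" check misses.

```python
import re
from urllib.parse import urlparse

# Allowlist of the institution's own registrable domains. Assumption for this
# example; a real deployment would load the organisation's domain inventory.
LEGIT_DOMAINS = {"stonybrook.edu"}
# Brand string an impersonating host has to carry to look convincing (assumed).
BRAND_TOKENS = ("stonybrook",)
# Portal names the lures imitate: SOLAR, library systems, single sign-on (assumed).
PORTAL_TOKENS = ("solar", "library", "sso", "login", "signin")

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed mail-gateway log lines. Only the registrable domain
# stonybrookuniversity[.]ir comes from the incident write-up; every other
# sender, subject, path and timestamp here is invented for the example.
SAMPLE_MAIL_LOG = """\
2020-10-05T08:14:22Z from=noreply@stonybrook.edu subj="Library hours" url=https://library.stonybrook.edu/hours
2020-10-05T08:16:40Z from=solar-admin@stonybrookuniversity.ir subj="SOLAR: verify your account" url=https://stonybrookuniversity.ir/solar/login
2020-10-05T08:20:03Z from=news@example.org subj="Newsletter" url=https://example.org/newsletter
2020-10-05T08:21:55Z from=helpdesk@stony-brook-sso.ir subj="Password expires today" url=https://stony-brook-sso.ir/signin
"""


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels, e.g. 'stonybrookuniversity.ir'.

    Good enough for .edu/.ir; use the Public Suffix List in production so
    that hosts under e.g. .ac.uk are split correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def assess_url(url: str) -> dict:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated' to the brand."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reg = registrable_domain(host)
    # Flatten separators so 'stony-brook.ir' still matches 'stonybrook'.
    flat_host = host.replace("-", "").replace(".", "")
    finding = {"url": url, "host": host, "registrable": reg, "reasons": []}

    # Only the registrable domain decides legitimacy: 'stonybrook.edu.evil.ir'
    # reduces to 'evil.ir' and therefore does not pass this check.
    if reg in LEGIT_DOMAINS:
        finding["verdict"] = "legitimate"
        return finding

    if not any(tok in flat_host for tok in BRAND_TOKENS):
        finding["verdict"] = "unrelated"
        return finding

    finding["reasons"].append("brand string in a host outside the allowlist")
    if reg.endswith(".ir"):
        finding["reasons"].append("registered under .ir, the TLD this campaign moved to")
    if any(tok in host or tok in path for tok in PORTAL_TOKENS):
        finding["reasons"].append("imitates a login or portal name")
    finding["verdict"] = "lookalike"
    return finding


def scan_log(lines) -> list:
    """Return lookalike findings (with 1-based line numbers) for every URL seen."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            result = assess_url(url)
            if result["verdict"] == "lookalike":
                result["line"] = lineno
                findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_MAIL_LOG.splitlines()):
        print(f"line {f['line']}: {f['registrable']} -> {'; '.join(f['reasons'])}")
```

Run against the constructed log, lines 2 and 4 are flagged and lines 1 and 3 are not. The verdict deliberately keys on the registrable domain rather than on substring matching of the legitimate domain, because a lure under a registrar that ignores takedowns can carry any prefix it likes. A flagged domain is a reason to block the URL at the gateway and to check authentication logs for logins following clicks; it does not by itself prove compromise.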

The goal was to harvest credentials, use them to log in to university systems, and steal intellectual property, including unpublished academic research and proprietary data, which the group has historically resold through Iranian platforms such as Megapaper.ir. The full impact on Stony Brook University was not publicly quantified. For scale, the 2018 U.S. Department of Justice indictment of nine Iranian nationals tied to Silent Librarian (operating as the Mabna Institute) charged them with stealing "scientific articles and other academic materials" that the affected universities had spent approximately $3.4 billion to procure and access. Despite the indictment, the group continued operating from Iran unabated. Malwarebytes disclosed the campaign, including the phishing domains, so that institutions could review potentially malicious emails, but noted no coordinated technical response or containment measures by the affected universities. The incident underscores how exposed academic institutions remain to credential harvesting, and the difficulty of prosecuting threat actors sheltered by geopolitical boundaries.
