Cyber Incident Victim: University of Adelaide Library
Date: Oct 2020
Location: Australia
Summary
Iranian state-linked hackers known as Silent Librarian conducted a phishing campaign targeting the University of Adelaide Library and other academic institutions, deploying emails containing links to fraudulent university portals and library applications. These phishing sites, hosted on Iranian servers to evade international takedowns, harvested victims' login credentials through lookalike domains. The group historically stole intellectual property and restricted academic materials from compromised university systems, later reselling the content on their own platforms. This activity represented a continuation of their seasonal attacks coinciding with academic calendars, though the 2020 campaign notably leveraged infrastructure hosted inside Iran to exploit jurisdictional barriers in law enforcement cooperation.
Description
In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed a recurring campaign of phishing attacks targeting global academic institutions, including the University of Adelaide Library. The attacks coincided with the start of the academic year, following a pattern established since at least 2013. The group sent emails impersonating university portals or library applications, directing victims to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites harvested user credentials, enabling unauthorized access to institutional systems. Security firm Malwarebytes attributed the campaign to Silent Librarian, noting the hackers' infrastructure shift to Iranian-hosted servers—a tactical change from previous operations—to evade international law enforcement takedowns due to geopolitical constraints. The group had previously been indicted by the U.S. Department of Justice in March 2018 for systematically stealing intellectual property and proprietary academic research from over 100 universities worldwide, though members remained active in Iran.

The 2020 attacks focused on harvesting credentials to infiltrate university networks and exfiltrate unpublished academic works, research data, and intellectual property. Stolen materials were monetized through Iranian-based portals Megapaper.ir and Gigapaper.ir, which sold the content to third parties. Malwarebytes documented the campaign but did not specify containment measures taken by affected institutions. Historical analysis by Secureworks and Proofpoint showed Silent Librarian consistently timed operations to academic calendars, exploiting periods of heightened institutional activity. The shift to Iranian hosting infrastructure demonstrated operational adaptation to preserve attack continuity despite prior exposure. No data regarding specific compromises at the University of Adelaide Library was disclosed in public reporting, though the campaign's broad targeting of academic libraries placed it within the threat landscape. The incident underscored persistent threats to academic research integrity and the challenges of mitigating state-aligned cyber operations shielded by jurisdictional boundaries.
