Cyber Incident Victim: Technische Hochschule Mittelhessen
Date: Oct 2020
Location: Germany
Summary
Iranian state-linked threat actors known as Silent Librarian targeted TH Mittelhessen University of Applied Sciences and other academic institutions through a renewed phishing campaign, deploying emails impersonating university portals and library services to harvest credentials. The attackers employed Iranian-hosted infrastructure to evade international law enforcement takedowns, a tactical shift from previous operations. This group historically compromised academic systems to steal and monetize intellectual property, including proprietary research and pre-publication materials, reselling them through Iranian platforms. Despite prior US indictments against the hackers, the group continued operations with seasonal attacks timed to academic calendars, leveraging geopolitical barriers to prosecution.
Description
In October 2020, Iranian threat actors known as Silent Librarian resumed phishing campaigns targeting academic institutions globally, continuing a pattern of annual attacks timed to the start of the school year. The group deployed emails impersonating university portals or associated services like library applications, directing recipients to fraudulent login pages hosted on domains designed to mimic legitimate university websites. These phishing sites harvested credentials, enabling unauthorized access to institutional systems. Security firm Malwarebytes attributed the campaign to Silent Librarian based on infrastructure overlaps and historical tactics, noting the group’s operational continuity despite a 2018 US indictment against its members for intellectual property theft dating back to 2013. The attackers exploited compromised credentials to steal restricted academic research and proprietary data, which they monetized through the Iran-based platforms Megapaper.ir and Gigapaper.ir.

The 2020 campaign diverged from prior operations through its use of Iranian-hosted phishing infrastructure, complicating takedown efforts due to limited international law enforcement cooperation. Malwarebytes documented 14 impersonated universities, though specific impacts on individual institutions like TH Mittelhessen University of Applied Sciences were not detailed in public reports. The attacks underscored persistent threats to academic research security, with attackers leveraging predictable seasonal patterns and trusted communication channels. No institutional remediation efforts were described, but the disclosure enabled targeted universities to audit potential credential exposures. Silent Librarian’s uninterrupted activity highlighted challenges in deterring state-aligned threat groups operating from jurisdictions resistant to extradition or cross-border legal action.
