Cyber Incident Victim: Western University
Date: Oct 2020
Location: Canada
Summary
A group of Iranian state-linked hackers known as Silent Librarian conducted a phishing campaign targeting academic institutions, including Western University Canada, by impersonating university portals and library services through fraudulent emails and lookalike domains. The attackers harvested login credentials to steal intellectual property and restricted academic research, subsequently selling the materials via Iranian-operated platforms. This campaign marked a tactical shift by hosting phishing infrastructure within Iran to evade international law enforcement takedowns, leveraging geopolitical barriers to maintain operational persistence. The group has a documented history of seasonal attacks coinciding with academic calendars and previously faced U.S. indictments for similar global campaigns targeting university systems.
Description
In October 2020, Iranian state-sponsored hackers known as Silent Librarian resumed their annual phishing campaigns against academic institutions, including Western University Canada, timed to the start of the new school year. The group, active since at least 2013 and indicted by the U.S. Department of Justice in March 2018 for intellectual property theft, sent emails impersonating university portals or associated services such as library applications. These messages directed recipients to fraudulent websites hosted on domains designed to mimic legitimate university URLs, where the entered credentials were harvested. The attackers historically sold stolen academic research and proprietary data through the Iranian-based platforms Megapaper.ir and Gigapaper.ir, monetizing unauthorized access to university systems. Despite the 2018 indictment, the group continued to operate from Iran, launching seasonal attacks each fall that were documented by cybersecurity firms including Secureworks in 2018 and Proofpoint in 2019. The 2020 campaign differed in that the phishing infrastructure was hosted on Iranian servers, a tactical shift that relied on the lack of law enforcement cooperation between Iran and other countries to keep the sites from being taken down. Malwarebytes identified Western University Canada among 14 global targets, though specific compromise metrics or data exfiltration volumes were not disclosed. The operation relied on social engineering rather than technical exploits, using the heightened email activity of the academic cycle to raise the phishing success rate.

The incident affected Western University Canada through the potential compromise of faculty, student, and staff credentials, creating a risk of academic research theft and unauthorized access to restricted university resources. Silent Librarian's objective centered on stealing unpublished scholarly work, proprietary datasets, and intellectual property for commercial redistribution via its platforms. No containment or remediation actions by Western University Canada were detailed in available reporting, though Malwarebytes published the phishing domains so that potential victims could review their mail logs retrospectively for messages that referenced them. The attackers' use of geographically insulated infrastructure highlighted the difficulty of mitigating threats that originate in jurisdictions resistant to cross-border legal cooperation. The group's history indicated persistent financial and operational motives, with stolen materials likely sold to fund further activity. The 2020 attacks underscored the continuing exposure of academic institutions to credential harvesting, particularly during periods of administrative transition such as the start of a semester. Malwarebytes' disclosure provided actionable indicators of compromise but did not mention involvement by law enforcement or an incident response team specific to Western University Canada.
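The retrospective review described above can be automated: given the legitimate domains an institution owns, a script can scan mail logs for sender domains and URL hosts that impersonate them, either by embedding the university's name in a domain the university does not control or by a small typo in the registrable label. The following is an added example written for this page; it is not Malwarebytes' code or the page's own, and every domain and log line in it is constructed for illustration (the flagged hostnames are not real indicators from the campaign). A real review would replace the constructed domain list with the published indicators and the institution's actual domains, and would use the Public Suffix List instead of the tiny suffix table assumed here.

```python
"""Retrospective mail-log review for lookalike university domains.

Added example, not from the original page or from Malwarebytes.
Constructed assumptions: LEGIT_DOMAINS, MULTI_LABEL_SUFFIXES, the log
format and SAMPLE_LOG are all made up for illustration; the flagged
hostnames below are NOT real indicators of compromise.
"""
import re
from urllib.parse import urlparse

# Constructed assumption: registrable domains the institution actually owns.
LEGIT_DOMAINS = {"example-university.ca"}

# Constructed assumption: a few multi-label public suffixes. A real
# deployment would consult the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "com.au", "edu.au"}

# Constructed log format: <timestamp> <sender> <recipient> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sender>\S+)\s+(?P<rcpt>\S+)\s+(?P<url>\S+)$")


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (naive suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _norm(label: str) -> str:
    # Hyphens are the cheapest thing a squatter changes, so compare without them.
    return label.lower().replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values against the brand label mean a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str):
    """Return why `host` looks like an impersonation of a legit domain, or None."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return None  # our own domain, or a subdomain of it
    brands = {_norm(d.split(".")[0]) for d in LEGIT_DOMAINS}
    labels = [_norm(lbl) for lbl in host.lower().split(".")]
    for brand in brands:
        # Brand name used as a label inside a domain we do not own,
        # e.g. example-university.ca.portal-login.net
        if any(brand in lbl for lbl in labels):
            return f"brand label '{brand}' inside foreign domain {reg}"
        # Registrable label within two edits of the brand, e.g. exanple-university.ca
        if levenshtein(_norm(reg.split(".")[0]), brand) <= 2:
            return f"typosquat of '{brand}' ({reg})"
    return None


def review_log(lines):
    """Flag entries whose sender domain or URL host looks like an impersonation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        sender_host = m["sender"].rsplit("@", 1)[-1]
        url_host = urlparse(m["url"]).hostname or ""
        for field, host in (("sender", sender_host), ("url", url_host)):
            reason = lookalike_reason(host)
            if reason:
                hits.append({"ts": m["ts"], "field": field, "host": host, "reason": reason})
    return hits


# Constructed sample log: one legitimate library mail, one typosquat,
# one brand-in-foreign-domain lure, one unrelated vendor newsletter.
SAMPLE_LOG = """\
2020-10-14T09:02:11Z alerts@example-university.ca staff1@example-university.ca https://library.example-university.ca/login
2020-10-14T09:05:43Z support@exanple-university.ca staff2@example-university.ca https://exanple-university.ca/portal/login
2020-10-14T09:07:02Z library@mail.net student@example-university.ca https://example-university.ca.portal-login.net/
2020-10-14T09:10:00Z news@vendor.com student@example-university.ca https://vendor.com/newsletter
""".splitlines()

if __name__ == "__main__":
    for hit in review_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['field']:6} {hit['host']:45} {hit['reason']}")
```

Two detection rules do the work: a brand label appearing anywhere in a hostname whose registrable domain is not ours catches the "university name plus foreign TLD or parent domain" pattern, and a small edit distance on the registrable label catches single-character typos. Subdomains of the institution's own domain are deliberately never flagged, so the rules do not drown the review in the legitimate library and portal traffic the lures imitate.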
