Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).
Associated Group Descriptions
|Enterprise||T1583||.001||Acquire Infrastructure: Domains|
|Enterprise||T1110||.003||Brute Force: Password Spraying|
|.003||Email Forwarding Rule|
|Enterprise||T1585||.002||Establish Accounts: Email Accounts|
|Enterprise||T1589||.003||Gather Victim Identity Information: Employee Names|
|.002||Gather Victim Identity Information: Email Addresses|
|Enterprise||T1588||.004||Obtain Capabilities: Digital Certificates|
|.002||Obtain Capabilities: Tool|
|Enterprise||T1598||.003||Phishing for Information: Spearphishing Link|
|Enterprise||T1594||Search Victim-Owned Websites||
Silent Librarian has searched victim's websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.
|Enterprise||T1608||.005||Stage Capabilities: Link Target||
Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.
- DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.
- Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
- Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
- Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
- Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.
- Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.