September means schools and universities are open again, and business is booming for a well-known threat actor: Silent Librarian. Also known as Cobalt Dickens or TA407, it is a notorious adversary group that targets educational institutions to steal research and proprietary data.
When cybercriminals target schools and universities, plenty of data is exfiltrated or otherwise taken advantage of. This data is lucrative because personally identifiable information (PII) gives threat actors a considerable advantage and a higher success rate when it is used creatively for social engineering. The universities targeted are those affiliated with the US and other Western-based schools, but given the pattern and the potential of breaching university databases, the cybercriminals may indiscriminately target schools that are not affiliated with their “sponsors.”
Data was being sold off by Silent Librarian to Iran, which gave rise to suspicions that this may be a government-backed adversary.
This is the reason educational institutions are always their primary target: they hold vast amounts of sensitive information, not only about individuals but also about research investments worth millions to billions.
Despite the ongoing pandemic, these threat actors have been spotted active again since schools and universities reopened. This time, they are not focused only on institutions in the United States and Europe; evidence shows that their operation now reaches many other regions worldwide, with the same goal but far greater coverage and a stealthier approach.
The research confirmed that the group is now using Cloudflare to tactically hide its underlying hosting provider and avoid immediate removal or takedown before it carries out its malicious activity. Rumors also spread that they register their fraudulent websites with hosting companies available in their country of origin, Iran.
Notably, they penetrate the victim’s system through spear-phishing emails containing links that redirect to a domain under their control or to a mimicry website. The emails carry a fake notification telling the intended victim that their library access has been blocked, or is about to expire, and that they must update their credentials. Once prompted to update, the victim is lured into clicking links through which the adversaries can capture the credentials, run malicious code, and compromise the device in order to rummage through its stored information. Unknowingly, the victim is redirected to a mimicry of their official institution portal, where they enter their credential details.
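The lure described above relies on a link whose visible text or hostname resembles the institution’s real library portal while the actual target is a lookalike domain, often differing only in the top-level domain. The following is an added defender-side example, not code from the original article or from any of the researchers it cites: it parses a constructed sample email, extracts every link, and classifies each one against an allowlist of the institution’s legitimate domains. All domains (`example-university.edu` and the lookalikes) are placeholders invented for the example, not real indicators from the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure in the style described: library access "expiring",
# a link whose visible text shows the real portal but whose href points
# elsewhere, plus lookalike domains. All domains are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Your library account will expire soon. Please renew at
<a href="https://library.example-university.edu/renew">library.example-university.edu</a>.</p>
<p>Or sign in here:
<a href="https://library.example-university.me/login">https://library.example-university.edu/login</a></p>
<p><a href="https://example-university.cf/portal">Update your credentials</a></p>
<p><a href="https://example-university-login.com/">Sign in</a></p>
<p><a href="https://www.example.org/">Privacy</a></p>
"""

# Legitimate domains the institution actually owns (placeholder values).
TRUSTED_DOMAINS = {"example-university.edu", "library.example-university.edu"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return one of: trusted, display-mismatch, lookalike-tld, lookalike-name, unknown."""
    host = (urlparse(href).hostname or "").lower()

    # Exact trusted host, or a proper subdomain of one.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"

    # Visible text names a host that differs from where the link really goes.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and m.group(1) != host:
        return "display-mismatch"

    host_labels = host.split(".")
    for t in trusted:
        t_labels = t.split(".")
        # Same name, different TLD: the "new top-level domains" pattern.
        if host_labels[:-1] == t_labels[:-1] and host_labels[-1] != t_labels[-1]:
            return "lookalike-tld"

    # Institution's registrable name embedded in an unrelated domain.
    for t in trusted:
        if t.split(".")[-2] in host:
            return "lookalike-name"

    return "unknown"


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Classify every link in an email body; returns [(href, verdict), ...]."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, classify_link(href, text, trusted)) for href, text in parser.links]


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Only the hrefs that match one of the lookalike or mismatch patterns."""
    return [href for href, verdict in scan_email(html, trusted)
            if verdict in ("display-mismatch", "lookalike-tld", "lookalike-name")]


if __name__ == "__main__":
    for href, verdict in scan_email(SAMPLE_EMAIL_HTML):
        print(f"{verdict:17s} {href}")
```

The `display-mismatch` check is the cheapest and most reliable signal here, since a legitimate renewal notice has no reason to show one hostname and link to another; the `lookalike-tld` and `lookalike-name` checks are heuristics that a mail gateway would feed into a score rather than block on outright.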
Historically, back in 2018 the United States Department of Justice indicted nine Iranian nationals believed to be part of the Silent Librarian group, as evidence tied them to the stolen research and proprietary information. For the 2019 school year, researchers confirmed that the group had amassed billions in value from hacked accounts and compromised intellectual property belonging to staff and students who fell victim at almost 8,000 educational institutions worldwide.
The in-depth investigation confirmed that the threat actors are still using the same methodology, now with new top-level domains. A group of cybersecurity experts has already carried out mitigation plans; they successfully took down a few of the fake websites and posted Indicators of Compromise (IOCs) to raise awareness in the cyber community.