Threat Actor Profile Silent Librarian
Silent Librarian is an Iranian-based Advanced Persistent Threat (APT) actor that focuses on information theft in primarily Western states. The first observation of activity by the group dates back to 2013. During this campaign, they were observed to have stolen data from universities and the private sector. Their later campaigns mainly targeted universities, aiming to steal information. The attacks of Silent Librarian are characterized by sophisticated spearphishing attacks against individuals of their targeted organizations.
Request a free membership to access our full research insights
- Aliases: COBALT DICKENS, Mabna Institute, TA407, Silent Librarian, Yellow Nabu, TA4900
- Strategic motives: Information theft, Espionage
- Affiliation: Iran - Islamic Revolutionary Guard Corps (IRGC)
- Cyber capabilities: ★★☆☆☆
- Target sectors: Education, Government, Private sector
- Observed countries: Australia, Canada, China, Denmark, Germany, Hong Kong, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Republic of Korea, Singapore, South Africa, Spain, Sweden, Switzerland, Turkey, UNICEF, United Kingdom, United Nations, United States
Origins, Motivations & Targets
Attribution
It can be stated with a high degree of confidence that Silent Librarian operates on behalf of the Iranian government. This assessment is based on research of various sources providing evidence regarding the sponsorship of Silent Librarian’s operations. According to the news site and think tank Council on Foreign Relations, Silent Librarian operates on behalf of the Mabna Institute, which is an Iran-based private company acting in service of the Islamic Revolutionary Guard Corps (IRGC) to steal credentials and intellectual property for private financial gain and to be used by the IRGC.
Strategic motivations
Silent Librarian’s main strategic motivations are information theft and economic espionage. The group mainly targets educational institutions to acquire intellectual property. It appears that Silent Librarian does not focus on specific academic disciplines, but rather operates on an opportunistic basis and steals the information that they manage to access.
Hunt & Hackett’s research indicates that the focus on the academic sector is linked to sanctions related to technology and other goods in Iran. Western sanctions on Iran affect their scientific community. For example, cutting them from the international financial system makes it harder for individuals to subscribe to international academic journals. Importing western technologies is also restricted. These restrictions set a motivation for Iran to get their hands on this knowledge or technologies in other ways.
Silent Librarian was previously observed selling their stolen data on an Iranian website named Megapaper[.]ir, as well as selling access to compromised accounts via another Iranian website called Gigapaper[.]ir. This indicates that they might also pursue financial gain.
Target selection
During their campaigns Silent Librarian most often focuses on information theft or credential theft from individuals working for organizations that possess data that is potentially valuable for the group. Among the victimized institutions were many universities, being by far the most prevalent victimized organization type and therefore making the educational sector Silent Librarian’s primary target. However, in their earlier campaigns some private and government sectors were also targeted[8]. Apart from an interview in 2017 with Crane Hassold (Director of Threat Intelligence at Phishlabs at that time) in the Washington Post, in which a focus on three specific sectors is mentioned, there are no indications that Silent Librarian focuses on specific knowledge areas. This is different from some actor groups from other nations that often demonstrate a clear interest in specific knowledge areas that align with the countries’ strategic agenda.
As to the private organizations targeted in the earliest campaigns of Silent Librarian, there is no publicly available information confirming their identities. However, Iran’s targets for commercial espionage typically fall into categories that relate to their commodities industry and military technological capabilities, which indicates a possibility that these sectors were targeted by Silent Librarian as well.
Although no specific geographical pattern or profile with regards to the victimized institutions can be found, it is notable that a large proportion of the attacks occurred in Western countries. Among the reported incidents with Silent Librarian, the prevalence of victimized organizations (mainly universities) within the US is highly over-represented, compared to other countries. Next up are European countries, which are highly represented in the list of victims as well. This indicates a particular interest of the threat actor in American and European knowledge institutions. A likely explanation for this is that Western sanctions on Iran restrict access to resources, including research and technology, which consequently leads to Iranian forces attempting to, and often succeeding at stealing otherwise restricted information. For organizations to determine their targetability by Silent Librarian, they should consider the attractiveness of their research assets.
SWOT analysis
Strengths, weaknesses, opportunities & threats
Strengths
- IRCQ-backed & undeterred by criminal prosecution
- Sophisticated phishing campaigns with specific themes for each campaign
- Short attacking spans and limited direct impact on targets might hold victims back from rigorous investigations
- Relatively short time span of the attacks, so limited time for defenders to detect and respond against them
Weaknesses
- Target selection within the educational sector appears to be random and opportunistic
- Reliant on social engineering
- Unable to conduct long-term espionage activities
Opportunities
- Ongoing geopolitical conflicts in the Middle East
- Social engineering remains an attractive attacking vector because it abuses human nature
- Educational institutions have thousands of end users
Threats
- Increased attention on Iranian activity in general
- Protective controls such as MFA will have protective value
- Western states implementing legislation on mandated cybersecurity protections, applicable to educational institutions: often require MFA
- International sanctions
More detailed information about this actor?
Silent Librarian in the Netherlands
Dutch universities are not spared in Silent Librarian’s campaigns; several Dutch Universities are confirmed to have been targeted by Silent Librarian during their past campaigns, mainly in 2020. Utrecht University is mentioned in a list of Silent Librarian targets in 2020 by Malwarebytes. A list composed by Alienvault in 2019 of spoofed domains by Silent Librarian contains domains that seemingly spoof Leiden University, Utrecht University, and Twente University. According to the available data, Utrecht University and University of Twente seem to be their most targeted educational institutions within the Netherlands. Seemingly spoofed domains of University of Amsterdam, Utrecht University and University of Twente are included in a list that is related to Shadow Academy.
The University of Twente reported in 2020 that they were actively being targeted by Silent Librarian at that time. The domain they provided in a screenshot is identical to a spoofed domain that RiskIQ assessed to belong to Shadow Academy[56]. This could either indicate that Shadow Academy and Silent Librarian are related or identical, or that UT’s attribution to Silent Librarian actually should be attribution to Shadow Academy. Because the indications that are mentioned by UT are not disclosed, the relationship between the targeting of UT and the attribution to Silent Librarian or Shadow Academy remains unknown.
Trends
The TTPs of this actor typically abuse valid accounts by logging in with obtained credentials through phishing or brute force. MFA is a mitigation which has been proven effective against these types of initial access techniques and has been implemented by many organizations since 2019. As the US Cybersecurity & Infrastructure Security Agency points out, One-Time Password MFA and Mobile Push notifications with number matching are still vulnerable to phishing attacks. However circumventing MFA still requires additional attacking steps, which might change the cost-benefit balance of the usage of these techniques. The campaigns of Silent Librarian appear to have caught the attention of universities, especially around 2020. After 2020 one attribution to Silent Librarian was publicly available and one vendor noticed limited activity by the group. However, details about this campaign were not disclosed.
The international sanctions on Iran have not been lifted since the group’s last large-scale campaigns in 2020. This is therefore not considered a reason for the discontinuation of their operations. With several geopolitical developments in the Middle East and related to Iran, it might be possible that Iran has shifted its focus to more pressing events, but the exact reasons behind why almost no new observations of Silent Librarian were made after 2020, are still unknown.