>samit_hota
Back to adversary profiles
G0122HighActive

Silent Librarian: Iran's Relentless Academic Espionage Arm

Samit Hota·
Suspected Origin
Iran
Motivation
Espionage, Intellectual Property Theft, Financial Gain
Aliases
TA407, COBALT DICKENS
Target Sectors
Education, Government, Private Sector
Associated Malware
SingleFile, HTTrack, Unspecified (commodity tools)
#threat-actor#g0122

Overview

Silent Librarian, tracked by MITRE ATT&CK as G0122 and known by aliases such as TA407 and COBALT DICKENS, is an Iranian state-sponsored advanced persistent threat (APT) group. Operating since at least 2013, the group is firmly attributed to the Mabna Institute, a private company in Iran that conducts cyber intrusions at the directive of the Iranian government, specifically the Islamic Revolutionary Guard Corps (IRGC).

The primary motivation behind Silent Librarian’s relentless campaigns is intellectual property theft and economic espionage. This directive stems from Western sanctions against Iran, which significantly restrict the country’s access to international academic journals, advanced research, and Western technologies. By compromising academic and research institutions globally, Silent Librarian aims to bypass these restrictions, illicitly acquiring valuable scientific, technical, medical, and defense-related research. Beyond state-sponsored espionage, the group also demonstrates a clear financial motive, having been observed selling stolen academic data and access to compromised accounts on Iranian underground websites such as Megapaper[.]ir, Gigapaper[.]ir, and Uniaccount[.]ir.

Silent Librarian’s targeting strategy is broad but concentrated. Their primary victims are universities and academic institutions worldwide, with a particular focus on prominent research, technical, and medical universities that possess a wealth of intellectual property. They do not appear to target specific academic disciplines but rather opportunistically exploit any accessible valuable information. While educational institutions remain their most prevalent victim type, earlier campaigns also targeted private sector companies and government agencies. Geographically, their operations span the globe, with a heavy emphasis on Western nations including the United States, Canada, the United Kingdom, and Australia. They have also impacted institutions in Europe, Asia, and international organizations such as UNICEF and the United Nations.

Tactics & Techniques

Silent Librarian’s operational methodology relies almost exclusively on highly sophisticated social engineering and credential harvesting through spear phishing, making it a persistent and effective threat. They do not typically employ complex malware but instead master the art of deception.

Their campaigns begin with meticulous reconnaissance, where they scrape target university websites to gather information on branding, email formats, library portal designs, and even the academic interests of potential victims. This intelligence allows them to craft exceptionally convincing phishing emails. These lures are contextually accurate, grammatically correct, and appear authentic, often spoofing legitimate university email addresses to create an illusion of internal communication.

The phishing emails are meticulously designed around library-themed narratives, such as “Renewal of loaned items,” “Overdue notice on loaned items,” or “Library Services.” These subject lines are crafted to induce a sense of urgency or routine action without triggering immediate suspicion, making recipients more likely to click. They often exploit seasonal events, such as the start of the academic year (“back to school chaos”), or even localized incidents like publicized downtime or weather alerts, to lend further credibility to their phishing attempts.

Upon clicking a malicious link, victims are redirected to credential harvesting pages that are near-perfect replicas of legitimate university library, student, or faculty login portals. To enhance the perceived legitimacy, Silent Librarian frequently registers lookalike domains using free top-level domains (TLDs) such as .TK, .ML, .GA, .CF, and .GQ. They also obtain free Let’s Encrypt SSL certificates for these malicious sites, ensuring the presence of a padlock icon in the browser, which many users mistakenly interpret as a guarantee of security. URL shorteners are also commonly employed to obscure the true destination of the malicious links.

Once credentials are stolen, Silent Librarian actors quickly pivot to their objectives. They access academic research databases to download proprietary research papers, exfiltrate entire email mailboxes, and establish email forwarding rules to continuously siphon off sensitive communications to attacker-controlled accounts. Compromised accounts are also weaponized for lateral movement, being used as new origins for further phishing campaigns against other institutions, effectively expanding their victim pool. In some instances, the group has been observed employing password spraying techniques against private sector targets, using collected email lists and names.

Notable Campaigns

Silent Librarian’s operational history is marked by consistent activity since 2013. Their resilience is particularly noteworthy, as legal actions have largely failed to deter them.

One of their most significant campaigns spanned from 2013 to at least December 2017. During this period, the group successfully compromised over 140 U.S. universities, 30 U.S. companies, five U.S. government agencies, and 176 universities across 21 other countries. This massive operation resulted in the theft of more than 31 terabytes of academic data and intellectual property, with an estimated cost of approximately $3.4 billion.

In March 2018, the U.S. Department of Justice indicted nine Iranian nationals associated with the Mabna Institute for their involvement in these cyber theft campaigns. Despite the indictments, which named and shamed key actors, Silent Librarian was undeterred. Security researchers observed a continuation of their activities almost immediately, sometimes referred to as the “Undeterred Librarians” campaign, which further targeted universities globally. For instance, in August 2018, they were found spoofing login pages for university libraries across 76 universities in 14 countries.

Throughout 2019, Proofpoint and Secureworks reported ongoing phishing campaigns by Silent Librarian, particularly around the beginning of academic terms (June to October), indicating a seasonal operational pattern. These campaigns consistently leveraged library access lures and sophisticated credential harvesting pages. Secureworks specifically tracked a campaign between July and August 2019 that targeted over 60 universities across four continents.

Activity continued into 2020, with Malwarebytes observing new spear-phishing campaigns that expanded Silent Librarian’s target list and demonstrated an evolution in their infrastructure. During this period, the group notably began using Cloudflare for many of their phishing hostnames, likely to conceal the true origin of their sites, many of which were hosted in Iran, complicating takedown efforts due to limited international cooperation.

Associated Malware & Tools

Silent Librarian’s operational success stems not from highly sophisticated, custom malware, but from their masterful application of social engineering and widely available, commodity tools. Their infrastructure is characterized by its disposable and cost-effective nature.

For cloning legitimate login pages, the group extensively utilizes free and publicly available web scraping tools such as SingleFile and HTTrack. These tools enable them to quickly and accurately replicate university library and portal login interfaces, making their phishing pages virtually indistinguishable from the real ones.

Their choice of domain registration services reflects a similar strategy. They frequently acquire domains using free top-level domains (TLDs) provided by services like Freenom, specifically .TK, .ML, .GA, .CF, and .GQ. This allows them to generate numerous lookalike domains that closely mimic legitimate university URLs at minimal cost. To further legitimize these fake login pages, they routinely obtain free SSL certificates from services like Let’s Encrypt. This ensures the phishing sites display “https://” and a padlock icon, leveraging users’ trust in these visual cues for security.

While not strictly malware, the group also makes extensive use of URL shorteners to obfuscate the true destination of their malicious links within phishing emails. More recently, Silent Librarian has incorporated services like Cloudflare into their infrastructure to hide the actual hosting locations of their phishing sites, a tactic that complicates efforts by security researchers and law enforcement to track and dismantle their operations.

Current Status

Silent Librarian remains an active and persistent threat. Despite U.S. Department of Justice indictments in 2018, the group was not deterred and continued its operations unabated. Security researchers have continuously tracked their activity through 2019 and 2020, with some sources indicating that their infrastructure continues to be monitored as recently as 2024.

Their consistent methodology and state-sponsored backing suggest that Silent Librarian will likely continue to target academic and research institutions globally, particularly during periods of high user activity like the beginning of academic semesters. Organizations, especially those in the education, government, and private research sectors, must maintain vigilance, implement robust multi-factor authentication, and educate users on sophisticated phishing tactics to mitigate the ongoing threat posed by this group.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call