Silent Librarian

Threat Actor Profile Updated 2 months ago
Silent Librarian, also known as Cobalt Dickens and TA407, is a persistent threat actor operating out of Iran. Despite indictments and public disclosures of its campaigns, the group continues to engage in malicious activities, with no signs of cessation as of this publication. This cyber-espionage nation-state threat actor is associated with the theft of intellectual property and research and has been tracked by cybersecurity entities like PhishLabs since late 2017.

Silent Librarian's operations are characterized by realistic phishing sites and lures, making the group a significant threat to unsuspecting victims. Its primary modus operandi involves launching phishing attacks from a university unrelated to the current target, using a separate, unrelated university’s URL shortening service. Since 2013, 127 different domains have been identified hosting Silent Librarian phishing sites, demonstrating the breadth and complexity of its operations.

The credentials compromised in these phishing attacks are then sold on websites such as Uniaccount[.]ir, further underscoring the financially motivated nature of Silent Librarian's activities. Researchers at Proofpoint and Secureworks have provided detailed insights into Silent Librarian's operations, including the identification of two email accounts used to receive compromised victim credentials. Notably, the stolen credentials from the Silent Librarian phishing attacks were found being sold on an Iranian website, although it was not one of the sites specified in the indictment.

Overall, Silent Librarian represents a formidable and ongoing threat in the landscape of cybercrime, particularly for institutions of higher learning.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
COBALT DICKENS | 1 | COBALT DICKENS is a notable threat actor group known for its malicious activities in the realm of cybersecurity. This group has been particularly active in hosting phishing websites, with significant operations noted in July and August 2019. CTU researchers discovered this large global phishing oper
Mabna Institute | 1 | The Mabna Institute, also known as TA407, Silent Librarian, and Cobalt Dickens, is a prominent threat actor primarily targeting universities and higher education institutions worldwide. The group executes low-volume, target-specific campaigns involving tens or hundreds of messages. Their tactics, te
TA407 | 1 | TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute, is a significant threat actor primarily targeting universities and higher education institutions worldwide through target-specific phishing campaigns. These campaigns are not geographically targeted but are tied to specific
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Encrypt
Extortion
Espionage
University
Phishing
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Lapsus | Unspecified | 1 | Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwor
Kimsuky | Unspecified | 1 | Kimsuky, a threat actor linked to North Korea, has been identified as the perpetrator behind a series of advanced persistent threat (APT) attacks. The group is known for its malicious activities, which typically involve cyber espionage and targeted attacks on high-profile entities. Recently, Kimsuky
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Silent Librarian Threat Actor was read from the documents corpus below.
Source | Created At | Title
CERT-EU | 10 months ago | Threat spotlight: Attackers use inbox rules to evade detection
MITRE | a year ago | COBALT DICKENS Goes Back to School…Again
MITRE | a year ago | TA407 Overview (Mabna Institute, Silent Librarian) | Proofpoint US
MITRE | a year ago | Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment | PhishLabs
MITRE | a year ago | Silent Librarian APT right on schedule for 20/21 academic year | Malwarebytes Labs