Silent Librarian, also known as Cobalt Dickens and TA407, is a persistent threat actor operating out of Iran. Despite indictments and public disclosures of its campaigns, the group continues its malicious activity, with no signs of cessation as of this publication. This nation-state cyber-espionage actor is associated with the theft of intellectual property and research, and has been tracked by cybersecurity entities like PhishLabs since late 2017. Silent Librarian's operations are characterized by realistic phishing sites and lures, which make the group a significant threat to unsuspecting victims.
The group's primary modus operandi involves launching phishing attacks from a university unrelated to its current target, using the URL shortening service of a separate, also unrelated university. Since 2013, 127 different domains have been identified hosting Silent Librarian phishing sites, demonstrating the breadth and complexity of the group's operations. The credentials compromised in these phishing attacks are then sold on websites such as Uniaccount[.]ir, further underscoring the financially motivated nature of Silent Librarian's activities.
Researchers at Proofpoint and Secureworks have provided detailed insights into Silent Librarian's operations, including the identification of two email accounts used to receive compromised victim credentials. Notably, credentials stolen in the Silent Librarian phishing attacks were found for sale on an Iranian website, although it was not one of the sites specified in the indictment. Overall, Silent Librarian represents a formidable and ongoing threat in the landscape of cybercrime, particularly for institutions of higher learning.
Description last updated: 2024-05-04T23:09:23.831Z