TA407

Threat Actor Profile Updated 2 months ago
TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute, is a significant threat actor primarily targeting universities and higher education institutions worldwide through target-specific phishing campaigns. These campaigns are not geographically targeted but are tied to specific universities, with phishing landing pages developed for library and student or faculty access portals. Since 2019, Proofpoint researchers have observed several TA407 campaigns distributing phishing URLs leading to clones of university library login pages. The group makes extensive use of Freenom domains to host credential phishing landing pages and abuses compromised accounts at universities to phish users at other universities, thereby spreading its influence from school to school.

In early 2018, the US Department of Justice indicted nine members of TA407 for hacking, wire fraud, and identity theft. They were charged with obtaining unauthorized access to computer systems, stealing proprietary data, and selling that stolen data to Iranian customers, including the Iranian government and Iranian universities. The indictment alleges that between 2013 and 2017, TA407's activities resulted in significant damages. However, these indictments had no appreciable effect on curtailing the activities of TA407.

TA407 demonstrates a high level of sophistication in its attacks. It takes advantage of publicized downtime and weather alerts, among other events, to add credibility to its phishing attempts, increasing the risk for universities and their constituents. Furthermore, it shows awareness of close to real-time changes in authentication portal traits, such as weather notification banners, which are sometimes reflected on the landing page clones used in their campaigns. Over time, TA407 has been observed to abuse several short URL services for initial redirection to phishing landing pages.

Despite the legal actions taken against it, TA407 continues to pose a substantial threat to educational institutions.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID: Silent Librarian
Votes: 1
Profile Description: Silent Librarian, also known as Cobalt Dickens and TA407, is a persistent threat actor operating out of Iran. Despite indictments and public disclosures of its campaigns, the group continues to engage in malicious activities, with no signs of cessation as of this publication. This cyber-espionage na

ID: Mabna Institute
Votes: 1
Profile Description: The Mabna Institute, also known as TA407, Silent Librarian, and Cobalt Dickens, is a prominent threat actor primarily targeting universities and higher education institutions worldwide. The group executes low-volume, target-specific campaigns involving tens or hundreds of messages. Their tactics, te
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Cybercrime
University
Phishing
Fraud
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the TA407 Threat Actor was read from the documents corpus below.
Source: MITRE
Created At: a year ago
Title: TA407 Overview (Mabna Institute, Silent Librarian) | Proofpoint US