TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute, is a significant threat actor primarily targeting universities and higher education institutions worldwide through target-specific phishing campaigns. These campaigns are not geographically targeted but are tied to specific universities, with phishing landing pages developed for library and student or faculty access portals. Since 2019, Proofpoint researchers have observed several TA407 campaigns distributing phishing URLs leading to clones of university library login pages. The group makes extensive use of Freenom domains to host credential phishing landing pages and abuses compromised accounts at universities to phish users at other universities, thereby spreading its influence from school to school.
In early 2018, the US Department of Justice indicted nine members of TA407 for hacking, wire fraud, and identity theft. They were charged with obtaining unauthorized access to computer systems, stealing proprietary data, and selling that stolen data to Iranian customers, including the Iranian government and Iranian universities. The indictment alleges that between 2013 and 2017, TA407's activities resulted in significant damages. However, these indictments had no appreciable effect on curtailing the activities of TA407.
TA407 demonstrates a high level of sophistication in its attacks. It takes advantage of publicized downtime and weather alerts, among other events, to add credibility to its phishing attempts, increasing the risk for universities and their constituents. Furthermore, it shows awareness of near-real-time changes in authentication portal traits, such as weather notification banners, which are sometimes reflected on the landing page clones used in its campaigns. Over time, TA407 has been observed to abuse several short URL services for initial redirection to phishing landing pages. Despite the legal actions taken against it, TA407 continues to pose a substantial threat to educational institutions.
Description last updated: 2024-05-04T23:09:11.540Z