Crane Hassold is the Senior Director of Threat Research at Agari, where he leads an intelligence team responsible for researching enterprise-focused phishing threats. Previously, he served as an Analyst at the FBI for more than 11 years, providing strategic and tactical analytical support to cyber, financial crime, and violent crime cases. For most of his career with the FBI, Crane worked in the Behavioral Analysis Units in Quantico, Virginia, where he provided analytical and behavioral support to the intelligence community and law enforcement partners against national security adversaries and serial criminals. In 2012, Crane helped create the FBI’s Cyber Behavioral Analysis Center, which takes an asymmetric approach to examining cyber threats by combining the traditional behavioral concepts used for decades in the violent crime world with technical expertise to gain a holistic understanding of threat actor tactics, techniques, and procedures.
I was struck by the name of an emerging security threat that Crane has identified and has been keeping an eye on for several years. He graciously agreed to answer some questions about it.
Who is the group called Silent Librarian, and where does its name come from?
Silent Librarian is an Iranian phishing group I started tracking back in December 2017. I first started following the group because unlike other common phishing pages targeting universities, Silent Librarian’s phishing pages were specifically crafted to mimic university library log-in pages (hence the “Librarian” in Silent Librarian). The group has been active since at least 2013. Silent Librarian is linked to the Mabna Institute, an organization that was indicted by the US Department of Justice in March 2018. According to the USDOJ indictment, the Mabna Institute worked at the direction of the Iranian government and supplied stolen information to the Islamic Revolutionary Guard Corps (IRGC). Based on my research, I was able to link one of the main actors from the Mabna Institute indictment to Silent Librarian activity, indicating the two groups were, in fact, the same entity.
Who are Silent Librarian’s targets?
Silent Librarian’s targets are colleges and universities all over the world. I had previously identified more than 300 universities that had been targeted by Silent Librarian in phishing attacks in 22 countries. A majority of Silent Librarian’s targets are located in the United States, Canada, the United Kingdom, and Australia. Looking at the schools Silent Librarian targets, a significant number of them are prominent research, technical, or medical universities.
What is Silent Librarian trying to get?
The purpose of Silent Librarian’s phishing attacks is to compromise the credentials of university faculty and staff. They will then use those credentials to access academic research journals available to these accounts. Because Silent Librarian has ties to the Iranian government, it is also possible that they could use compromised credentials to access other sensitive research at a university, although there has been no direct evidence this has occurred. According to the USDOJ indictment, Silent Librarian/Mabna Institute stole more than 31 terabytes of data from universities, companies, and government agencies around the world at a cost of approximately $3.4 billion.
What is Silent Librarian’s strategy?
The first step in a Silent Librarian attack is the phishing email. These emails are constructed to look like they’re being sent from a university’s library and may request that a recipient renew their library account access by authenticating their account. Many times, these emails directly spoof university email addresses, which makes it appear that they are being legitimately sent from a library account. These lure emails contain a link that leads to the phishing site. Many of these links use URL shorteners that redirect a victim to the ultimate phishing page.
The phishing sites constructed by Silent Librarian are almost exact replicas of the actual webpages they’re impersonating. The URLs for these phishing sites are also extremely similar to legitimate URLs. For example, if the legitimate URL for a university library login page is https://libproxy.university.edu, then the URL for a Silent Librarian phishing site might look like https://libproxy.unversity.edu.iftl.tk. Silent Librarian also obtains freely-available SSL certificates for their phishing pages, which adds another layer of authenticity to the site. An SSL certificate gives a website a green lock icon in a browser URL bar, which indicates that a website is “secure” (even though this simply means communication to/from a website is encrypted and doesn’t mean that a website is legitimate or safe).
One of the most interesting aspects of Silent Librarian’s attacks is that their tactics have remained incredibly consistent for years. With the exception of a few minor changes, many of the same lures they use today are the exact same lures they used five years ago. The lack of evolution in Silent Librarian’s tactics likely indicates that they don’t see a need to adapt because their current techniques have continued to have success with little resistance.
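The lookalike-hostname pattern described in the answer above can be checked for in mail filtering or proxy logs. The following is an added example, not part of the interview: it flags links whose host carries a near-copy of the real library hostname but sits outside the university's own domain. The trusted domain, the similarity threshold and every sample link other than the two URLs quoted in the interview are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

LEGIT_HOST = "libproxy.university.edu"  # legitimate login host from the interview's example
TRUSTED_DOMAIN = "university.edu"       # assumption: every host under it is the school's own
THRESHOLD = 0.85                        # assumption: similarity cut-off, tune on real traffic


def classify_link(url, legit_host=LEGIT_HOST, trusted_domain=TRUSTED_DOMAIN):
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    # Anything really under the university's domain is not a lookalike.
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "legitimate"
    labels = host.split(".")
    width = len(legit_host.split("."))
    # Slide a window of `width` labels across the host so a copy of the real
    # hostname is found wherever it sits, e.g. in front of another domain.
    for start in range(max(1, len(labels) - width + 1)):
        window = ".".join(labels[start:start + width])
        if SequenceMatcher(None, window, legit_host).ratio() >= THRESHOLD:
            return "lookalike"
    return "unrelated"


# Constructed sample links, except the first two, which are quoted in the interview.
SAMPLE_LINKS = [
    "https://libproxy.university.edu",
    "https://libproxy.unversity.edu.iftl.tk",
    "https://libproxy.university.edu.example.test/login",  # exact copy, wrong parent domain
    "https://library.university.edu/renew",                # sibling host, really the school's
    "https://www.example.org/",
]


def triage(links):
    """Map each link to its classification."""
    return {link: classify_link(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

Links behind URL shorteners have to be resolved to their final destination before this check is meaningful, since the shortener's own host will classify as unrelated.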
How do they use what they get?
Silent Librarian uses the credentials they steal in their phishing attacks to access and download research from various academic journals. The group also sells access to these journals on various Iranian websites, which allows users to purchase an account at a specific university or purchase journal articles individually. The USDOJ indictment also indicates that Silent Librarian has provided stolen information to the Iranian government.
What dangers does Silent Librarian pose to colleges and universities?
Because Silent Librarian is backed by the Iranian government, they should be considered a significant threat to colleges and universities. Not only do Silent Librarian’s attacks cause direct losses of academic literature, but there’s also the possibility the group could use the accounts they compromise to steal even more sensitive research from university faculty or students. Additionally, in many cases where Silent Librarian has used compromised accounts to download significant amounts of journal material, a university library may completely lose access to journals for a period of time. Based on the fact that Silent Librarian has not shown a need to change their tactics, it likely means their longstanding techniques have had continued success.