Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran.
Today, @TheJusticeDept, #FBI, @USTreasury, @NewYorkFBI, & @SDNYnews announced charges against nine Iranians for conducting massive #cyber theft campaign on behalf of the Islamic Revolutionary Guard Corps. https://t.co/WS382CZPUm pic.twitter.com/qHHd2bajTa
— FBI (@FBI) March 23, 2018
PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.
The details of the phishing attacks identified by PhishLabs give a broader sense of the overall threat posed by this group when read alongside the crimes outlined in the indictment. While the indictment details the finely-crafted spear phishing campaigns targeting university professors, the attacks tracked by PhishLabs also involved the general targeting of university students and faculty to collect credentials for the victims' university library accounts. In light of the news from Friday, we are sharing insights and research that provide additional context to the Mabna Institute indictment.
History and Targets
PhishLabs began compiling attacks, lures, and other information tied to Silent Librarian in December 2017. Starting with just two domains that hosted nearly two dozen university phishing sites, we used PassiveDNS analysis, Whois data, SSL certificate monitoring, and open source research to identify more phishing sites linked to the same group. To date, we have identified more than 750 phishing attacks attributed to Silent Librarian dating back to September 2013. These attacks have targeted more than 300 universities in 22 countries. While most of the targeted universities are located in the United States, Canada, United Kingdom, and Australia, there have also been schools targeted in other countries in Western Europe and Asia.
Countries targeted by Silent Librarian phishing attacks.
Looking at the list of university targets, it is clear that they are not randomly selected. All of the universities targeted in the Silent Librarian campaigns are generally prominent research, technical, or medical universities. Some schools in particular have been targeted numerous times over the past four-and-a-half years. For example, Monash University, located in Australia, has been a popular Silent Librarian target. The university has been targeted more than two dozen times by the group since the beginning of 2017. In addition to universities, Silent Librarian has also targeted non-academic institutions, such as Los Alamos National Laboratory, Electric Power Research Institute, Memorial Sloan Kettering Cancer Center, Ohio State Wexner Medical Center, and Thomson Reuters.
Silent Librarian Lures
One of the notable aspects of Silent Librarian phishing campaigns is that their tactics have barely changed over time. Outside the correction of a few minor spelling errors, the content of the phishing lures has remained incredibly consistent. The likely reason for this consistency is that the success rate of campaigns using these lures was high enough that there was no need for them to evolve. From a research perspective, though, the static nature of the group's lure made it easier for us to identify past campaigns and track new campaigns as they occurred.
Body of an email lure sent to an American university in February 2014.
Body of an email lure sent to an Australian university in October 2017.
Overall, the lures constructed by Silent Librarian are remarkably authentic-looking. Spelling and grammar, two of the primary indicators of a malicious email, are nearly perfect. The message in the lures are contextually legitimate, meaning it is an email a recipient could be reasonably expected to receive.
Most of the Silent Librarian lure emails contain spoofed sender email addresses, which make them appear as if they're coming from a legitimate source. Some of the phishing emails, though, have been sent from temporary Gmail addresses. A small number of lures have even been sent from what appear to be email accounts at various Turkish universities.
Example lure sent from a temporary Gmail account.
Each of the Silent Librarian lures ends with a very realistic looking closing signature containing contact information for the target library. This information is collected through open source research conducted by the threat actors. In some cases, all of the contact information can be found together on one webpage; however, some of the information is in different locations, indicating the actors are likely performing manual reconnaissance to gather the information.
At least a third of the Silent Librarian lures identified use fictitious personas to add a sense of authenticity to the emails. The names of these personas have evolved over time; however, the group has used the personas "Sarah Miller" and "Susan Jackson" frequently in recent campaigns. The group also changes the names of the personas to match the location of the target university. For example, a recent campaign targeting an Australian university used the persona "Jonathon Dixon," while the persona identity "Shinsuke Hamada" was previously used in an email lure targeting a Japanese school.
Example lure containing "Sarah Miller" persona sent from a Turkish university email account.
Like the overall content of their lures, the subject lines of Silent Librarian phishing emails have remained consistent over time. Since the beginning of 2017, 97 percent of lures contained the subject "Library Account," "Library Notifications," or "Library Services." Sometimes the name of the target university has been appended to the subject to add more perceived authenticity to the attack vector.
We have identified 127 different domains used to host Silent Librarian phishing sites since 2013. Like a growing number of phishing sites, domains registered by Silent Librarian generally use Freenom top-level domains (TLDs) (.TK, . CF, .GA, .GQ, .ML) because they are available at no cost. The group has used domains on other TLDs, though rather sparingly. Some of the other recent TLDs associated with Silent Librarian domains include .IN, .IR, .INFO, .LINK, and .TOP.
Like their lures, the phishing sites crafted by Silent Librarian are very realistic. The URLs associated with the phishing pages closely mirror the full legitimate URL path of the account login page for the target university library.
Legitimate American University Library Login URL (above)
Silent Librarian Phishing URL (January 2018)
Side-by-side comparison of a legitimate login page (left) and a phishing page (right).
At the beginning of 2017, Silent Librarian began to regularly obtain free Let's Encrypt SSL certificates for their phishing pages. This technique, which we have previous discussed at length in blog posts from November and December, is used to create more realistic-looking phishing pages.
Example phishing page with valid SSL certificate.
Silent Librarian PHP mailer referencing a Vatanmail drop email account.
What Happens to the Stolen Credentials?
As outlined in Friday's indictment, in addition to being passed to the IRGC, some of the stolen credentials were also sold on two Iranian websites, Megapaper[.]ir and Gigapaper[.]ir. Similarly, the credentials stolen in the Silent Librarian phishing attacks we identified were sold on an Iranian website; however, it is not one of the sites specified in the indictment.
Using a combination of technical and open source research, we identified another website, Uniaccount[.]ir, that was used to sell the credentials compromised in the Silent Librarian phishing attacks. The Uniaccount website is likely run by Mostafa Sadeghi, who was named in the recent indictment as a "prolific Iran-based computer hacker who was an affiliate of the Mabna Institute."
Uniaccount home page.
On the Uniaccount website, credentials are offered for dozens of universities around the world. Visitors are asked to send an email to a specified Gmail address to request the price of a password for a specific university. Notably, the website also mentions that all accounts that are purchased have a one-month warranty, so if the account is cut off during that period, the purchaser will be given a new account to use.
In addition to buying an account for a specific university, a visitor on Uniaccount can also simply purchase research journal articles individually. The cost of a single article on Uniaccount is 2,000 Tomans, or approximately 60 U.S. cents. Ebooks and standards documents are also advertised for sale on the site.
Finally, Uniaccount also offers multiple levels of memberships to buyers. The regular membership, which is available for 18,000 Tomans (approximately five USD), includes access to a variety of academic journals and five articles from "rare journals" for a two-month period. A second "golden" membership is available for 50,000 Tomans (approximately 15 USD), which provides access to passwords to the "best universities" and 15 articles from rare journals also for a two-month period.
PhishLabs continues to collaborate with universities, law enforcement, and ISAC partners as we discover more information about this group.