G0122 Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).¹²³

Item	Value
ID	G0122
Associated Names	TA407, COBALT DICKENS
Version	1.0
Created	03 February 2021
Last Modified	21 April 2021
Navigation Layer	View In ATT&CK® Navigator

Associated Group Descriptions

Name	Description
TA407	⁴³
COBALT DICKENS	⁵⁶⁴³

Techniques Used

Domain	ID	Name	Use
enterprise	T1583	Acquire Infrastructure	-
enterprise	T1583.001	Domains	Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.¹²⁵⁴⁶³
enterprise	T1110	Brute Force	-
enterprise	T1110.003	Password Spraying	Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.¹
enterprise	T1114	Email Collection	Silent Librarian has exfiltrated entire mailboxes from compromised accounts.¹
enterprise	T1114.003	Email Forwarding Rule	Silent Librarian has set up auto forwarding rules on compromised e-mail accounts.¹
enterprise	T1585	Establish Accounts	-
enterprise	T1585.002	Email Accounts	Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.¹
enterprise	T1589	Gather Victim Identity Information	-
enterprise	T1589.002	Email Addresses	Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.¹
enterprise	T1589.003	Employee Names	Silent Librarian has collected lists of names for individuals from targeted organizations.¹
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.002	Tool	Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.⁴⁶
enterprise	T1588.004	Digital Certificates	Silent Librarian has obtained free Let’s Encrypt SSL certificates for use on their phishing pages.²⁶
enterprise	T1598	Phishing for Information	-
enterprise	T1598.003	Spearphishing Link	Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization’s login page.¹²⁵⁴⁶³
enterprise	T1594	Search Victim-Owned Websites	Silent Librarian has searched victim’s websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.¹²⁴
enterprise	T1608	Stage Capabilities	-
enterprise	T1608.005	Link Target	Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.⁶³⁴
enterprise	T1078	Valid Accounts	Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts.¹

References

DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021. ↩↩↩↩↩↩↩↩↩↩↩
Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021. ↩↩↩↩↩
Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. ↩↩↩↩↩↩
Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. ↩↩↩↩↩↩↩
Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021. ↩↩↩
Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021. ↩↩↩↩↩↩