Skip to content

G0122 Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).123

Item Value
ID G0122
Associated Names TA407, COBALT DICKENS
Version 1.0
Created 03 February 2021
Last Modified 21 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
TA407 43
COBALT DICKENS 5643

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.125463
enterprise T1110 Brute Force -
enterprise T1110.003 Password Spraying Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.1
enterprise T1114 Email Collection Silent Librarian has exfiltrated entire mailboxes from compromised accounts.1
enterprise T1114.003 Email Forwarding Rule Silent Librarian has set up auto forwarding rules on compromised e-mail accounts.1
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.1
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.002 Email Addresses Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.1
enterprise T1589.003 Employee Names Silent Librarian has collected lists of names for individuals from targeted organizations.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.46
enterprise T1588.004 Digital Certificates Silent Librarian has obtained free Let’s Encrypt SSL certificates for use on their phishing pages.26
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization’s login page.125463
enterprise T1594 Search Victim-Owned Websites Silent Librarian has searched victim’s websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.124
enterprise T1608 Stage Capabilities -
enterprise T1608.005 Link Target Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.634
enterprise T1078 Valid Accounts Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts.1

References