ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Mabna Institute, Cobalt Dickens, Silent Librarian

Names:
Mabna Institute (real name)
Cobalt Dickens (SecureWorks)
Silent Librarian (SecureWorks)
TA407 (Proofpoint)
TA4900 (Proofpoint)
Country: Iran
Sponsor: State-sponsored, Islamic Revolutionary Guard Corps
Motivation: Information theft and espionage
First seen: 2013
Description: According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

Geoffrey Berman, US Attorney for the Southern District of New York, revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes of data; roughly 15 billion pages of academic projects were stolen.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.
Observed:
Sectors: Education.
Countries: Australia, Canada, China, Hong Kong, Israel, Japan, Switzerland, Turkey, UK, USA.
Tools used
Operations performed:
Aug 2018: Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale campaign that targeted university credentials using the same spoofing tactics as previous attacks.
In August 2018, members of university communities worldwide may have been providing access to more than just homework assignments.
Secureworks Counter Threat Unit (CTU) researchers discovered a URL spoofing a login page for a university.
<https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities>
Jul 2019: In July and August 2019, CTU researchers discovered a new large global phishing operation launched by COBALT DICKENS. This operation is similar to the threat group’s August 2018 campaign, using compromised university resources to send library-themed phishing emails.
<https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again>
Sep 2020: In mid-September, we were tipped off by one of our customers about a new active campaign from this APT group. Based off a number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage.
<https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/>
Counter operations:
Mar 2018: Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps
<https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary>
Information: <https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian>

Last change to this card: 19 October 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
