Names | Mabna Institute (real name), Cobalt Dickens (SecureWorks), Silent Librarian (SecureWorks), Yellow Nabu (PWC), TA407 (Proofpoint), TA4900 (Proofpoint)
Country | Iran
Sponsor | State-sponsored, Islamic Revolutionary Guard Corps
Motivation | Information theft and espionage
First seen | 2013
Description | According to the US Treasury Department, since 2013 the Mabna Institute has targeted 144 US universities and 176 universities in 21 other countries. Geoffrey Berman, US Attorney for the Southern District of New York, said the spear-phishing campaign targeted more than 100,000 university professors worldwide and compromised about 8,000 accounts. The Iranian hackers exfiltrated 31 terabytes of data, roughly 15 billion pages of academic projects. The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations. The accompanying sanctions named the Mabna Institute, an Iran-based company that played a central role in coordinating the attacks on behalf of Iran’s Revolutionary Guards. Also see Shadow Academy.
Observed | Sectors: Education. Countries: Australia, Canada, China, Hong Kong, Israel, Japan, Switzerland, Turkey, UK, USA.
Tools used |
Operations performed | Aug 2018 | Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale campaign that targeted university credentials using the same spoofing tactics as previous attacks. In August 2018, members of university communities worldwide may have been providing access to more than just homework assignments. Secureworks Counter Threat Unit (CTU) researchers discovered a URL spoofing a login page for a university. <https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities> |
Jul 2019 | In July and August 2019, CTU researchers discovered a new large global phishing operation launched by COBALT DICKENS. This operation is similar to the threat group’s August 2018 campaign, using compromised university resources to send library-themed phishing emails. <https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again>
Sep 2020 | In mid-September, we were tipped off by one of our customers about a new active campaign from this APT group. Based on a number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage. <https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/>
Counter operations | Mar 2018 | Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps <https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary> |
Information | <https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian>
MITRE ATT&CK | <https://attack.mitre.org/groups/G0122/> |
Last change to this card: 30 December 2022