Mabna Institute, Cobalt Dickens, Silent Librarian
Description
According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.
Geoffrey Berman, US Attorney for the Southern District of New York, revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and that about 8,000 accounts were compromised.
The Iranian hackers exfiltrated 31 terabytes, roughly 15 billion pages, of academic projects.
The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.
The sanctions also hit the Mabna Institute, an Iran-based company that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.
Also see Shadow Academy.
Names
Name | Name-Giver |
---|---|
Mabna Institute | real name |
Cobalt Dickens | SecureWorks |
Silent Librarian | SecureWorks |
Yellow Nabu | PWC |
TA407 | Proofpoint |
TA4900 | Proofpoint |
Academic Serpens | Palo Alto |
Country
Sponsor
State-sponsored, Islamic Revolutionary Guard Corps
Motivation
- Information theft and espionage
First Seen
2013
Observed Sectors
Observed Countries
Operations
- 2018-08: Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale campaign that targeted university credentials using the same spoofing tactics as previous attacks. In August 2018, members of university communities worldwide may have been providing access to more than just homework assignments. Secureworks Counter Threat Unit (CTU) researchers discovered a URL spoofing a login page for a university. https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
- 2019-07: In July and August 2019, CTU researchers discovered a new large global phishing operation launched by COBALT DICKENS. This operation is similar to the threat group’s August 2018 campaign, using compromised university resources to send library-themed phishing emails. https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again
- 2020-09: In mid-September, we were tipped off by one of our customers about a new active campaign from this APT group. Based off a number of intended victims, we can tell that Silent Librarian does not limit itself to specific countries but tries to get wider coverage. https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
Counter Operations
- 2018-03: Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary
Information
Mitre Attack
Other Information
Uuid
dfa23dfc-0cb8-4621-bde5-1583e1e7bfa4
Last Card Change
2025-06-27