Iranian hackers restart attacks on universities as the new school year begins

This time they hosted phishing servers in Iran, immune to any takedown attempts.

Why Iranian hacking operations could be a threat to your network

A group of Iranian hackers with a history of attacking academic institutions have come back to life to launch a new series of phishing campaigns, security firm Malwarebytes said today.

Executive guide

What is phishing? Everything you need to know to protect yourself from scam emails and more

Don't click on that email! Find everything you need to know in this phishing guide including how to protect yourself from one of the most common forms of cyber attack.

Read More

The new attacks were timed to coincide with the start of the new academic years when both students and university staff were expected to be active on university portals.

The attacks consisted of emails sent to victims. Known as "phishing emails," they contained links to a website posing as the university portal or an associated app, such as the university library.

The websites were hosted on sites with lookalike domains, but in reality, collected the victim's login credentials.

Attacks linked to Silent Librarian group

Malwarebytes says the attacks were all orchestrated by the same group, known in cyber-security circles under its codename of Silent Librarian.

The members of this group were indicted in the US in March 2018 for a long string of attacks against universities from all over the globe, dating back as far as 2013.

According to the US indictments, the hackers gained access to university portals from where they stole intellectual property or limited-release academic work, which they later re-sold on their own web portals ( and

However, despite the US indictment, the hackers remained at large in Iran and mounted subsequent attacks.

These attacks usually took place each fall, right before the new school year. Their 2018 campaign was documented in a Secureworks report, while Proofpoint spotted last year's campaign.

Group is now hosting attack servers in Iran

But compared to the past attacks, the 2020 campaign is different.

Malwarebytes said this time around, Silent Librarian hosted some of its phishing sites on Iranian servers.

"It may seem odd for an attacker to use infrastructure in their own country, possibly pointing a finger at them. However, here it simply becomes another bulletproof hosting option based on the lack of cooperation between US or European law enforcement and local police in Iran," the US security firm said.

Below is a list of universities the group targeted, along with the phishing sites they used, in case students and university staff may want to review any past emails.

Phishing siteLegitimate siteTarget University of Adelaide Library University of Adelaide Library Caledonian University
blackboard.stonybrook.ernn.meblackboard.stonybrook.eduStony Brook University
blackboard.stonybrook.nrni.meblackboard.stonybrook.eduStony Brook University Utrecht
uu.blackboard.rres.meuu.blackboard.comUniversiteit Utrecht University of Bristol of Toronto of Cambridge Medical Institutet of York of Kentöteborg universitet University Canada's College London Mary University of London Victoria Australia Technological University of Lincoln Mittelhessen University of Applied Sciences of North Texas University of Cambridge