New Silent Librarian Phishing Campaigns
Back in 2018, the US Justice Department indicted nine Iranians in what was described as the “largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice”. The indicted individuals came to be known collectively as “Silent Librarian” or “COBALT DICKENS,” and according to Secureworks, the group launched new global phishing campaigns in July and August 2019.
In a statement issued in March 2018 the Department of Justice said “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said U.S. Attorney Berman. “As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard.
The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest. The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”
Similar to the previous campaigns, the group uses compromised university accounts and resources to send phishing emails, which are library-themed and contain links to fake login pages associated with the university being targeted. In the new campaigns, there are some sixty universities located in Australia, Canada, Hong Kong, the UK, US and Switzerland being targeted using at least twenty new domains with many of the domains having valid SSL certificates.
Many of these domains use valid SSL certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let’s Encrypt, a nonprofit organization that programmatically issues free certificates. However, past campaigns used certificates issued by the Comodo certificate authority.
| mlibo.ml | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| blibo.ga | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| azll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| azlll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| lzll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| jlll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| elll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| lllib.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| tsll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| ulll.tk | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| tlll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| libt.ga | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| libk.ga | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| libf.ga | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| libe.ga | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| liba.gq | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| libver.ml | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| ntll.tk | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| ills.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| vtll.cf | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| clll.tk | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| stll.tk | Hosting phishing website used by COBALT DICKENS for August/July 2019 operations |
| llii.xyz | Hosting phishing website used by COBALT DICKENS |
| lill.pro | Hosting phishing website used by COBALT DICKENS |
| eduv.icu | Hosting phishing website used by COBALT DICKENS |
| univ.red | Hosting phishing website used by COBALT DICKENS |
| unir.cf | Hosting phishing website used by COBALT DICKENS |
| unir.gq | Hosting phishing website used by COBALT DICKENS |
| unisv.xyz | Hosting phishing website used by COBALT DICKENS |
| unir.ml | Hosting phishing website used by COBALT DICKENS |
| unin.icu | Hosting phishing website used by COBALT DICKENS |
| unie.ml | Hosting phishing website used by COBALT DICKENS |
| unip.gq | Hosting phishing website used by COBALT DICKENS |
| unie.ga | Hosting phishing website used by COBALT DICKENS |
| unip.cf | Hosting phishing website used by COBALT DICKENS |
| nimc.ga | Hosting phishing website used by COBALT DICKENS |
| nimc.ml | Hosting phishing website used by COBALT DICKENS |
| savantaz.cf | Hosting phishing website used by COBALT DICKENS |
| unie.gq | Hosting phishing website used by COBALT DICKENS |
| unip.ga | Hosting phishing website used by COBALT DICKENS |
| unip.ml | Hosting phishing website used by COBALT DICKENS |
| unir.ga | Hosting phishing website used by COBALT DICKENS |
| untc.me | Hosting phishing website used by COBALT DICKENS |
| jhbn.me | Hosting phishing website used by COBALT DICKENS |
| unts.me | Hosting phishing website used by COBALT DICKENS |
| uncr.me | Hosting phishing website used by COBALT DICKENS |
| lib-service.com | Hosting phishing website used by COBALT DICKENS |
| unvc.me | Hosting phishing website used by COBALT DICKENS |
| untf.me | Hosting phishing website used by COBALT DICKENS |
| nimc.cf | Hosting phishing website used by COBALT DICKENS |
| anvc.me | Hosting phishing website used by COBALT DICKENS |
| ebookfafa.com | Hosting phishing website used by COBALT DICKENS |
| nicn.gq | Hosting phishing website used by COBALT DICKENS |
| untc.ir | Hosting phishing website used by COBALT DICKENS |
| librarylog.in | Hosting phishing website used by COBALT DICKENS |
| llli.nl | Hosting phishing website used by COBALT DICKENS |
| lllf.nl | Hosting phishing website used by COBALT DICKENS |
| libg.tk | Hosting phishing website used by COBALT DICKENS |
| ttil.nl | Hosting phishing website used by COBALT DICKENS |
| llil.nl | Hosting phishing website used by COBALT DICKENS |
| lliv.nl | Hosting phishing website used by COBALT DICKENS |
| llit.site | Hosting phishing website used by COBALT DICKENS |
| flil.cf | Hosting phishing website used by COBALT DICKENS |
| e-library.me | Hosting phishing website used by COBALT DICKENS |
| cill.ml | Hosting phishing website used by COBALT DICKENS |
| fill.cf | Hosting phishing website used by COBALT DICKENS |
| libm.ga | Hosting phishing website used by COBALT DICKENS |
| eill.cf | Hosting phishing website used by COBALT DICKENS |
| llib.cf | Hosting phishing website used by COBALT DICKENS |
| eill.ga | Hosting phishing website used by COBALT DICKENS |
| nuec.cf | Hosting phishing website used by COBALT DICKENS |
| illl.cf | Hosting phishing website used by COBALT DICKENS |
| cnen.cf | Hosting phishing website used by COBALT DICKENS |
| aill.nl | Hosting phishing website used by COBALT DICKENS |
| eill.nl | Hosting phishing website used by COBALT DICKENS |
| mlib.cf | Hosting phishing website used by COBALT DICKENS |
| ulll.cf | Hosting phishing website used by COBALT DICKENS |
| nlll.cf | Hosting phishing website used by COBALT DICKENS |
| clll.nl | Hosting phishing website used by COBALT DICKENS |
| llii.cf | Hosting phishing website used by COBALT DICKENS |
| etll.cf | Hosting phishing website used by COBALT DICKENS |
| 1edu.in | Hosting phishing website used by COBALT DICKENS |
| aill.cf | Hosting phishing website used by COBALT DICKENS |
| atna.cf | Hosting phishing website used by COBALT DICKENS |
| atti.cf | Hosting phishing website used by COBALT DICKENS |
| aztt.tk | Hosting phishing website used by COBALT DICKENS |
| cave.gq | Hosting phishing website used by COBALT DICKENS |
| ccli.cf | Hosting phishing website used by COBALT DICKENS |
| cnma.cf | Hosting phishing website used by COBALT DICKENS |
| cntt.cf | Hosting phishing website used by COBALT DICKENS |
| crll.tk | Hosting phishing website used by COBALT DICKENS |
| csll.cf | Hosting phishing website used by COBALT DICKENS |
| ctll.tk | Hosting phishing website used by COBALT DICKENS |
| cvnc.ga | Hosting phishing website used by COBALT DICKENS |
| cvve.cf | Hosting phishing website used by COBALT DICKENS |
| czll.tk | Hosting phishing website used by COBALT DICKENS |
| cztt.tk | Hosting phishing website used by COBALT DICKENS |
| euca.cf | Hosting phishing website used by COBALT DICKENS |
| euce.in | Hosting phishing website used by COBALT DICKENS |
| ezll.tk | Hosting phishing website used by COBALT DICKENS |
| ezplog.in | Hosting phishing website used by COBALT DICKENS |
| ezproxy.tk | Hosting phishing website used by COBALT DICKENS |
| eztt.tk | Hosting phishing website used by COBALT DICKENS |
| flll.cf | Hosting phishing website used by COBALT DICKENS |
| iell.tk | Hosting phishing website used by COBALT DICKENS |
| iull.tk | Hosting phishing website used by COBALT DICKENS |
| izll.tk | Hosting phishing website used by COBALT DICKENS |
| lett.cf | Hosting phishing website used by COBALT DICKENS |
| lib1.bid | Hosting phishing website used by COBALT DICKENS |
| lib1.pw | Hosting phishing website used by COBALT DICKENS |
| libb.ga | Hosting phishing website used by COBALT DICKENS |
| libe.ml | Hosting phishing website used by COBALT DICKENS |
| libg.cf | Hosting phishing website used by COBALT DICKENS |
| libg.ga | Hosting phishing website used by COBALT DICKENS |
| libg.gq | Hosting phishing website used by COBALT DICKENS |
| libloan.xyz | Hosting phishing website used by COBALT DICKENS |
| libnicinfo.xyz | Hosting phishing website used by COBALT DICKENS |
| libraryme.ir | Hosting phishing website used by COBALT DICKENS |
| libt.ml | Hosting phishing website used by COBALT DICKENS |
| libu.gq | Hosting phishing website used by COBALT DICKENS |
| lill.gq | Hosting phishing website used by COBALT DICKENS |
| llbt.tk | Hosting phishing website used by COBALT DICKENS |
| llib.ga | Hosting phishing website used by COBALT DICKENS |
| llic.cf | Hosting phishing website used by COBALT DICKENS |
| llic.tk | Hosting phishing website used by COBALT DICKENS |
| llil.cf | Hosting phishing website used by COBALT DICKENS |
| llit.cf | Hosting phishing website used by COBALT DICKENS |
| lliv.tk | Hosting phishing website used by COBALT DICKENS |
| llse.cf | Hosting phishing website used by COBALT DICKENS |
| ncll.tk | Hosting phishing website used by COBALT DICKENS |
| ncnc.cf | Hosting phishing website used by COBALT DICKENS |
| nctt.tk | Hosting phishing website used by COBALT DICKENS |
| necr.ga | Hosting phishing website used by COBALT DICKENS |
| nika.ga | Hosting phishing website used by COBALT DICKENS |
| nsae.ml | Hosting phishing website used by COBALT DICKENS |
| nuec.ml | Hosting phishing website used by COBALT DICKENS |
| rill.cf | Hosting phishing website used by COBALT DICKENS |
| rnva.cf | Hosting phishing website used by COBALT DICKENS |
| rtll.tk | Hosting phishing website used by COBALT DICKENS |
| sctt.cf | Hosting phishing website used by COBALT DICKENS |
| shibboleth.link | Hosting phishing website used by COBALT DICKENS |
| sitl.tk | Hosting phishing website used by COBALT DICKENS |
| slli.cf | Hosting phishing website used by COBALT DICKENS |
| till.cf | Hosting phishing website used by COBALT DICKENS |
| titt.cf | Hosting phishing website used by COBALT DICKENS |
| uill.cf | Hosting phishing website used by COBALT DICKENS |
| uitt.tk | Hosting phishing website used by COBALT DICKENS |
| ulibe.ml | Hosting phishing website used by COBALT DICKENS |
| ulibr.ga | Hosting phishing website used by COBALT DICKENS |
| umlib.ml | Hosting phishing website used by COBALT DICKENS |
| umll.tk | Hosting phishing website used by COBALT DICKENS |
| uni-lb.com | Hosting phishing website used by COBALT DICKENS |
| unll.tk | Hosting phishing website used by COBALT DICKENS |
| utll.tk | Hosting phishing website used by COBALT DICKENS |
| vsre.cf | Hosting phishing website used by COBALT DICKENS |
| web2lib.info | Hosting phishing website used by COBALT DICKENS |
| xill.tk | Hosting phishing website used by COBALT DICKENS |
| zedviros.ir | Hosting phishing website used by COBALT DICKENS |
| zill.cf | Hosting phishing website used by COBALT DICKENS |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.