New Silent Librarian Phishing Campaigns

Back in 2018, the US Justice Department indicted nine Iranians in what was described as one of the “largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice”. The indicted individuals came to be known collectively as “Silent Librarian” or “COBALT DICKENS”, and according to Secureworks, the group launched new global phishing campaigns in July and August 2019.

In a statement issued in March 2018, the Department of Justice said: “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code,” said U.S. Attorney Berman. “As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard.

The hackers targeted innovations and intellectual property from our country’s greatest minds.  These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest.  The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”   

As in the previous campaigns, the group uses compromised university accounts and resources to send library-themed phishing emails containing links to fake login pages associated with the university being targeted. In the new campaigns, some sixty universities in Australia, Canada, Hong Kong, the UK, the US and Switzerland are being targeted using at least twenty new domains, many of which have valid SSL certificates.

Many of these domains use valid SSL certificates, likely to make the spoofed pages appear authentic. The overwhelming majority of the certificates observed in 2019 were issued by Let’s Encrypt, a nonprofit organization that programmatically issues free certificates. However, past campaigns used certificates issued by the Comodo certificate authority.
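A mail-gateway check for the pattern described above, as an added example that is not part of the original article: it triages links in inbound email against the institution's own domains and deliberately ignores whether a link uses HTTPS, since a valid certificate only proves control of the look-alike domain. The trusted domain `example.edu`, the theme words, the embedded-domain heuristic and the sample links are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the institution's real domains and the theme words.
TRUSTED_DOMAINS = {"example.edu"}  # constructed placeholder
THEME_WORDS = ("lib", "ezproxy", "shibboleth", "login")

def is_trusted(host):
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def classify_link(url):
    """Return (verdict, reason) for one link found in an inbound email."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ("ignore", "no hostname")
    if is_trusted(host):
        return ("allow", "host belongs to a trusted domain")
    # Assumed look-alike pattern: a trusted domain used as leading labels of
    # a foreign host (library.example.edu.<other-domain>) so the URL
    # resembles the real login address at a glance.
    for d in TRUSTED_DOMAINS:
        if host.startswith(d + ".") or ("." + d + ".") in host:
            return ("block", "trusted domain embedded in foreign host")
    # Library/login wording on a host the institution does not own. The URL
    # scheme is never consulted: HTTPS with a valid certificate is not
    # evidence that the page is authentic.
    text = host + parts.path.lower()
    if any(w in text for w in THEME_WORDS):
        return ("review", "library/login theme on untrusted host")
    return ("ignore", "unrelated external link")

# Constructed sample links (not taken from any real campaign).
SAMPLE_LINKS = [
    "https://library.example.edu/renew",
    "https://library.example.edu.libx.example/login",
    "https://libx.example/ezproxy/login.php",
    "https://news.example.org/article",
    "https://example.edu.evil.example:443/",
]

def triage(links):
    """Map each link to its verdict only."""
    return {u: classify_link(u)[0] for u in links}

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        print(classify_link(url), url)
```

The `review` verdict is intentionally broad and is meant to feed a human or a second-stage check, not to block mail on its own.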


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
