Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Silent Librarian

🌐Silent Librarian

🌐 Silent Librarian is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 13 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0122) ↗
14Use cases
0Articles
13Techniques
0IOCs

About this actor (MITRE)

[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Sil

Known aliases

Silent LibrarianTA407COBALT DICKENS

Top techniques

T1078 · Valid AccountsT1110.003 · Password SprayingT1114 · Email Collection

All other tracked techniques

T1114.003 · Email Forwarding RuleT1583.001 · DomainsT1585.002 · Email AccountsT1588.002 · ToolT1588.004 · Digital CertificatesT1589.002 · Email AddressesT1589.003 · Employee NamesT1594 · Search Victim-Owned WebsitesT1598.003 · Spearphishing LinkT1608.005 · Link Target

Detection use cases (14)

Silent Librarian (TA407 / COBALT DICKENS) university library-portal phishing → credential reuse from clicker IP AI · profile S Silent Librarian post-compromise mailbox auto-forward (T1114.003) on academic accounts AI · profile S 1Password impossible-travel sign-in MITRE match Atlassian administrator impersonating user MITRE match Auth0 anomalous attack-protection event spike MITRE match AWS Console login without MFA + impossible travel MITRE match Click on URL whose host doesn't match the sender domain MITRE match Credential-stuffing attack on application MITRE match GitLab password reset from suspicious IP MITRE match Google Workspace email auto-forwarding to external domain MITRE match M365 mail-forwarding rule created MITRE match Okta user account locked MITRE match AWS High Number Of Failed Authentications From Ip MITRE match Cisco ASA - User Account Lockout Threshold Exceeded MITRE match