In 2018, the FBI announced that hundreds of universities worldwide were compromised by a massive cyber-theft campaign backed by the Iranian government; 42 were in Canada, and one of them was at Western.
The Mabna Institute, supported by the Islamic Revolutionary Guard Corps, tasked nine men in 2013 to harvest universities’ intellectual property and funnel it back to Iranian institutions — all nine are now on the Federal Bureau of Investigation's Most Wanted list.
Documents obtained by the Gazette reveal the extent to which Western University was both targeted and compromised by the campaign waged by the Iranian armed forces in 2014, a year into the attacks. According to emails sent by the Canadian government to universities, Western researchers were hand-picked for their work, and the hackers sought to hijack their university email accounts to access it.
Mabna’s campaign was eventually dubbed “Silent Librarian.”
Though Western, as a research university, is familiar with cyber-espionage threats, it is rare they are targeted by a foreign nation, and even rarer that their defences are breached.
The Silent Librarian logs on
Emails sent by the Canadian Cyber Incident Response Centre detail the methods Mabna used to infiltrate universities’ digital architecture, including specific accounts the attackers used as cover for their theft.
Though the attacks took place in 2014, Canadian universities were first contacted by the government in March 2018. An email sent to a mailing list of university cybersecurity officials revealed the Iranian military was behind an attack the officials had likely detected but not attributed to a culprit.
“[We are] aware of public reports surrounding malicious cybersecurity activities directed at multiple universities internationally,” one email reads. “[We have] received information from trusted sources on related activities affecting Canadian universities.”
The March 2018 email summarized the “Typical Victim Environment” of compromised accounts, including that the “vast majority” of targets used Microsoft Outlook accounts and configured their mail to be synchronized or forwarded to different accounts or devices.
Of the 320 universities targeted globally, 42 were Canadian. The cost to Canadian schools is unknown, though it cost 114 American universities $3.4 billion USD.
Western corresponded directly with the CCIRC, now called the Canadian Centre for Cyber Security, and the government described what had been compromised; though Western had detected the attacks at the time, the university was unaware it was a state-sponsored effort.
In all, at least 40 Western researchers across four departments were listed as having “research of interest,” and their accounts were consequently targeted. At least seven were compromised.
Twelve people from Western’s nursing department were targeted, and two accounts were compromised. From biology, another 12 were targeted with only one breach. Eleven were targeted in chemistry, with four breaches. Nine were targeted from economics, but none were compromised.
With the accounts commandeered, Western’s library proxy was breached and resources were harvested from an Iranian IP address.
“We caught it early, we expired the accounts, but they had logged on to the library catalogue system before we had closed all of them off,” explains Colin Couchman, Western’s director of Cyber Security and Business Services.
“I can’t speak to what it is they copied, but they got access to some of those journals.”
Advanced Persistent Threat
On March 23, 2018, a New York grand jury indicted the nine men after an FBI investigation concluded they had conducted the cyber-theft campaign on behalf of the Islamic Revolutionary Guard Corps. They were charged with conspiracy, computer intrusions, wire fraud, unauthorized computer access and identity theft.
The defendants are members of Mabna, an Iranian education company that acts as a “pirated JSTOR” for the country’s academic and research spheres. Mabna stole more than 31 terabytes of data from universities alone. Printing out that much data would take the paper from 1.5 million trees.
It is one of the largest state-sponsored hacking campaigns ever prosecuted by the U.S. Department of Justice, according to the indictment.
The Islamic Revolutionary Guard Corps is a special branch of the country’s military: the Guard is a common actor in the realm of cyber espionage and disinformation. According to the European Union Agency for Network and Information Security, Iran is one of “the three most capable and active cyber actors tied to economic espionage,” alongside China and Russia.
The cybersecurity community classifies such a group as an APT, an advanced persistent threat.
Mabna targeted universities in 22 countries. They also attacked 46 private companies, the state governments of Hawaii and Indiana and the United Nations.
University libraries pay steeply to access online intellectual property and to guard that access behind a proxy which requires username and password authentication. Foreign governments target universities to bring this access to their own institutions illegitimately.
This was the plan of Silent Librarian: get login info, use it to access intellectual property, steal it and sell it.
Mabna hijacked access to journals, dissertations, theses and other data. Property from countless fields of research was targeted and exfiltrated to foreign servers. The institute targeted more than 100,000 accounts, 8,000 of which were compromised — across Australia, Denmark, Germany, Singapore, Canada and more.
To obtain account credentials, Mabna used the common cybercrime technique of phishing.
Phishing tries to trick targets into revealing personal information — often login credentials — through individuals posing as legitimate sources. Attackers send wide nets of malicious emails to a high number of recipients with the hopes that a handful will hand over their information.
Spear phishing is a more deceptive and focused version of phishing, which typically targets a smaller group of victims and disguises its sender as a member of their group. Instead of sending a vague email to many recipients, spear phishing hand-picks individuals with personalised emails, often disguised as messages from friends or colleagues.
“We detect these [campaigns] fairly quickly and fairly well, but there are lots of instances over the years where phishing campaigns have been successful,” said Couchman.
He added that around 10 individuals at Western fall for phishing scams every month.
“The people out there that are trying to get into these institutions, that’s all they do,” says Couchman. “They spend their entire day trying to figure out how to get access to these environments.”
Cybercriminals will often spoof their email addresses to appear more legitimate. Spear phishing emails sent to Western students will often appear to be sent from an @uwo.ca email address, explains Couchman.
Like most phishing emails, the Silent Librarian attacks used deceptive hyperlinks to redirect victims from a seemingly innocuous email to websites set up by the Mabna Institute, which were made to appear like Western’s own sites.
The purpose of these websites was to harvest the login credentials of victims, who had been led to believe that they were authentic Western pages.
Documents reveal the institute mimicked Western’s URLs to further disguise themselves.
For example, one of the cloned URLs begins:
Whereas a similar, legitimate Western Libraries URL is:
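One way a mail gateway or awareness tool can catch the deceptive links and mimicked URLs described above, as an added example that is not part of the article or Western’s tooling: uwo.ca is the institutional domain the article names, while every other hostname in the code is constructed for illustration.

```python
import re
from urllib.parse import urlparse

# uwo.ca is the institutional domain named in the article; all other hostnames
# used with this code are constructed for this example.
LEGIT_DOMAINS = {"uwo.ca"}
# visible link text that itself looks like a URL, e.g. "https://lib.uwo.ca/login"
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)

def registrable_domain(host):
    """Last two labels of a hostname; a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def normalise(name):
    """Fold hyphen and digit-for-letter tricks so 'uw0-ca' compares equal to 'uwo.ca'."""
    return re.sub(r"[-_.]", "", name.lower()).replace("0", "o").replace("1", "l")

def classify_href(href, legit=LEGIT_DOMAINS):
    """Classify a link target as legitimate, lookalike, suspicious or external."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return "suspicious", "no hostname in link"
    if parsed.username is not None:
        # user@host form: the text before '@' is decoration, the real host follows it
        return "suspicious", "userinfo before host, real host is %s" % host
    reg = registrable_domain(host)
    if reg in legit:
        return "legitimate", "registrable domain is %s" % reg
    sld = reg.split(".")[0]
    for d in legit:
        if d in host:  # institutional name buried in a subdomain of a foreign domain
            return "lookalike", "contains '%s' but registrable domain is %s" % (d, reg)
        if normalise(d) in (normalise(reg), normalise(sld)):
            return "lookalike", "%s resembles %s" % (reg, d)
    return "external", "registrable domain is %s" % reg

def classify_anchor(text, href):
    """Flag a hyperlink whose visible text names one site while the target is another."""
    m = URLISH.match(text.strip())
    actual = urlparse(href).hostname
    if m and actual and registrable_domain(m.group(1)) != registrable_domain(actual):
        return "deceptive", "text shows %s but link goes to %s" % (m.group(1), actual)
    return classify_href(href)

if __name__ == "__main__":
    for text, href in [("Library login", "https://lib.uwo.ca/login"),
                       ("https://lib.uwo.ca/login", "https://lib.uwo.ca.example-login.net/")]:
        print(text, "->", href, classify_anchor(text, href))
```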
According to Couchman, these attacks are common across universities. However, state-sponsored cyber activity, like the Mabna attacks, is a rare occurrence.
Western uses an array of technologies to detect attacks and intrusions, says Couchman. One approach used is Security Information and Event Management, which aggregates data across the network and looks for deviations from normal activity. Once an anomaly is detected, SIEM can notify the system’s administrators and take action to remedy the threat.
“We use these tools to detect where things are coming into the organization and to remedy those particular attack points accordingly,” explains Couchman.
Once Western Technology Services detects a compromised account, standard procedure is to freeze the suspected account and force a password change, which can only be initiated by the user calling the WTS helpdesk and verifying their identity.
If WTS detects a compromised system, each affected department and campus is notified. WTS also has the ability to remotely isolate and lock out an affected server from the organization.
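The SIEM-style anomaly detection and the freeze-the-account step described above, as an added example that is not Western’s tooling: it runs three rules over constructed library-proxy log lines (invented accounts, documentation-range addresses, an assumed per-account country baseline) and returns the accounts to expire pending a helpdesk-verified password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed library-proxy log (not real Western data): time, account, source IP,
# GeoIP country, event. Accounts are invented; the addresses are documentation ranges.
PROXY_LOG = """\
2014-03-03T09:12:01 jdoe 203.0.113.5 CA login
2014-03-03T09:14:30 jdoe 203.0.113.5 CA fetch
2014-03-03T13:41:07 jdoe 198.51.100.9 IR login
2014-03-03T13:41:20 jdoe 198.51.100.9 IR fetch
2014-03-03T13:41:45 jdoe 198.51.100.9 IR fetch
2014-03-03T13:42:10 jdoe 198.51.100.9 IR fetch
2014-03-03T13:42:33 jdoe 198.51.100.9 IR fetch
2014-03-04T08:00:00 asmith 203.0.113.77 CA login
2014-03-04T08:03:00 asmith 203.0.113.77 CA fetch"""
# Countries each account normally authenticates from (assumed baseline).
BASELINE = {"jdoe": {"CA"}, "asmith": {"CA", "US"}}

def parse(log):
    """Parse log lines into (timestamp, user, ip, country, action), oldest first."""
    rows = [line.split() for line in log.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), u, ip, c, a) for t, u, ip, c, a in rows)

def find_anomalies(events, baseline, max_fetch=3, window=timedelta(minutes=10),
                   travel=timedelta(hours=6)):
    """Three SIEM-style rules: login outside baseline, impossible travel, bulk fetching."""
    alerts, last_login, recent, bulk_seen = [], {}, defaultdict(list), set()
    for ts, user, ip, country, action in events:
        if action == "login":
            if country not in baseline.get(user, set()):
                alerts.append((user, "login from %s (%s) outside baseline" % (country, ip)))
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] < travel:
                alerts.append((user, "logins from %s and %s only %s apart" % (prev[1], country, ts - prev[0])))
            last_login[user] = (ts, country)
        elif action == "fetch":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # drop fetches older than the sliding window
                q.pop(0)
            if len(q) > max_fetch and user not in bulk_seen:  # alert once per account
                bulk_seen.add(user)
                alerts.append((user, "%d fetches within %s from %s" % (len(q), window, ip)))
    return alerts

def accounts_to_freeze(alerts):
    """Accounts to expire pending a helpdesk-verified password reset."""
    return sorted({user for user, _ in alerts})

if __name__ == "__main__":
    for user, why in find_anomalies(parse(PROXY_LOG), BASELINE):
        print(user, why)
```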
Apart from Western’s internal security apparatus, the university also relies on other Canadian universities, which share information around threats as they emerge. Additionally, Western receives threat warnings from the CCCS, such as the warning that the 2014 attacks were related to the Mabna Institute.