Security researchers believe that the Iranian hackers charged in the US last week for hacking into 300 global universities were experienced phishers.
Cyber security firm PhishLabs, which identified the group and assisted US authorities on their arrests, has since found that the hackers were behind a string of sophisticated phishing campaigns in the past.
Furthermore, they had apparently used the same phishing techniques for years without needing to change them.
Last week, US Deputy Attorney General Rod Rosenstein indicted nine Iranians who formed part of a hacking group called Mabna Institute.
The prosecutors claim that they hacked into hundreds of universities, government organisations and companies globally, stealing 31 terabytes of data.
Carne Hassold, director of threat intelligence, said: "The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran."
He estimated the total cost of the campaign to the universities of $3.4 billion, although didn't reveal how he arrived at that sum.
Now, the cyber security firm has discovered more information about the Iranian hacking group's history. It is believed that the hackers used the same phishing attack for four years.
The technique only began to change by the end of 2017, when minor spelling error corrections were made. However, most of the phishing messages remained unchanged.
In the campaign, the group would prey on university students, sending emails from the institution's network asking them to change their library account details.
Hassold said the "lures constructed by 'Silent Librarian' are remarkably authentic-looking". He added: "Spelling and grammar, two of the primary indicators of a malicious email, are nearly perfect.
"The message in the lures are contextually legitimate, meaning it is an email a recipient could be reasonably expected to receive."
While the emails addresses were fake, they looked like they had been sent by university officials. They also contained domain links imitating the library website and the names of librarians.
"Silent Librarian phishing campaigns [and] tactics have barely changed over time. Outside the correction of a few minor spelling errors, the content of the phishing lures has remained incredibly consistent," Hassold added.
"The likely reason for this consistency is that the success rate of campaigns using these lures was high enough that there was no need for them to evolve."
Dr Kuan Hon criticises GDPR consent emails that will only eviscerate marketing databases and 'media misinformation'
Apple squashes Steam Link app on 'business conflicts' grounds
Philip Hammond wants to forget rules that the UK agreed with the EU to ban non-European companies from the satellites
Instapaper to 'go dark' in Europe until it can work out GDPR compliance