Security researchers at Proofpoint recently discovered that an Iranian hacker group, TA453, masqueraded as British scholars, hacked the website of an institution associated with the University of London, and attempted to phish a large number of experts and professors to steal their credentials.
The hacker group, assessed by Proofpoint as a supporter of Iran’s Islamic Revolutionary Guard Corps (IRGC), kickstarted their credential-stealing phishing operation, dubbed Operation SpoofedScholars, by masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS).
To make their conversations with their intended victims appear genuine, TA453 actually hacked a legitimate website run by the School of Oriental and African Studies, created personalized credential harvesting pages disguised as registration links, and sent emails to victims, inviting them to attend an online conference called “The US Security Challenges in the Middle East.”
According to Proofpoint, the list of people targeted by TA453 included “experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.” The hackers reportedly engaged the invitees in long conversations and, in some cases, even offered to converse via video conferencing.
One of the emails sent out by the hacker group and studied by Proofpoint indicated that the sender, who assumed the identity of “Dr. Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London,” sent personal invitations to experts and scholars using a Gmail account.
The email solicited recipients to participate as main speakers in a webinar supposedly conducted by SOAS University of London. To confirm their participation, recipients were asked to click on a registration link, type in their personal details and share the bank account information to which their honorarium could be deposited.
Proofpoint said that the targeted victims, who are journalists, domain experts, or professors, hold information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements, and understanding of U.S. nuclear negotiations. The targets were carefully selected, and many of them had been targeted by TA453 previously.
“The tactics and techniques used by the group and their overall targeting detected by Proofpoint are in line with IRGC intelligence collection priorities, which gives us high confidence in our assessment that TA453 operates in support of the IRGC,” the firm said.
“According to the Meir Amit Intelligence and Terrorism Information Center’s November 2020 report, some of the IRGC IO’s responsibilities include foiling political subversion, combating western cultural penetration, and supporting the arrest of Iranian dual nationals.”
Sam Curry, the chief security officer at Cybereason, said: “The sophistication in this newest attack is interesting in that the threat actors connected via phone with the victims, making their ruse more believable. In general, nation-states will stop at nothing to steal personal information, conduct espionage and look to gain an upper hand on the world stage.”
“This attack heavily relied on social engineering, and so, highlights the need for institutions to educate staff and students by running phishing exercises and raising awareness of the latest attack vectors through threat intelligence research. In much the same way that dirt is good for the immune system, exposing employees to the techniques used by cyber attackers is extremely important,” says Lewis Jones, Threat Intelligence Analyst at Talion.