Iranian Hackers Impersonate British Scholars in Recent Campaign

In a recent attack campaign, the Iran-linked threat actor tracked as TA453 has been posing as UK scholars with the University of London’s School of Oriental and African Studies (SOAS) to engage targets of interest and steal their credentials, security researchers with Proofpoint reveal.

Referred to as Operation SpoofedScholars, the campaign has been ongoing since at least January 2021, with a focus on harvesting sensitive information from individuals of interest, such as senior professors from well-known academic institutions and people focusing on the Middle East, including experts working with think tanks and journalists.

Believed to be supporting the information collection efforts of the Iranian Revolutionary Guard Corps (IRGC), TA453 engaged in benign conversations with their targets, up to the point when they served a ‘registration link’ leading to a legitimate, albeit compromised, website of the University of London’s SOAS Radio.

In one attack in early 2021, the hackers used a fake persona, “Dr. Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London,” to engage with targets and invite them to a fake conference. The hackers showed willingness to chat with their targets over the phone or through video conferencing software, repeatedly demonstrating “a desire to connect with the target in real-time,” Proofpoint says.

In one instance, the adversary was observed sending a credential harvesting email to a target’s personal account, but without masquerading as Dr. Kendel. Intended victims were senior think tank employees, journalists covering Middle Eastern affairs, and academic professors. Overall, fewer than ten organizations were targeted.

“These groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements, and understanding of U.S. nuclear negotiations, and most of the identified targets have been previously targeted by TA453,” Proofpoint says.

In addition to the spoofing of scholars, an element specific to this campaign is the use of the compromised website of a world-class academic institution, in an attempt to lend legitimacy to the phishing attempt and increase its chances of success.

Proofpoint expects TA453 to continue abusing legitimate infrastructure and spoofing scholars in future attacks aimed at supporting its intelligence collection on behalf of Iranian government interests.

“Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities,” Proofpoint concludes.

Also tracked as APT35, Ajax Security Team, Charming Kitten, ITG18, NewsBeef, Newscaster, and Phosphorus, TA453 has been active for at least a decade, mainly focused on entities in the Middle East, the U.K., and the U.S., including activists, journalists, and others.

Earlier this year, the threat actor was observed targeting senior medical professionals in the United States and Israel. Last year, it targeted attendees of policy conferences such as the Munich Security Conference and the Think 20 (T20) Summit, Israeli scholars and US government employees, and the World Health Organization (WHO).

Related: “Cyber Disruption” Stops Websites of Iranian Ministry

Related: US Takes Down Iran-linked News Sites, Alleges Disinformation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
