In a recent attack campaign, the Iran-linked threat actor tracked as TA453 has been posing as UK scholars with the University of London’s School of Oriental and African Studies (SOAS) to engage targets of interest and steal their credentials, security researchers with Proofpoint reveal.
Referred to as Operation SpoofedScholars, the campaign has been ongoing since at least January 2021, with a focus on harvesting sensitive information from individuals of interest, such as senior professors from well-known academic institutions and people focusing on the Middle East, including experts working with think tanks and journalists.
Believed to be supporting the information collection efforts of the Iranian Revolutionary Guard Corps (IRGC), TA453 engaged in benign conversations with their targets up to the point when they served a ‘registration link’ leading to a legitimate, albeit compromised, website belonging to the University of London’s SOAS Radio.
In one attack in early 2021, the hackers used a fake persona, “Dr. Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London,” to engage with targets and invite them to a fake conference. The hackers showed willingness to chat with their targets over the phone or through video conferencing software, repeatedly demonstrating “a desire to connect with the target in real-time,” Proofpoint says.
In one instance, the adversary was observed sending a credential harvesting email to a target’s personal account, but without masquerading as Dr. Kendel. Intended victims were senior think tank employees, journalists covering Middle Eastern affairs, and academic professors. Overall, fewer than ten organizations were targeted.
“These groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements, and understanding of U.S. nuclear negotiations, and most of the identified targets have been previously targeted by TA453,” Proofpoint says.
In addition to the spoofing of scholars, an element specific to this campaign is the use of the compromised website of a world-class academic institution, in an attempt to lend legitimacy to the phishing attempt and increase the chances of success.
Proofpoint expects TA453 to continue abusing legitimate infrastructure and spoofing scholars in future attacks aimed at supporting its intelligence collection on behalf of Iranian government interests.
“Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities,” Proofpoint concludes.
Also tracked as APT35, Ajax Security Team, Charming Kitten, ITG18, NewsBeef, Newscaster, and Phosphorus, TA453 has been active for at least a decade, mainly focused on entities in the Middle East, the U.K., and the U.S., including activists, journalists, and others.
Earlier this year, the threat actor was observed targeting senior medical professionals in the United States and Israel. Last year, it targeted attendees of policy conferences such as the Munich Security Conference and the Think 20 (T20) Summit, Israeli scholars and U.S. government employees, and the World Health Organization (WHO).