In a sophisticated phishing campaign, the group TA453 masqueraded as British university scholars to covertly target individuals of intelligence interest to the Iranian government.

An Iranian cyber-espionage campaign using spoofed identities of academics at a UK university to harvest data from various experts in Middle Eastern affairs has been uncovered.

Detailed by researchers at the cyber-security firm Proofpoint, the Iranian group was found to have compromised a real website affiliated with the School of Oriental and African Studies (SOAS), University of London, in an effort to deliver personalised credential-harvesting pages to targets under the guise of inviting them to a webinar on Middle Eastern issues.

Dubbed “SpoofedScholars”, Proofpoint revealed how hackers tried to establish communication with invites to fake conferences or events, and went as far as to request calls with the targets.

Proofpoint researchers linked the phishing campaign to an Advanced Persistent Threat (APT) group referred to as TA453 – also known as Charming Kitten and Phosphorus – they believe with “high confidence” to be a state-backed intelligence-gathering operation connected to the Islamic Revolutionary Guard Corps (IRGC), a wing of Iran’s armed forces.

What makes the group’s latest campaign concerning is how its tactics have evolved in complexity within a short period of time.

“TA453 typically uses actor controlled phishing pages to harvest their targets’ credentials, similar to the BadBlood campaign we reported on in March 2021,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“The use of a compromised site, especially one so topical like SOAS to TA453’s interest, is highly unusual and more sophisticated for this group,” she told TRT World.

In January 2021, emails sent from a Gmail address claiming to be from a senior teaching and research fellow at SOAS invited people to an online conference called “The US Security Challenges in the Middle East”.

TA453 sent an initial email trying to entice its target with a prospective invitation to an online conference.
TA453 sent an initial email trying to entice its target with a prospective invitation to an online conference. (Proofpoint)

Once a conversation was established, targets were then sent a “registration link” hosted by a dummy website belonging to SOAS radio, an independent online radio station based at SOAS, which was compromised by the hackers. It then offered log-on options via various email clients that could capture passwords and usernames.

It’s unclear whether the attackers were successful in stealing any information. After being informed, SOAS said no personal information was acquired and the compromised radio website was separate from its official website.

“No personal information was obtained from SOAS, and none of our data systems (eg. staff and student records, financial information, emails and core website and so on) were involved or affected by this,” the university told TRT World in a statement.

“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sorts of peripheral systems.”

The compromised SOAS-related website invited people to register as a way of capturing their passwords and user names.
The compromised SOAS-related website invited people to register as a way of capturing their passwords and user names. (Proofpoint)

DeGrippo identifies TA453’s effort to leverage a prominent educational institution to carry out the campaign and engage its targets in real-time conversation, pointing to a new strategy.

In one instance the attackers suggested to a recipient that they connect via videoconference, which Proofpoint believed demonstrated the group’s confidence in its English skills and in impersonation.

“The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns,” DeGrippo predicts, adding that it will continue to iterate, innovate and collect data in support of IRGC’s priorities.

Overall, the operation was highly targeted, with less than ten organisations contacted from mainly the US and UK. In their crosshairs were journalists focused on the Middle East, senior think tank personnel working on the region, and university professors.

It’s believed those targets were singled out because of the information they might have possessed related to their country’s foreign policy towards Iran, negotiations over Iran’s nuclear programme, or information related to Iranian dissidents.

UK academics have frequently been targeted by Iranian cyber operations in the past, and future campaigns are likely to continue taking aim at students and staff to gain access to sensitive data stored in university information systems.

“Education institutions will remain prime targets due to high student, faculty and staff populations and turnover, coupled with ongoing independent research and the culture of openness and information-gathering,” said DeGrippo.

“It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority to aid staff with the ability to identify phishing pages.”

Source: TRT World