An Iranian cyber espionage campaign used spoofed identities of real academics at a UK university in phishing attacks designed to steal password details of experts in Middle Eastern affairs from universities, think tanks and the media.
Detailed by cybersecurity researchers at Proofpoint, who’ve dubbed it Operation SpoofedScholars, the campaign also compromised a university-affiliated website in an effort to deliver personalised credential harvesting pages to targets, under the guise of inviting them to speak in a webinar on Middle Eastern issues.
Proofpoint researchers have linked the phishing campaign to an Advanced Persistent Threat (APT) group they refer to as TA453 – also known as Charming Kitten and Phosphorus – a state-backed intelligence gathering operation working on behalf of the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces.
The attackers used a Gmail addresses designed to look like they belonged to genuine academics at the University of London’s School of Oriental and African Studies (SOAS), exploiting trust in the names of real staff.
The attackers operating the email address sent messages to prospective targets, inviting them to an online conference on “The US Security Challenges in the Middle East”, including the offer to speak to the target on the phone to discuss details, which is unusual.
Eventually, the attackers sent a personalised “registration link” to their targets, sending them to what looked like a SOAS webinar platform.
This was hosted on a legitimate but compromised website belonging to University of London’s SOAS Radio – a website SOAS says is separate from the main SOAS website and not part of the official domain – which asked the user to sign in to the platform via an email address, with options of different links to click on depending on the choice of email hosting provider of the victim.
Options included Google, Yahoo, Microsoft, iCloud, Facebook and others – and if the user clicked on the link, they’d be taken to a spoofed version of the email provider’s login page, which the attackers could use to steal the username and password with the intention of espionage and additional phishing attacks.
The researchers are confident that the campaign is working out of Iran.
“Attribution specifically for Operation SpoofedScholars is based on similarities to previous TA453 campaigns and consistency with TA453’s historical targeting. TA453 often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint told ZDNet.
“Additionally, TA453 concentrates their credential phishing to specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns”.
It’s not known if the attackers have been successful in their attempts to steal information, but after being informed that the website was compromised, SOAS took action to remove it.
“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sort of peripheral systems,” a SOAS spokesperson told ZDNet.
“To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff,” they said.
Iranian cyber operations have regularly targeted academics in the UK and it’s likely that they’ll return with further campaigns in future.
“Educational intuitions will remain prime targets due to high student, faculty and staff populations and turnover, coupled with ongoing independent research and the culture of openness and information-sharing,” said DeGrippo.
“It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority to aid staff with the ability to identify phishing pages,” she added.
MORE ON CYBERSECURITY