Iranian hackers pose as scholars to target professors and writers in the Middle East. According to security firm Proofpoint, the advanced persistent threat tracked as TA453, also known as APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorus (Microsoft), is running a campaign dubbed “Operation Spoofed Scholars.” The group is a state cyber warfare unit operating on behalf of the Islamic Revolutionary Guard Corps (IRGC).
According to Proofpoint, the campaign shows a new escalation and sophistication in TA453’s methods. The campaign targets experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.
The intention behind this campaign is to obtain sensitive information by masquerading as scholars from the University of London’s School of Oriental and African Studies (SOAS).
The threat actors pose as British scholars to a small, carefully selected group of victims and attempt to lure them into clicking a registration link for an online conference. The link is engineered to capture credentials for Google, Microsoft, Facebook, and Yahoo accounts.
What makes this look legitimate is that the credential phishing infrastructure is hosted on a genuine but compromised website belonging to the University of London’s SOAS Radio. The attackers send personalized registration links that lead to disguised pages on that site, and the credentials entered there are delivered to the attackers rather than to any real conference.
Researchers at Proofpoint said, “TA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links.”
Some of the scholars who were impersonated include Dr. Hanns Bjoern Kendel, an associate professor of diplomatic studies and international relations, and Dr. Tolga Sinmazdemir, a senior lecturer in political methodology.
In some cases TA453 also asked targets to sign in to register for the webinar while the group was online, which indicates the attackers planned to validate the captured credentials manually and immediately.
The attacks first appeared in January 2021, and the group shifted its tactics in subsequent email phishing lures.
The researchers further added, “TA453 illegally obtained access to a website belonging to a world-class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets. The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities.”