A sophisticated social engineering attack undertaken by an Iranian state-aligned actor targeted think tanks, journalists, and professors with the aim of soliciting sensitive information by masquerading as scholars from the University of London's School of Oriental and African Studies (SOAS).
Enterprise security firm Proofpoint attributed the campaign — called "Operation SpoofedScholars" — to the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorous (Microsoft). The government cyber warfare group is suspected to carry out intelligence efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC).
"Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage," the researchers said in a technical write-up shared with The Hacker News. "The campaign shows a new escalation and sophistication in TA453's methods."
On a high level, the attack chain involved the threat actor posing as British scholars to a group of highly selective victims in an attempt to entice the target into clicking on a registration link to an online conference that's engineered to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.
To lend it an air of legitimacy, the credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London's SOAS Radio, using which personalized credential harvesting pages disguised as registration links were then delivered to unsuspecting recipients.
At least in one instance, TA453 is said to have sent a credential harvesting email to a target to their personal email account. "TA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links," the researchers said.
Interestingly, TA453 also insisted that the targets sign in to register for the webinar while the group was online, raising the possibility that the attackers were "planning on immediately validating the captured credentials manually." The attacks are believed to have commenced as far back as January 2021, before the group subtly shifted its tactics in subsequent email phishing lures.
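The two tells in the lure described above (a persona claiming university affiliation but writing from a consumer webmail account, and a "registration" link hosted outside the institution's official academic domains) can be turned into a simple triage check. The following is an added example for mail-security triage, not code from Proofpoint or from the article; the institution-to-domain map, the webmail list, and the sample messages (including the `soasradio.example` host) are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Consumer webmail domains a genuine university events office would not send from (assumption).
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Keyword a lure uses to claim affiliation -> official academic domains (assumed defender-maintained).
CLAIMED_INSTITUTIONS = {"soas": {"soas.ac.uk"}}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def analyse_lure(raw_email: str) -> list[str]:
    """Return findings that match the SpoofedScholars lure pattern; empty list means no match."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    for keyword, official in CLAIMED_INSTITUTIONS.items():
        if keyword not in text:
            continue  # message does not invoke this institution at all
        if sender_domain in WEBMAIL_DOMAINS:
            findings.append(f"claims {keyword} affiliation but sent from webmail domain {sender_domain}")
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            # A registration link should sit on the institution's own academic domain.
            if not any(host == d or host.endswith("." + d) for d in official):
                findings.append(f"registration link host {host} is outside {sorted(official)}")
    return findings

# Constructed sample messages for demonstration only.
LURE_EMAIL = """From: Dr A. Scholar <a.scholar.soas@gmail.com>
To: target@example.org
Subject: Invitation: SOAS online conference on Middle East affairs

Dear colleague, please register at https://soasradio.example/register?id=42 to confirm your place.
"""
LEGIT_EMAIL = """From: Events Office <events@soas.ac.uk>
To: target@example.org
Subject: SOAS seminar registration

Register via https://www.soas.ac.uk/events/register before Friday.
"""

if __name__ == "__main__":
    print(analyse_lure(LURE_EMAIL))   # two findings: webmail sender, off-domain link
    print(analyse_lure(LEGIT_EMAIL))  # []
```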
This is not the first time the threat actor has launched credential phishing attacks. Earlier this March, Proofpoint detailed a "BadBlood" campaign targeting senior medical professionals who specialized in genetic, neurology, and oncology research in Israel and the U.S.
"TA453 illegally obtained access to a website belonging to a world class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets," the researchers said. "The use of legitimate, but compromised, infrastructure represents an increase in TA453's sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities."
UPDATE — In a statement to The Hacker News via email, a spokesperson for the University of London's School of Oriental and African Studies (SOAS) said:
"We understand that hackers created Gmail accounts to pretend to be academics and created a dummy site to seek to collect data from people they were targeting. This dummy page was placed on the website of SOAS Radio, which is an independent online radio station and production company based at SOAS. The website is separate from the official SOAS website and is not part of any of our academic domains. We understand the target was not SOAS itself, but external individuals.
"To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff."
"In relation to the creation of the dummy site, no personal information was obtained from SOAS, and none of our data systems (e.g., staff and student records, financial information, emails, and core ac.uk website and so on) were involved or affected by this. Our cybersecurity systems for our core systems are robust and fit for purpose.
"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sorts of peripheral systems."