A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London’s School of Oriental and African Studies (SOAS).
Enterprise security firm Proofpoint attributed the campaign — called “Operation SpoofedScholars” — to the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorous (Microsoft). The government cyber warfare group is suspected to be tied to the Islamic Revolutionary Guard Corps (IRGC).
“Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage,” the researchers said in a technical write-up shared with The Hacker News. “The campaign shows a new escalation and sophistication in TA453’s methods.”
On a high level, the attack chain involved the threat actor posing as British scholars to a group of highly selective victims in an attempt to entice the target into clicking on a registration link to an online conference that’s engineered to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.
To lend it an air of legitimacy, the credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London’s SOAS radio, using which personalized credential harvesting pages disguised as registration links were then delivered to unsuspecting recipients.
At least in one instance, TA453 is said to have sent a credential harvesting email to a target to their personal email account. “TA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links,” the researchers said.
Some of the SOAS scholars who were impersonated included Dr. Hanns Bjoern Kendel, an associate professor of diplomatic studies and international relations, and Dr. Tolga Sinmazdemir, a senior lecturer in political methodology.
Interestingly, TA453 also insisted that the targets sign in to register for the webinar when the group was online, raising the possibility that the attackers were “planning on immediately validating the captured credentials manually.” The attacks are believed to have commenced at least since January 2021, before subtly shifting their tactics in subsequent phishing lures.
This is not the first time the threat actor has launched credential phishing attacks. Earlier this March, Proofpoint detailed a “BadBlood” campaign targeting senior medical professionals who specialized in genetic, neurology, and oncology research in Israel and the U.S.
“TA453 illegally obtained access to a website belonging to a world class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets,” the researchers said. “The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities.”