Key takeaways
- A sophisticated social-engineering attack where attackers passed off as scholars from the prestigious London-based SOAS
- Led by the threat actor group called TA453
- Seemingly on behalf of Iran’s IRGC, a government-backed intelligence unit
- Highlights the significant extent state-actors will go to, using proxy groups as a front.
A sophisticated social engineering attack undertaken by an Iranian-state aligned actor targeted think tanks, journalists, and professors with an aim to solicit sensitive information by masquerading as scholars with the University of London’s School of Oriental and African Studies (SOAS).
Called “Operation SpoofedScholars“, the campaign was led by the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorous (Microsoft).
The government cyber warfare group is suspected to carry out intelligence efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC).
The attack seems to have targeted experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specialising in Middle Eastern coverage. The campaign shows a new escalation and sophistication in TA453’s methods.
The attack chain involved the threat actor posing as British scholars to a group of select victims in an attempt to entice the target into clicking on a registration link to an online conference that was intended to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.
To lend it an air of legitimacy, the credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London’s SOAS Radio, through which credential harvesting pages (disguised as registration links) were delivered to unsuspecting recipients.
The threat group strengthened the credibility of the attempted credential harvest by utilising personas masquerading as legitimate affiliates of SOAS.
The attacks are believed to have commenced as far back as January January 2021, before the group subtly shifting their tactics in subsequent email phishing campaigns.
Earlier this year, the same group targeted senior medical professionals who specialised in genetic, neurology, and oncology research in Israel and the U.S.
In response, SOAS released a statement, saying:
We understand that hackers created Gmail accounts to pretend to be academics and created a dummy site to seek to collect data from people they were targeting. This dummy page was placed on the website of SOAS Radio, which is an independent online radio station and production company based at SOAS. The website is separate from the official SOAS website and is not part of any of our academic domains. We understand the target was not SOAS itself, but external individuals.
To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff.
SOAS statement
The incident highlights the extent state-actors will go to in order to use every “cyber trick” in the book to extract information for national interests, often using proxy groups as a front. This is far from a rare occurrence, and such social engineering campaigns highlight that almost no one is immune.
From corporations to universities and everyone in between, organisations big and small need to educate their constituents, staff and stakeholders of the basics of cyber security and social and cyber threats in order to ensure their information is safe. If even seasoned academics aren’t immune, then almost no one is.