London's School of Oriental and African Studies. Courtesy: SOAS

Iranian hackers posed as British-based academic in failed espionage effort



An Iranian group masqueraded as a British-based academic during a cyber espionage campaign.

The group also compromised the website belonging to the School of Oriental and African Studies (SOAS), University of London, to try to steal information.

The operation, which did not affect SOAS data systems, was uncovered by the cyber security company Proofpoint, which named it "SpoofedScholars" and said it showed an increase in threat sophistication.

The attackers, sometimes referred to as "Charming Kitten" and believed to be linked to the Iranian state, were also willing to engage in real-time conversations with their targets, who were mainly in the US and UK.

In early 2021, emails claiming to come from a "senior teaching and research fellow" at SOAS invited people to join an online conference called The US Security Challenges in the Middle East.

The emails, sent from a Gmail address, were not from the academic but an espionage group believed to be linked to the Iranian Islamic Revolutionary Guard Corps (IRGC).

Once a conversation was established, the target was sent a "registration link" hosted by a website that was compromised by the attackers.

It belonged to SOAS radio, an independent online radio station and production company based at SOAS.

This link then offered a means to log on using the email providers Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email, and Facebook, allowing the attackers to capture the usernames and passwords entered.

Stealing credentials is not new, but the use of a real website to do so is.
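As an added illustration (not code from Proofpoint, SOAS or the original article), the following Python triages an invitation e-mail against the pattern described above: an academic affiliation claimed from a webmail address, with a registration link hosted somewhere other than the institution's own domain. The institution-to-domain table, the webmail list and both sample messages are constructed assumptions for this example.

```python
"""Triage for the lure pattern described above: an institutional affiliation is
claimed, but the mail comes from webmail and the registration link is not on
the institution's domain. Messages and domain table are constructed here."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword -> real staff domains (a directory would feed this in practice).
INSTITUTION_DOMAINS = {"soas": {"soas.ac.uk"}}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.ru"}
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)

def on_domain(host: str, domains: set) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(raw: str) -> dict:
    """Return affiliation claims, link hosts and risk signals for one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = " ".join([name, msg.get("Subject", ""), body]).lower()
    claimed = [k for k in INSTITUTION_DOMAINS if k in text]
    links = sorted({h.lower() for h in URL_RE.findall(body)})
    signals = []
    if claimed and sender_domain in FREEMAIL:
        signals.append("affiliation_claimed_from_webmail")
    for inst in claimed:
        if not on_domain(sender_domain, INSTITUTION_DOMAINS[inst]):
            signals.append(f"sender_not_on_{inst}_domain")
    # A link on a compromised legitimate site passes URL reputation; the tell is where it is hosted.
    if claimed and links and not any(
            on_domain(h, INSTITUTION_DOMAINS[i]) for i in claimed for h in links):
        signals.append("registration_link_off_institution_domain")
    return {"sender": addr, "claimed": claimed, "links": links, "signals": signals}

LURE = """From: "Dr A. Example" <dr.a.example@gmail.com>
Subject: Invitation: The US Security Challenges in the Middle East

As Senior Teaching and Research Fellow at SOAS I would like to invite you to
our online conference. Please register at https://radio-station.example/reg
"""
LEGIT = """From: "Dr B. Example" <b.example@soas.ac.uk>
Subject: Seminar registration

Registration for the SOAS seminar is open at https://www.soas.ac.uk/events
"""
```

Because the real campaign's link sat on a legitimate, compromised site, domain reputation alone would not have flagged it; the durable signal is the mismatch between the claimed affiliation and the sending and hosting domains.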

"It is highly unusual and more sophisticated for this group," said Sherrod DeGrippo, senior director, threat research and detection for Proofpoint.

The communications between the fake academic and the target could be lengthy to build trust before sending the registration link. In some cases, the sender asked to connect by phone with the recipients to discuss the invitation.

In one instance, the recipient asked for and received more detail by email, with the attackers then suggesting they connect by videoconference.

That cyber spies were trying to connect with individuals in real time by phone and videoconference, rather than just engaging by email, was also unusual, suggesting confidence in their English and in their impersonation skills.

It was not clear if conversations took place.

The operation was highly focused, involving fewer than 10 target organisations, Proofpoint said. In some cases, there were multiple individuals inside those organisations.

They were primarily from three groups:

  • Senior think tank personnel working on the Middle East
  • Journalists focused on the region
  • Academics, including senior professors

It is thought likely that they were selected because they might have information on foreign policy of countries towards Iran, negotiations about Iran's nuclear programme, or information about Iranian dissidents.

This fits with earlier activity by the same espionage group, which Proofpoint called TA453.

"TA453's continued interest in these targets demonstrates an Iranian commitment to use cyber operations to collect intelligence in support of intelligence priorities," Ms DeGrippo said.

A few months after the initial campaign began in January, another SOAS academic's identity was used by the group to try to recruit for a webinar.

The group also seemed interested in mobile phone numbers, possibly to use to deliver malicious software or to use against others.

SOAS said no personal information was obtained and its data systems were not affected.

It said the compromised radio website was separate from the official SOAS website and not part of any of its academic domains.

"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sorts of peripheral systems," the university said.

Proofpoint said it cannot be completely sure the IRGC was behind the campaign, but the tactics, techniques and targeting give it "high confidence" that it was responsible.

The company said it has worked with the authorities on victim notification but that TA453 was likely to continue to try to pass itself off as academics.

Proofpoint recommended that academics, journalists, and think tank scholars should verify the identity of anyone offering them opportunities, especially if approached online.

Updated: July 27, 2021, 7:11 AM