An Iranian state-aligned actor used the spoofed identities of real academics at a UK university in phishing attacks designed to steal the passwords of experts in Middle Eastern affairs from universities and think tanks, as well as journalists and professors.
The campaign, called "Operation SpoofedScholars", was attributed by enterprise security firm Proofpoint to the advanced persistent threat tracked as TA453, also known as APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorus (Microsoft).
The state-backed cyber warfare group is suspected of carrying out intelligence-gathering efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC).
According to the security researchers, the identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.
This campaign shows a new escalation and sophistication in TA453’s methods.
The attack chain involved the threat actor posing as British scholars to a group of highly selective victims in an attempt to trick the target into clicking on a registration link to an online conference that’s engineered to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.
The credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London's School of Oriental and African Studies (SOAS); from there, personalized credential harvesting pages disguised as registration links were delivered to unsuspecting recipients.
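The two details above matter for detection: the sender impersonated a real academic, and the harvesting page sat on a legitimate, compromised domain, so URL reputation alone would not have flagged the link. The following is an added example (not code from the article or from Proofpoint) of a small mail triage check that leans on sender-identity signals instead: it compares the display name against a hypothetical directory of known academics and their institutional mail domain, flags a Reply-To that routes answers elsewhere, and catches links whose visible text shows a different host than the real target. All names, domains and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory: normalized display name -> institutional mail domain.
# Hypothetical entries; the real campaign's names are not reproduced here.
KNOWN_SCHOLARS = {
    "dr jane example": "example-university.ac.uk",
}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm(name):
    """Normalize a display name so 'Dr. Jane  Example' and 'dr jane example' match."""
    return " ".join(name.lower().replace(".", "").split())


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name belongs to a known academic but the address is not institutional.
    disp, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    inst = KNOWN_SCHOLARS.get(_norm(disp))
    if inst and from_dom != inst:
        findings.append(f"display-name spoof: '{disp}' is known at {inst} but sent from {from_dom}")

    # 2. Replies are steered to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: From {from_dom} vs Reply-To {_domain(reply_addr)}")

    # 3. Link text that displays one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = urlparse(href).hostname or ""
            if text.lower().startswith(("http://", "https://")):
                shown_host = urlparse(text).hostname or ""
                if shown_host and shown_host != real_host:
                    findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


# Constructed sample: impersonated academic mailing from a free webmail address,
# with a registration link on a legitimate-looking host (mirroring the compromised-site tactic).
SAMPLE_PHISH = """\
From: Dr. Jane Example <jane.example@webmail-provider.example>
Reply-To: jane.example@another-provider.example
To: target@think-tank.example
Subject: Invitation to speak at our online conference
Content-Type: text/html; charset=utf-8

<html><body><p>Please register here:
<a href="https://compromised-but-legitimate.example/radio/register">https://compromised-but-legitimate.example/radio/register</a></p></body></html>
"""

# Constructed sample: the same invitation sent from the academic's real institutional address.
SAMPLE_LEGIT = """\
From: Dr. Jane Example <jane.example@example-university.ac.uk>
To: target@think-tank.example
Subject: Invitation to speak at our online conference
Content-Type: text/html; charset=utf-8

<html><body><p>Please register here:
<a href="https://example-university.ac.uk/events/register">https://example-university.ac.uk/events/register</a></p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Note that the phishing sample produces no link finding at all: the href is exactly what the text shows, and the host is one a reputation feed would consider clean. The identity checks are what separate the two messages, which is the practical lesson of a campaign that borrows both a real scholar's name and a real institution's web server.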
In one instance, TA453 sent a credential harvesting email to a target's personal email account.
TA453 also insisted that the targets sign in to register for the webinar when the group was online, raising the possibility that the attackers were “planning on immediately validating the captured credentials manually.”
The attacks are believed to have occurred in January 2021, before the group shifted its tactics in subsequent email phishing lures.