While Proofpoint has been unable to independently confirm that the hackers, known as TA453 or CHARMING KITTEN and PHOSPHORUS, are part of the IRGC, the hackers have historically aligned with the priorities of Iran's Islamic Revolutionary Guard Corps (IRGC), with attacks targeting dissidents, academics, diplomats and journalists, according to the report.
In their latest attack, TA453 compromised a site belonging to SOAS in order to deliver pages disguised as registration links to harvest login information from targets, including experts in Middle Eastern affairs from think tanks, senior professors at academic institutions and journalists specializing in Middle Eastern coverage.
The attempts to connect with targets included lengthy conversations before the fake registration links were delivered in order to capture the credentials of targets. TA453 also targeted the personal email accounts of at least one of the targets in the attack.
Proofpoint stated that the hacking campaign, which it called SpoofedScholars, is one of the more sophisticated campaigns by TA453 it has identified.
The hacker group used the personas of individuals associated with SOAS, in order to solicit conversations with targets.
In initial emails sent by the first persona, TA453 invited the target to a fake online conference on “The US Security Challenges in the Middle East.” Emails by the second persona solicited contributions to a "DIPS Conference."
In one attempt by the first persona, the hackers tried to connect with the target via phone to discuss the invitation, but the target requested a written proposal with details so the hackers provided specific details. After a bit of back and forth, TA453 provided a detailed invitation and eventually attempted to get the target to connect via videoconferencing.
The hackers provided targets with personalized links to a legitimate but compromised website belonging to SOAS which had targets long in with email providers.
Proofpoint warned that emails from hanse.kendel4[@]gmail.com, hannse.kendel4[@]gmail.com, and t.sinmazdemir32[@]gmail.com should be considered suspect and investigated and that network traffic to soasradi.org should be investigated as well.
Proofpoint pointed out that TA453 demonstrated passable English skills and seemed to desire to connect with the target in real-time, even requesting voice communication via videoconferencing. The hacker group also expressed interest in mobile phone numbers, which Proofpoint said could be for mobile malware or additional phishing.
"The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities," said Proofpoint in the report. "Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities."
The targeted categories of people have information of interest to the Iranian government, including foreign policy information, insights into Iranian dissidents and understandings of US nuclear negotiations, among other interests. Most of the targets identified in this campaign have been targeted by TA453 in the past. Less than ten organizations were targeted in the campaign.
SOAS said that no personal information was unobtained and that its own data systems were unaffected as the compromised website is separate from the official SOAS website.
"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sort of peripheral systems," the university said in a statement.
One of the academics impersonated told Motherboard by Vice that while the experience was stressful, he had conversations with "a lot of interesting people that [he] would probably not have had interaction with otherwise."
"I think it was smart of them to pick me. The UK does not recognize identity theft as a crime in itself," he added to Motherboard. "Working in the field of diplomacy and at a renowned institution, yet not senior enough to be implausible for first contact. A mixture of slightly clumsy but also highly sophisticated."
In April, Proofpoint announced that TA453 targeted senior medical professionals specializing in genetic, neurology and oncology research in the US and Israel late last year. In that campaign, dubbed BadBlood, the hackers used a Gmail account which was presented as belonging to prominent Israeli physicist and former president of the Weizmann Institute of Science, Daniel Zajfman.
TA453 was also reportedly responsible for unsuccessfully targeting former US president Donald Trump's reelection campaign in 2019, according to Reuters. The hacking attempt targeted hundreds of accounts in Microsoft's cloud email service; four accounts that were not associated with an election campaign were compromised.
Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center have tracked TA453 since 2013, the company announced in 2019, adding that the group typically targeted businesses, government agencies, activists and journalists with attempts to entice targets to click on malicious links or enter credentials in fraudulent web forms pretending to belong to well-known online services.