A prominent hacker organization linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) has undertaken a covert operation in the United Kingdom, targeting university academics and other professionals in an attempt to steal their sensitive information, according to research by cybersecurity firm Proofpoint.
According to a new report issued on Tuesday by Proofpoint, the group, tracked as TA453 and also known as Charming Kitten, has been impersonating British professors at the University of London’s School of Oriental and African Studies (SOAS) since at least January in order to approach its victims.
The Proofpoint researchers said they couldn’t confirm the hacker group’s affiliation with the IRGC, but they have “high confidence” that it aids the IRGC’s intelligence-gathering efforts. Following the Iranian Revolution, the IRGC was established as a counter-force to the Iranian military.
According to Proofpoint, the hackers previously attacked American and Israeli medical researchers, the Munich Security Conference, and a presidential campaign in the United States.
In an email to VOA, Sherrod DeGrippo, senior director for threat research and detection at Proofpoint, said, “TA453’s continued interest in these targets demonstrates a persistent Iranian commitment to using cyber operations to collect information in support of IRGC intelligence priorities,” and that “TA453’s targeting may demonstrate a desire to understand the informal policy discussions and positions that may occur outside of government but still influence decision-makers.”
Proofpoint did not name the victims but stated that it had cooperated with authorities to inform them.
Credential harvesting is a type of phishing campaign in which attackers interact with victims via email before sending them a malicious attachment or a link to a compromised website designed to steal passwords.
According to the researchers, the IRGC-linked cyber group compromised the website of SOAS Radio as part of the current operation, which Proofpoint calls SpoofedScholars, and then emailed the targets a conference “registration link” pointing to the site. According to the investigation, the hijacked website was altered to capture a variety of credentials.
While it is unclear whether the attackers were able to obtain the targets’ credentials, DeGrippo says that the group has previously used stolen passwords to “exfiltrate inbox contents” and has used the compromised accounts to carry out further phishing operations.
Proofpoint, which monitors a number of Iranian hacker groups, says it has been tracking TA453 since 2017. Operation SpoofedScholars, according to Proofpoint experts, is one of the more sophisticated TA453 efforts they have seen.
“Iran’s expertise and willingness to conduct aggressive cyber operations make it a significant threat to the security of U.S. and allied networks and data,” the U.S. intelligence community concluded in its most recent assessment in April.
“Iran has the ability to conduct attacks on critical infrastructure, as well as to conduct influence and espionage activities,” according to the assessment.
According to the Proofpoint investigation, Iranian hackers sent threatening emails to Democratic voters in October and leaked information about U.S. election officials in December in an effort to damage voter trust in the 2020 presidential election.