According to the cybersecurity company Proofpoint, Iranian hackers pretended to be scholars from the London School of Oriental and African Studies to conduct online espionage against Middle Eastern experts.
The hacking was carried out by an organization called Charming Kitten, also known as “Phosphorus” and APT35. Regional experts generally believe that this organization is carrying out intelligence work on behalf of Iran’s elite Revolutionary Guards.
Iran — along with Russia, China and North Korea — is one of the most powerful cyber attackers facing Britain and its allies. Lindy Cameron, the chief executive of the National Cyber Security Center, a branch of the signals intelligence agency GCHQ, warned last month that Iran is using digital technology to “damage and steal” a series of British organizations.
NCSC has previously emphasized Iran’s special interest in online espionage For British scholars, Including an event in 2018 that collected personal details from university staff by creating a fake web page linking to an academic library.
The latest operation determined by Proofpoint involves hackers sending spoofed emails purporting to be from real Soas scholars, inviting recipients to participate in meetings and events. After the rapport was established, the recipients of Middle Eastern affairs experts from think tanks, academia, and the press were directed to a virtual page inserted by hackers into the Soas Radio website, an independent online broadcaster based in a university.
On this page, spy targets are invited to “register” for activities by providing personal details (including passwords), which are captured by hackers and used to access other websites, such as personal email accounts. Targets are also encouraged to share their mobile phone numbers, which Proofpoint said may be to insert malware into the device.
The cybersecurity company announced the details of the event on Tuesday and learned that about 10 people were targeted, most of them in the United States and the United Kingdom. The campaign started as early as January, and a few months later, hackers started sending emails purporting to be from the second Soas scholar. These people have not been accused of any wrongdoing.
Sherrod DeGrippo, senior director of threat research at Proofpoint, said the event proved that after the peak of the Covid-19 blockade last year, some hacking organizations reduced their activities and state-sponsored hackers “really returned to their seats.” .
“Iran has been very concerned about [targeting] Scholars, scientists, professors, and diplomats,” De Gribo added. “This just shows that they are continuing to pay attention to this, most likely because it has paid off. “
In its report, Proofpoint stated that hackers have been seeking information about foreign policy, including insights into the Iranian dissident movement, and understanding of the negotiations between Tehran and the United States on nuclear issues.
Soas emphasized that the target of the hacker attack was not the university’s own employees, but other academics, and said that there is no sign that its employees violated the network security protocol.
It stated that it had not accessed personal information or data from the Soas system during the campaign.
“Once we became aware of this virtual site earlier this year, we immediately remedied and reported the violation in the normal way,” it said, adding that the university “has taken steps to further strengthen protection [its] Peripheral system”.
NCSC, which advises on cyber defense in the UK, said it is “aware” of this activity and is working “closely” with academia to help improve cyber resilience.
“Universities process valuable data, which can make them profitable targets for malicious cyber actors (including hostile countries and cybercriminals),” it said.