An Iranian group which pretended to be a British-based academic in order to target individuals in a cyber-espionage campaign has been discovered.
The group also compromised a real website belonging to the School of Oriental and African Studies (SOAS), University of London, to try to steal information.
The operation was uncovered by cyber-security company Proofpoint.
They call it "SpoofedScholars" and say it shows an increase in sophistication.
The attackers, sometimes called "Charming Kitten" and believed to be linked to the Iranian state, were also willing to engage in real-time conversations with their targets, who were mainly in the US and UK.
In early 2021, emails claiming to come from a "senior teaching and research fellow" at SOAS university in London invited people to an online conference called The US Security Challenges in the Middle East.
The emails, sent from a Gmail address, had not been sent by the real academic but by a cyber-espionage group believed to be linked to the Iranian Revolutionary Guards.
Once a conversation was established, the target was sent a "registration link" hosted by a real website which had already been compromised by the attackers.
It belonged to SOAS radio, an independent online radio station and production company based at SOAS.
The page then offered the option to log on via Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email or Facebook, and captured any usernames and passwords entered. Stealing credentials this way is not new, but hosting the lure on a real, compromised website marked a change.
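As an added illustration that is not part of the BBC report or Proofpoint's research, the two tells in the lure described above (an institutional display name on a consumer webmail address, and a "registration" page that accepts passwords for many unrelated providers) can be checked mechanically during triage; the names, domains and page content below are constructed placeholders, not the real ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Consumer webmail domains; a genuine academic invitation normally comes from the
# institution's own domain, so an institutional display name on one of these is a red flag.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com",
                   "mail.ru", "icloud.com", "protonmail.com"}
INSTITUTION_HINTS = ("university", "soas", "college", "institute", "school of")
# Login providers the campaign's page offered; a registration form that accepts several
# unrelated providers' passwords is harvesting credentials, not registering anyone.
PROVIDERS = ("google", "yahoo", "microsoft", "icloud", "outlook", "aol", "mail.ru", "facebook")

def spoofed_academic_sender(raw_email: str) -> bool:
    """True when the From display name claims an institution but the address is consumer webmail."""
    name, addr = parseaddr(message_from_string(raw_email).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_institution = any(hint in name.lower() for hint in INSTITUTION_HINTS)
    return claims_institution and domain in WEBMAIL_DOMAINS

def credential_harvesting_form(html: str) -> bool:
    """True when a page has a password field and names three or more unrelated login providers."""
    low = html.lower()
    has_password = re.search(r'<input[^>]*type="password"', low) is not None
    providers_seen = {p for p in PROVIDERS if p in low}
    return has_password and len(providers_seen) >= 3

def triage(raw_email: str, landing_html: str) -> list[str]:
    """Collect the reasons a lure and its registration page should be escalated."""
    reasons = []
    if spoofed_academic_sender(raw_email):
        reasons.append("institutional display name on consumer webmail address")
    if credential_harvesting_form(landing_html):
        reasons.append("registration page collects passwords for multiple providers")
    return reasons

# Constructed sample lure and landing page (placeholder names and domains, not the real ones).
SAMPLE_LURE = (
    'From: "Dr J. Example, Senior Fellow, SOAS University of London" <j.example.soas@gmail.com>\n'
    "To: analyst@thinktank.example\n"
    "Subject: Invitation: The US Security Challenges in the Middle East\n\n"
    "Dear colleague, please register at https://radio.example.invalid/register\n"
)
SAMPLE_PAGE = """<form action="/register" method="post">
  <p>Sign in to register with: Google | Yahoo | Microsoft | iCloud | Outlook | AOL | mail.ru | Facebook</p>
  <input name="user" type="text"><input name="pass" type="password">
</form>"""
if __name__ == "__main__":
    print(triage(SAMPLE_LURE, SAMPLE_PAGE))
```

Both checks are heuristics: a lure sent from a genuinely compromised institutional mailbox, as in the later stages of this campaign, passes the sender check, so the landing-page check matters more.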
"(It) is highly unusual and more sophisticated for this group," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told the BBC.
The exchanges between the fake academic and the target could be lengthy, building trust before the registration link was sent. In some cases the sender also asked to discuss the invitation with the recipient by phone.
In one instance, the recipient asked for and received more detail by email with the attackers then suggesting they connect via videoconference.
That the cyber-spies tried to connect with individuals in real time, by phone and video-conference rather than only by email, is also unusual, and suggests confidence in their English and in their impersonation (although it is not clear whether any such conversations actually took place).
The operation was highly targeted: fewer than 10 organisations were approached, according to Proofpoint, although in some cases several individuals within the same organisation were contacted. Most of the targets were in the US and UK.
They were primarily from three groups:
- Senior think-tank personnel working on the Middle East
- Journalists focused on the region
- Academics, including senior professors
It is thought likely they were targeted because they might have information on foreign policy of countries towards Iran, negotiations over Iran's nuclear programme or information about Iranian dissidents.
This fits in with previous activity by the same cyber-espionage group, which Proofpoint calls TA453.
"TA453's continued interest in these targets demonstrates a continued Iranian commitment to use cyber-operations to collect intelligence in support of intelligence priorities," said Sherrod DeGrippo.
A few months after the initial campaign began in January, another SOAS academic's identity was used by the group to try to recruit for a webinar.
The group also appeared interested in obtaining mobile phone numbers, possibly in order to deliver mobile malware or to target other people.
SOAS says no personal information was obtained and its own data systems were not affected.
It says the compromised radio website was separate from the official SOAS website and not part of any of its academic domains.
"Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sorts of peripheral systems," the university told the BBC in a statement.
Proofpoint says it cannot be totally sure the Iranian Revolutionary Guard Corps (IRGC) was behind the campaign, but the tactics, techniques and targeting give it "high confidence" that it was responsible.
The cyber-security company says it has worked with the authorities to conduct victim notification but that the group is likely to continue to try to masquerade as academics.
It recommends that academics, journalists and think-tank scholars verify the identity of anyone offering them opportunities, especially when the approach is made online rather than in person.