WASHINGTON – A notorious hacker group tied to the Iranian Revolutionary Guard Corps has covertly targeted university professors and other experts in pursuit of sensitive information, according to research by cybersecurity firm Proofpoint.
The group, known as TA453, has been masquerading as British scholars at the University of London’s School of Oriental and African Studies (SOAS) since at least January to approach their victims, Proofpoint said in a new report released Tuesday.
The researchers said that while they could not independently confirm that the hacker group is part of the IRGC, they assess with “high confidence” that it supports the IRGC’s intelligence collection efforts. The IRGC is a U.S.-designated foreign terrorist organization.
The targets of the latest campaign included think tank experts in Middle Eastern affairs, top professors from well-known academic institutions and journalists specializing in the Middle East. Most of the victims had been previously targeted by the same hacker group, Proofpoint found.
“These groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements and understanding of U.S. nuclear negotiations,” the researchers wrote. “Targeting appeared to be highly selective, with less than 10 organizations targeted.”
The company did not disclose the names of the targets but said it has worked with authorities to notify the victims.
In a hacking campaign of this kind, known as credential harvesting, cybercriminals first connect with victims via email before sending them a malicious attachment or a link to a compromised website designed to steal passwords.
As part of the latest operation, the IRGC-tied hacker group compromised the website of SOAS Radio and then sent the victims “registration links” to the site, according to the researchers. The compromised website was tweaked to capture a variety of credentials, the report said.
In one case, a hacker posing as a “senior teaching and research fellow” with SOAS sent “an initial email trying to entice the target with a prospective invitation to an online conference on ‘The U.S. Security Challenges in the Middle East.’” After an exchange that confirmed the victim’s interest in the conference, the hacker sent the target a “detailed invitation” to the fake event, researchers said.
Proofpoint said the operation, dubbed SpoofedScholars, is one of the more sophisticated TA453 campaigns its researchers have identified.
The U.S. intelligence community said it is “most concerned” about the cyber capabilities of Russia, Iran, China and North Korea. In its latest assessment in April, the intelligence community said, “Iran’s expertise and willingness to conduct aggressive cyber operations make it a significant threat to the security of U.S. and allied networks and data.”
“Iran has the ability to conduct attacks on critical infrastructure, as well as to conduct influence and espionage activities,” the assessment said.
During the 2020 presidential campaign, Iranian hackers sent threatening emails to Democratic voters in October, and in December released information about U.S. election officials to undermine confidence in the election, according to the report.