Iranian State-Sponsored Hacking Attempts
Interesting attack:
Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.
These connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio. The compromised site was configured to capture a variety of credentials. Of note, TA453 also targeted the personal email accounts of at least one of their targets. In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. This operation, dubbed SpoofedScholars, represents one of the more sophisticated TA453 campaigns identified by Proofpoint.
The report details the tactics.
News article.
echo • July 13, 2021 10:57 AM
It’s interesting that actors with bad intentions target academia or use the guise of academia to launder their agendas. This is a problem the UN and universities have had to manage for some time. While it is not obvious to most people who rarely interact with these spheres of interest, I know in the sphere of human rights there are dodgy types using academic credentials or the plausible appearance of academic legitimacy alongside their role in or relationship with organised lobby groups with slick and well funded campaigning and marketing. By this I mean the far right or agendas which align with the far right. These people are a right pain to deal with.
While I have expertise in some covered areas I know my limits, but I know enough to spot at least some who appear suspect. If domestic or allied countries have far right elements up to tricks it shouldn’t come as a surprise that others are pulling similar tricks too!
I generally rely on academic papers which are by and large fairly solid. There are other works peddled as academic floating about including now discredited academic papers which keep making an appearance again and again because the same people with persistent agendas keep recycling them for a new audience.
It’s not just dusky foreigners with swarthy appearances and bad taste who are motivated to contaminate the academic pond.
For years I preferred to believe that people ultimately judge things on their merits. I have learned the hard way not everyone does. There have been a few times when someone I ideologically disagree with or positively loathe said something I believe to be true and I acknowledged this. Sadly it is not always returned. Without closing doors or being partial, there is an element with some things that it is not what is said but who says it, and with some people you need to take a very long and slow look at something. I absolutely hate the “not what is said but who says it” phenomenon, but in issues which can be politically charged or where there are mixed motives, who is saying it (and when, and not just what they say but what they leave out) is a filter I found I have to apply.
Backtracking a little, I’m guessing this was a social engineering attack to bypass individuals’ filtering mechanisms?
I sometimes use meetings to assess or filter people or gather insights for legitimate (and legal!) purposes, whether it’s an in-person meeting or online. There are things you can pick up which you won’t find in an email nor even a verbatim transcript, and with some topics an attitude or pause can convey an extra layer of meaning. I don’t want to know just what someone believes or can parrot; I want to get a sense of their reaction or, in the case of legally difficult or potentially unlawful situations, what they may be hiding. The theory being the more senses you are using and the more avenues of data you can collect, the easier it is to detect things like overconfidence or inconsistencies. Video conferencing can also be useful for bringing other people in for a real time advocacy or advisory or safeguarding role where it would otherwise be too difficult or expensive to have them present in physical space.
I’m also picky about which software I use for ease of use and security reasons and extremely picky about who has my phone number. I really really really hate people calling without a pre-booked appointment. I also like to narrow the number of avenues by which I might be compromised by malware.
As a general rule I avoid interaction with websites which require a “sign in using” facility. In almost all cases I have no interest in even having an account with them.
Iran is not on my list of preferred destinations. The number of Iranians with a job title I would be happy having a conversation with is not very large. I’m not saying we couldn’t discuss anything but the authoritarian and theocratic context would be problematic. As for anything which interests me and whether it overlaps with Iranian interests I have no idea. It could do but I’d be wondering “What is the catch?” (and there would be one) every step of the way.
I’m not a great believer in “My enemy’s enemy is my friend” either. I think that one leads to a world of trouble.