Iranian State-Sponsored Hacking Attempts

Interesting attack:

Masquerading as UK scholars with the University of London’s School of Oriental and African Studies (SOAS), the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links. Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage.

These connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio. The compromised site was configured to capture a variety of credentials. Of note, TA453 also targeted the personal email accounts of at least one of their targets. In subsequent phishing emails, TA453 shifted their tactics and began delivering the registration link earlier in their engagement with the target without requiring extensive conversation. This operation, dubbed SpoofedScholars, represents one of the more sophisticated TA453 campaigns identified by Proofpoint.

The report details the tactics.

News article.
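The detection problem this campaign poses is that the harvesting page sat on a genuine, well-reputed domain, so domain reputation and "is this a look-alike host" checks say nothing; the only structural handle is the URI itself, which the Proofpoint report quoted on this page gives as hxxps://soasradio[.]org/connect/?memberemailid=[target initials]-[alphanumeric string]. The following is an added example (not code from the post, from Proofpoint, or from SOAS) showing how a SOC might sweep proxy logs for that shape, refanging the defanged IOC before comparing and defanging anything it reports. Because the token is personalised, a hit also tells you which targeted user clicked. The log format, the hosts other than soasradio.org, the 1-4 letter initials assumption, and the list of query-parameter names used for the broader hunt are all assumptions for illustration, not facts from the report.

```python
"""Sweep proxy logs for the SpoofedScholars credential-harvest URI shape.

Added example, not from the original post or the Proofpoint report.
Log format, sample lines and heuristics are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Harvest URI as quoted from the report (defanged). The parameter value was
# "<redacted initials of target>-<string of alphanumeric characters>".
REPORTED_IOC = "hxxps://soasradio[.]org/connect/?memberemailid="

# Assumption (not from the report): initials are 1-4 letters, the suffix is
# at least 6 alphanumerics. Tune this to the samples you actually observe.
TOKEN_RE = re.compile(r"^[A-Za-z]{1,4}-[A-Za-z0-9]{6,}$")

# Assumption: for the broader hunt, only consider parameters whose name hints
# at identity or registration, to keep order/reference IDs out of the results.
HUNT_KEY_RE = re.compile(r"(email|member|user|invite|regist)", re.IGNORECASE)

# Constructed proxy log format: "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxps://, [.]) back into a comparable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def defang(url: str) -> str:
    """Defang scheme and host so a reported URL is safe to paste into a ticket."""
    parts = urlsplit(url)
    scheme = re.sub(r"^http", "hxxp", parts.scheme, flags=re.IGNORECASE)
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{host}{rest}"


def classify(url: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, token) or None.

    'ioc'  : host and path match the reported harvest endpoint.
    'hunt' : another host, but an identity-flavoured parameter carries the
             same personalised token shape (the report expects TA453 to reuse
             the technique on other compromised sites).
    """
    ioc = urlsplit(refang(REPORTED_IOC))
    u = urlsplit(refang(url))
    params = parse_qs(u.query)
    tokens = [(k, v) for k, vals in params.items() for v in vals if TOKEN_RE.match(v)]
    if not tokens:
        return None
    if u.hostname == ioc.hostname and u.path == ioc.path and "memberemailid" in params:
        return ("ioc", params["memberemailid"][0])
    for key, value in tokens:
        if HUNT_KEY_RE.search(key):
            return ("hunt", value)
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Dict]:
    """Parse proxy log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, client, _method, url, status = m.groups()
        verdict = classify(url)
        if verdict:
            hits.append({"ts": ts, "client": client, "verdict": verdict[0],
                         "token": verdict[1], "url": defang(url), "status": int(status)})
    return hits


# Constructed sample traffic; none of these lines are real observations.
SAMPLE_LOG = """
2021-02-03T10:12:44Z 10.20.30.40 GET https://soasradio.org/connect/?memberemailid=AB-7f3k9x2q 200
2021-02-03T10:13:01Z 10.20.30.40 GET https://soasradio.org/wp-content/uploads/show.mp3 200
2021-02-03T11:40:09Z 10.20.30.41 GET https://example-events.org/register/?inviteid=CD-q8r2t5v1 200
2021-02-03T11:41:00Z 10.20.30.42 GET https://shop.example.net/order?ref=AB-123456 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['verdict']:<4} token={hit['token']} {hit['url']}")
```

Run it as-is to see one "ioc" hit for the reported endpoint and one "hunt" hit for the lookalike registration URL; the order reference on shop.example.net is deliberately left alone. In practice the "ioc" verdict is a page-the-user-now event, while "hunt" hits need an analyst to confirm the page is actually a login form before treating them as compromises.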

Posted on July 13, 2021 at 9:04 AM • 17 Comments

Comments

echo July 13, 2021 10:57 AM

It’s interesting that actors with bad intentions target academia or use the guise of academia to launder their agendas. This is a problem the UN and universities have had to manage for some time. While it is not obvious to most people who rarely interact with these spheres of interest, I know in the sphere of human rights there are dodgy types using academic credentials or the plausible appearance of academic legitimacy alongside their role in or relationship with organised lobby groups with slick and well funded campaigning and marketing. By this I mean the far right or agendas which align with the far right. These people are a right pain to deal with.

While I have expertise in some covered areas I know my limits, but I know enough to spot at least some who appear suspect. If domestic or allied countries have far right elements up to tricks it shouldn’t come as a surprise that others are pulling similar tricks too!

I generally rely on academic papers which are by and large fairly solid. There are other works peddled as academic floating about including now discredited academic papers which keep making an appearance again and again because the same people with persistent agendas keep recycling them for a new audience.

The threat actor, an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links.

It’s not just dusky foreigners with swarthy appearances and bad taste who are motivated to contaminate the academic pond.

Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities.

For years I preferred to believe that people ultimately judge things on their merits. I have learned the hard way not everyone does. There have been a few times when someone I ideologically disagree with or positively loathe said something I believe to be true and I acknowledged this. Sadly it is not always returned. Without closing doors nor being partial, there is an element with some things that it is not what is said but who says it, and with some people you need to take a very long and slow look at something. I absolutely hate the “not what is said but who says it” phenomenon, but in issues which can be politically charged or where there are mixed motives, who is saying it (and when, and not just what they say but what they leave out) is a filter I found I have to apply.

These connection attempts were detailed and extensive, often including lengthy conversations prior to presenting the next stage in the attack chain. Once the conversation was established, TA453 delivered a “registration link” to a legitimate but compromised website belonging to the University of London’s SOAS radio.

Backtracking a little, I’m guessing this was a social engineering attack to bypass individuals’ filtering mechanisms?

TA453 demonstrates passable English skills and is open to voice communication via videoconferencing.
TA453 demonstrates an interest in mobile phone numbers, possibly for mobile malware or additional phishing.
TA453 repeatedly demonstrated a desire to connect with the target in real-time.

I sometimes use meetings to assess or filter people or gather insights for legitimate (and legal!) purposes, whether it’s an in-person meeting or online. There are things you can pick up which you won’t find in an email nor even a verbatim transcript, and with some topics an attitude or pause can convey an extra layer of meaning. I don’t want to know just what someone believes or can parrot; I want to get a sense of their reaction or, in the case of legally difficult or potentially unlawful situations, what they may be hiding. The theory being the more senses you are using and the more avenues of data you can collect, the easier it is to detect things like overconfidence or inconsistencies. Video conferencing can also be useful for bringing other people in for a real time advocacy or advisory or safeguarding role where it would otherwise be too difficult or expensive to have them present in physical space.

I’m also picky about which software I use for ease of use and security reasons and extremely picky about who has my phone number. I really really really hate people calling without a pre-booked appointment. I also like to narrow the number of avenues by which I might be compromised by malware.

TA453 strengthened the credibility of the attempted credential harvest by utilizing personas masquerading as legitimate affiliates of SOAS to deliver the malicious links. The displayed webpage (Figure 2) offers users the ability to use “OpenID” to log in with the following mail providers: Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email, and Facebook. The website URI was hxxps://soasradio[.]org/connect/?memberemailid=[Redacted Initials of Target]-[String of alphanumeric characters].

As a general rule I avoid interacting with websites which require a “sign in using” facility. In almost all cases I have no interest in even having an account with them.

TA453 illegally obtained access to a website belonging to a world class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets. The use of legitimate, but compromised, infrastructure represents an increase in TA453’s sophistication and will almost certainly be reflected in future campaigns. TA453 continues to iterate, innovate, and collect in support of IRGC collection priorities. While some of the identified selectors no longer appear to be active in TA453 operations, Proofpoint assesses with high confidence that TA453 will continue to spoof scholars around the world in support of TA453’s intelligence collection operations in support of Iranian government interests. Academics, journalists, and think tank personnel should practice caution and verify the identity of the individuals offering them unique opportunities.

Iran is not on my list of preferred destinations. The number of Iranians with a job title I would be happy having a conversation with is not very large. I’m not saying we couldn’t discuss anything but the authoritarian and theocratic context would be problematic. As for anything which interests me and whether it overlaps with Iranian interests I have no idea. It could do but I’d be wondering “What is the catch?” (and there would be one) every step of the way.

I’m not a great believer in “My enemy’s enemy is my friend” either. I think that one leads to a world of trouble.

Higgs Boson July 13, 2021 4:31 PM

Really, REALLY sick of “Assess with high confidence”. Weasel words.

“We have no proof, and can’t be bothered to lay out our evidence for it (assuming we have any), but this is what we want you to believe, and stop asking questions!”

Etienne July 13, 2021 6:06 PM

When the Knights Templar were no longer useful, they were hunted down and killed.

You don’t see American presidents sending Billions of Treasury dollars to them on military aircraft and marching bands.

IRAN July 13, 2021 8:18 PM

The IRAN regime does NOT need hacking. There are a lot of Iranians studying or working all around the world (even in North Korea).
These people have to go to IRAN to visit their own families.

IRGC always asks these people to cooperate in spying,
AND
if they refuse to say YES, they will be in big trouble.

Not only for themselves but also for their families in IRAN.

ADFGVX July 13, 2021 8:40 PM

@ Etienne • July 13, 2021 6:06 PM

When the Knights Templar were no longer useful, they were hunted down and killed.

You’re right. Because the Knights Templar were Iranians (or Persians), weren’t they? Not even of the same religion as the Catholics who hired them and ordained them to that secret order. They were Muslims, only believing in Jesus insofar as to admit Him as the 4th of 5 prophets, but not as the Son of God. Nor did they believe in the Resurrection.

David Rudling July 14, 2021 2:54 AM

@moderator
Re: the above post from Rony Roy.
Need I do more than draw it to your attention?

vas pup July 14, 2021 4:38 PM

Voice cloning of growing interest to actors and cybercriminals

https://www.bbc.com/news/business-57761873

“Voice cloning is when a computer program is used to generate a synthetic, adaptable copy of a person’s voice.

From a recording of someone talking, the software is able to then replicate his or her voice speaking any words or sentences that you type into a keyboard.

Such have been the recent advances in the technology that the computer generated audio is now said to be unnervingly exact. The software can pick up not just your accent – but your timbre, pitch, pace, flow of speaking and your breathing.

!!!!And the cloned voice can be tweaked to portray any required emotion – such as anger, fear, happiness, love or boredom.

Yet while the increasing sophistication of voice cloning has obvious commercial potential, it has also led to growing concerns that it could be used in cyber crime – to trick people that someone else is talking.

Together with computer-generated fake videos, voice cloning is also called “deepfake”. And cyber security expert Eddy Bobritsky says there is a “huge security risk” that comes with the synthetic voices.

“When it comes to email or text messages it’s been known for years that it’s quite easy to impersonate others,” says the boss of Israeli firm Minerva Labs.

“But until now, talking on the phone with someone you trust and know well was one of the most common ways to ensure you are indeed familiar with the person.”

Mr Bobritsky says that is now changing. “For example, if a boss phones an employee asking for sensitive information, and the employee recognizes the voice, the immediate response is to do as asked. It’s a path for a lot of cybercrimes.”

Meanwhile, governments and law enforcement agencies are also looking at the issue. Last year, Europol, the European Union’s law enforcement agency, urged member states to make “significant investments” in technologies that can detect deepfakes. ==>And in the US, California has banned their use in political campaigns.

Read the whole article if interested in more details.

ADFGVX July 15, 2021 12:56 AM

@ echo

It’s not just dusky foreigners with swarthy appearances and bad taste who are motivated to contaminate the academic pond.

Lily-white ivory tower academia, much? Let’s not forget that all arose from ancient Roman civilization and classical Arabic scholarship while the white man yet hunted and gathered and lived in caves.

So. Boltzmann’s constant divided by the reduced Planck constant will yield some fundamental angular frequency per unit of absolute temperature.

k / ħ ≈ 3.31624983 • 10^9 s^-1 • K^-1

There is a finite “Planck temperature” which is an absolute upper limit of temperature at which matter can no longer exist.

There is also a “Planck frequency” above which electromagnetic radiation can no longer exist in any coherent quantized or wavelike form.

I’m trying to put these fundamental physical constants together and make sense of them somehow.

echo July 15, 2021 1:51 AM

@vas pup

Voice cloning of growing interest to actors and cybercriminals

Real-time voice and appearance cloning has been a potential issue for some time. It’s not just for impersonation reasons but also persuadability.

Even where there isn’t a technological intermediation this kind of issue has been a problem in the past. Harold Shipman is one example. The police handpicking their best “fireside chat” detective who pulled a fast one over Doreen Lawrence on Newsnight is another. Mary Archer giving an unchallenged defence in favour of Jeffrey Archer is also notable.

As for Iran I read someone claiming Iran is into online and remote tricks very simply because they don’t have the money or expertise to run a top tier intelligence service. I think another barrier is the Iranian regime is so high profile and comic book you can see them coming.

In the UK, in some quarters, lying has become such an institutionalised high art (as per Paxman’s retort, also on Newsnight, “Why is this lying ******* lying to me”) that the idea you may be encountering a polished and tailored liar makes “collect it all” and an evidential “time machine” part of the cost of living for the ordinary citizen.

A number of high profile politicians in the past have kept personal diaries. Some view this as material for their memoirs. Others keep a commentary so that if a scandal comes along at some undetermined time in the future they have a contemporaneous record to fall back on. As for whether this is accurate or simply what they chose to remember is another topic, as some might think of the former minister Ken Clarke’s recollections of his time in office when challenged on what he knew or didn’t know.

Being a little technologically challenged and cash strapped the current UK regime (I won’t call it a government) are putting on an act but they are riddled with so many lies and so awkward the phrase “politics is Hollywood for ugly people” no longer seems to apply. What they forgot about being “genuine fakes” is you have to appear genuine and the fakery is ironic in the pursuit of a higher purpose. Brexit was and is a lie hence their rush to push it through by hook or by crook.

So do we have anything to fear from cash-strapped intelligence agencies and criminals using real-time voice and appearance personation? Yes and no. If the exchange is limited and short and time sensitive, perhaps. For anything longer or more detailed requiring unpublished background information, probably not. If it’s that important turn up in person, and that is where it all unravels.

vas pup July 15, 2021 4:53 PM

@echo • July 15, 2021 1:51 AM
Like any technology it could be used for good and for evil. Technology is neutral, but application is not.

Yeah, caller id spoofing plus voice cloning create new opportunity for phone scammers.

JonKnowsNothing July 15, 2021 6:51 PM

@vas pup

re: caller id spoofing plus voice cloning create new opportunity for phone scammers.

In the USA, a while back the telecom providers of lower repute had a method of “cramming” bills. It is not as common now but it was quite rampant at the time. There are several aspects to how this was done, but the relevant version went as follows

iirc (badly)

  1. A rule change required consumers to update their account information.
  2. Consumers had to contact their phone provider to verify the info.
  3. Due to the rule change a round-robin assignment may have sent your account to another provider.
  4. All sorts of providers were listed as valid providers
  5. The contacted provider could not tell you who or which provider you should sign up with, the consumer had to Opt-In without knowing the listings or pricing.
  6. The MoreClever providers selected a set of dba names (doing business as) such as “I don’t know”, “Which one is good?”, “No thanks”, “Hello?”, “What?”, “Which one is cheap”.
  7. Once a consumer spoke the key words the account was immediately transferred over.

Of course, once your account was transferred to the less reputable vendor, you would not know until you got the mega-$$ bill because they routed your neighbor-to-neighbor call through Siberia. Getting the account back and the charges removed or waived was not easy. Lots of folks paid dearly for “I don’t know”.

JG4 July 15, 2021 10:08 PM

The problem of voice spoofing is not new, but it used to require special talent. Now it is widely available, as expected. Worse, the facts that might be used to distinguish a real person from a spoofed person have been swept up using the vast power of the state and their corporate partners.

JG4 • May 4, 2017 4:23 PM
https://www.schneier.com/blog/archives/2017/05/forging_voice.html/#comment-299546
https://www.schneier.com/blog/archives/2017/04/friday_squid_bl_575.html#c6751481

This is fascinating:
http://www.schneier.com/blog/archives/2009/09/matthew_weigman.html

It turns out that in most people who are born blind, the visual cortex is devoted to processing sound. They cannot hear any better than anyone else (which is set by the physical limits of the ear), but they can extract vastly more from what they do hear, like where the walls are in a room. And in the case of Mr. Weigman, the pattern to exactly replicate anyone’s voice. We should be surprised if a machine cannot do better at some point soon.

echo July 16, 2021 5:17 AM

@vas pup

Like any technology it could be used for good and for evil. Technology is neutral, but application is not.

Yeah, caller id spoofing plus voice cloning create new opportunity for phone scammers.

I’m sure.

@JG4

The problem of voice spoofing is not new, but it used to require special talent. Now it is widely available, as expected. Worse, the facts that might be used to distinguish a real person from a spoofed person have been swept up using the vast power of the state and their corporate partners.

This too.

It turns out that in most people who are born blind, the visual cortex is devoted to processing sound. They cannot hear any better than anyone else (which is set by the physical limits of the ear), but they can extract vastly more from what they do hear, like where the walls are in a room. And in the case of Mr. Weigman, the pattern to exactly replicate anyone’s voice. We should be surprised if a machine cannot do better at some point soon.

It is by and large unlawful in any jurisdiction to have artificial assistance in a casino. There is also “habeas corpus”.

We have fairly convincing CGI in movies today and can peer beyond the Milky Way and into the heart of the galaxy but overall this is simply a refinement of knowing more and more about less and less.

Far right astroturfers and media can be a pain to deal with but don’t have everything their own way. Neither do other forms of con artist.

SpaceLifeForm July 19, 2021 8:03 PM

@ EvilKiru

Plain text is even easier to fake than voice…

Yes. Until you sign with your crypto signature.
