London – A cybersecurity company has accused Iranian hackers of impersonating academics at London’s School of Oriental and African Studies (SOAS) to target Middle East experts.
Proofpoint said the intrusions were launched by the Charming Kitten group, which is also known as Phosphorus and APT35.
The outfit is believed to regularly conduct hacking attempts for the Islamic Revolutionary Guard Corps, Iran’s asymmetric warfare force.
The move comes amid heightened concern in Britain over cyberattacks from hostile states. Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), recently warned that Tehran is seeking to use cyber strategies to “sabotage and steal” from UK institutions.
NCSC reports have detailed the specific risk from Iranian cyberespionage on UK universities. Its warnings were highlighted following Tehran’s efforts in 2018 to gather personal details from university staff by duping them with phony websites.
The NCSC said it is aware of this latest attack by the Iranian outfit. The attack saw hackers impersonating SOAS academics in fake emails, asking professors, journalists and other Middle East experts to attend conferences and discussions.
After conversing and gaining their trust, the Iranian hacking group sent the experts to a spoof web page that they had added to an independent radio station based at SOAS.
The page invited the experts to submit their personal details, including a password, to access the fake events.
Details harvested by the cyber operation were then used to access other sites, such as the experts’ email accounts.
Proofpoint said the Iranian group may have also used mobile numbers gathered at the site to infect phones with malware.
It said it knew of around a dozen experts who were targeted, most of them based in Britain and the US.
The operation proved that state-sponsored hackers “are really back in the seat,” said Sherrod DeGrippo, Proofpoint’s senior director of threat research.
“Iran has always been very focused on (compromising) academics, scientists, professors and diplomats. This just shows that they’re continuing that focus, most likely because it’s been paying off.”
Proofpoint, in a report released on Tuesday, said the group is gathering information regarding geopolitics and foreign policy, especially on Iranian dissidents’ behavior.
SOAS said no personal information from its systems had been breached during the cyberattack.
“Once we became aware of the dummy site … we immediately remedied and reported the breach in the normal way,” it added. SOAS said it had “taken steps to further improve protection of (its) peripheral systems.”
