A group of Iranian hackers posing as British-based academics with the aim of targeting individuals in a cyber-espionage campaign has been discovered.
The hacker group compromised a website belonging to the School of Oriental and African Studies (SOAS), University of London and attempted to steal information.
The campaign was uncovered by cyber-security company Proofpoint, which believes the attackers are associated with the Iranian state.
Earlier this year, emails claiming to be from a “senior teaching and research fellow” at SOAS University in London invited people to an online conference named The US Security Challenges in the Middle East. The emails were not sent by the real academic but rather by a cyber-espionage group linked to the Iranian Revolutionary Guards.
Once a conversation was started, the target was emailed a “registration link” hosted on a real website which the attackers had already compromised. The website belonged to SOAS Radio, an independent online radio station and production company.
The link led to a page offering to log in through various email providers; the fake login forms captured any usernames and passwords the target entered.
“(It) is highly unusual and more sophisticated for this group,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told the BBC.
It was noted that the conversation between the fake academic and the target could be very long in order to build trust before sending the registration link. In one instance, the target asked for more information and the attackers suggested they connect via video conference.
According to Proofpoint, the operation was very focused and targeted senior think-tank personnel working on the Middle East, academics and journalists focused on the region.
They were likely targeted because they might hold information on other countries’ foreign policy towards Iran, on Iranian dissidents, or on negotiations over Iran’s nuclear programme.
SOAS says no personal information was obtained and its own data systems were not affected. The university added that the compromised website was separate from the official SOAS website.
“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sorts of peripheral systems,” the university told the BBC in a statement.