Iranian hackers with links to the country's Islamic Revolutionary Guard Corps impersonated two academics in an attempt to hack journalists, think tank analysts, and other academics, according to a new report.
In early 2021, the hackers—dubbed inside the industry as Charming Kitten or TA453—sent emails to targets pretending to be Dr. Hanns Bjoern Kendel, and Dr. Tolga Sinmazdemir, who both teach international relations with a focus on the Middle East at School of Oriental and African Studies (SOAS) University of London. The hackers tried to establish communication with invites to fake conferences or events, and went as far as requesting a call with the targets, security firm Proofpoint wrote in a new report published on Tuesday.
"It's bold," Sherrod DeGrippo, the senior director of threat research and detection at Proofpoint said in a phone call, adding that it's not too common to see state-sponsored actors being so chatty and trying to set up calls.
Kendel, one of the academics that the hackers impersonated, told Motherboard that "of course it's stressful" to be used as bait, but he also looked at the bright side.
“On the upside I had conversations with a lot of interesting people that I would probably not have had interaction with otherwise. I’m taking it as a lived case study,” he said in an email.
"I think it was smart of them to pick me. The UK does not recognise identity theft as a crime in itself," Kendel added. "Working in the field of diplomacy and at a renowned institution, yet not senior enough to be implausible for first contact. A mixture of slightly clumsy but also highly sophisticated."
Do you research or track similar hacking campaigns? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
DeGrippo added that sometimes hackers don't actually get on a call but just do this to get the victim's username on a particular app, or their phone number, which could be useful for future hacking attempts. Or, she speculated, perhaps the hackers' government could put that number on an espionage list in case the targets ever travel to the country and use a phone network under the governments' control.
In this case, the hackers' main goal was to steal targets' passwords. They took control of a real webpage linked to SOAS and inserted malicious login buttons for Google, Yahoo, Microsoft, Outlook, AOL, and Facebook, according to the report.
"No personal information was obtained from SOAS, and none of our data systems (eg staff and student records, financial information, emails and core ac.uk website and so on) were involved or affected by this," an SOAS spokesperson told Motherboard in an email, adding that the site used by the hackers was part of an independent online radio station and production company based at SOAS.
Amin Sabeti, the founder of CERTFA, an independent security research group that focuses on Iranian hackers, said that this campaign is very similar to previous ones he and his colleagues have seen. Sabeti said they recently saw similar emails, which he believes are part of the same campaign, targeting a journalist.
Proofpoint researchers wrote in the report that they attribute this campaign to Iran based on the fact that the hackers used similar techniques to previous campaigns attributed to Charming Kitten, a group that is widely believed to be linked to Iran's IRGC.
Sabeti said that this is not the first time Charming Kitten has impersonated real people to target victims who are interesting for the Iranian regime. He also said it's not the first time they tried to get targets on the phone. In the past, Sabeti said, some victims were tricked into taking the hackers' call. Then the Iranian government published manipulated or out of context recorded snippets of those conversations in an attempt to discredit the people they tricked into getting on the phone for propaganda, according to Sabeti.
"They know what they are doing [...] They know how to identify the target and then create a profile around that target and then attack it," Sabeti said. "They are so good at social engineering, but they're shit designing malware."
DeGrippo agreed with Sabeti.
"What we're seeing here is that TA453 is really honing in on who they want to get data from, and who they want to be interacting with and tracking," she said.
Last year, CERTFA caught Iranian hackers impersonating a veteran journalist who now works for The New York Times in an attempt to hack an academic. In their report at the time, the researchers attributed the hacking attempts to Charming Kitten.
Proofpoint researchers said that the hacking group is likely working for the IRGC, given its tactics and targets. According to Sabeti, however, there is no doubt.
"I can tell you 100% they are linked to the IRGC," he told Motherboard in a phone call.
Iran's mission to the United Nations did not immediately respond to a request for comment.
Subscribe to our cybersecurity podcast CYBER, here.