Iranian APT Gang Phishes Middle East ExpertsProofpoint Describes Campaign That Uses Conference as a Lure
The Iranian advanced persistent threat group TA453 has been conducting a series of spear-phishing attacks in an attempt to steal sensitive information from scholars who study the Middle East, according to security firm Proofpoint.
TA453, also known as Charming Kitten, uses the name of a scholar associated with the University of London's School of Oriental and African Studies as the main lure for the attack. The APT also compromised a website associated with the school as a front for its operation and used it to deliver personalized credential harvesting pages disguised as registration links to online seminars, Proofpoint researchers say.
The goal of the credential harvesting effort is to gain information about foreign policy, insights into Iranian dissident movements and an understanding of U.S. nuclear negotiations, Proofpoint says.
"Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions and journalists specializing in Middle Eastern coverage," Proofpoint says.
The TA453 attackers play a "long game" with these attacks, dubbed "Operation SpoofedScholars," engaging their targets in lengthy email conversations using the hijacked scholar's name and a compromised email address, the report notes.
Once TA453 judged the target was interested in attending the online event, it set the hook by presenting the target with access to a fake registration page. The group uses the names of individuals associated with the school to lend legitimacy to their scam and to help solicit conversations with targets, according to Proofpoint.
Targeting appeared to be highly selective, with less than 10 organizations targeted, Proofpoint says.
"These groupings consistently have information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements and understanding of U.S. nuclear negotiations, and most of the identified targets have been previously targeted by TA453," Proofpoint notes.
TA453 has previously been connected to the Islamic Revolutionary Guard Corps. In November 2020, the U.S. Justice Department seized 27 website domains operated by the Revolutionary Guard Corps that were used for a covert influence campaign targeting the U.S. and other nations.
Using a Conference as a Lure
The phishing campaign attempts to attract academics to an online conference named "The U.S. Security Challenges in the Middle East." During the investigation, Proofpoint witnessed the group quickly changing tactics as it realized certain processes were not working to trick its targets, the report notes.
The security firm describes one case in which it tracked TA453 using email to invite someone to attend the conference. The group then attempted to set up a phone call with the target, who resisted and instead asked for written details on the conference. TA453 supplied this information, but then the group tried to escalate the conversation to a video chat and the victim refused, Proofpoint says.
In many cases, if a phishing target expresses interest in the conference, TA453 confirms the time when the victim intends to register and then sends the registration page link. The timing is important because the APT group needs to be online at the same time to swipe the information, the researchers note.
The link leads to the "webinar control panel" at the University of London's School of Oriental and African Studies, located on the compromised oasradio[.]org website, according to the report.
The APT tries to boost the credibility of the login process by allowing the victim to choose from multiple well-known login methods, including Google, Yahoo, Microsoft, iCloud, Outlook, AOL, mail.ru, Email and Facebook credentials, Proofpoint notes.
"When a particular provider is clicked, a pop-up box displays the actual credential phishing box. Based on the variety of email providers along with TA453's insistence that the target log on when TA453 was online, Proofpoint assesses that TA453 was planning on immediately validating the captured credentials manually," Proofpoint says.
TA453 has a track record of using legitimate online tools and websites to fool its victims into divulging information.
The gang implemented a phishing campaign in late 2020 that used SMS and email messages to spread malicious links in an attempt to steal email credentials in the U.S., Europe and the Persian Gulf region. The targets were individuals working for think tanks and political research centers, university professors, journalists and environmental activists.
In July 2020, the gang began an operation that used LinkedIn and WhatsApp messages to contact U.S. government workers and Israeli academics to build trust and persuade them to visit a phishing page.