‘Iranian hackers’ impersonated academics at London university

Iranian hackers impersonated academics at London’s School of Oriental and African Studies to conduct an online espionage campaign targeting experts on the Middle East, according to the cyber security company Proofpoint.

The hacking attempt was carried out by a group called Charming Kitten, also known as “Phosphorus” and APT35, which is widely thought by regional experts to carry out intelligence efforts on behalf of Iran’s elite Revolutionary Guard.

Iran — alongside Russia, China and North Korea — is one of the most potent cyber aggressors facing the UK and its allies. Lindy Cameron, chief executive of the National Cyber Security Centre, a branch of signals intelligence agency GCHQ, warned last month that Iran was using digital technology to “sabotage and steal” from a range of British organisations.

The NCSC has previously highlighted Iran’s particular interest in online espionage aimed at UK academics, including a 2018 campaign that harvested personal details from university staff by creating fake web pages linked to academic libraries.

The most recent operation, identified by Proofpoint, involved hackers sending out spoof emails purporting to be from a real Soas academic, inviting recipients to take part in conferences and events. Once a rapport had been established, the recipients, who were experts in Middle Eastern affairs from think-tanks, academia and journalism, were directed to a dummy web page that hackers had inserted into the site of Soas Radio, an independent online broadcaster based at the university. 

On this page, the espionage targets were invited to “register” for events by providing personal details, including a password, which were seized by the hackers and used to access other sites, such as the individuals’ email accounts. The targets were also encouraged to share their mobile phone numbers, which Proofpoint said might have been an attempt to insert malware into the devices.

The cyber security company, which published details of the campaign on Tuesday, is aware of about 10 individuals who were targeted, most of whom were based in the US and the UK. The campaign began as far back as January, and a few months later the hackers started sending emails claiming to be from a second Soas academic. These individuals are not accused of any wrongdoing.

Sherrod DeGrippo, senior director of threat research at Proofpoint, said the campaign was evidence that after a reduction in operations by some hacking groups at the height of Covid-19 lockdowns last year, state-sponsored hackers “are really back in the seat”.

“Iran has always been very focused on [targeting] academics, scientists, professors and diplomats,” DeGrippo added. “This just shows that they are continuing that focus, most likely because it’s been paying off.”

In its report, Proofpoint said the hackers had been seeking information about foreign policy, including insights into Iranian dissident movements, and an understanding of Tehran’s negotiations with the US on nuclear matters.

Soas emphasised that the target of the hacking attempt was not the university’s own staff, but other academics, and said there was no suggestion that its employees had breached cyber security protocols.

It said no personal information or data from Soas’s systems had been accessed in the course of the campaign.

“Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way,” it said, adding that the university had “taken steps to further improve protection of [its] peripheral systems”.

The NCSC, which advises on the UK’s cyber defences, said it was “aware” of this campaign and that it was working “closely” with the academic sector to help improve cyber resilience.

“Universities handle valuable data which can make them a lucrative target for malicious cyber actors, including hostile states and cyber criminals,” it said.