BACKGROUND:
The Proofpoint has uncovered an Iranian group called “SpoofedScholars” targeting universities and academic individuals. It is believed that the group has successfully compromised the website belonging to the School of Oriental and African Studies (SOAS) and the University of London to try to steal the confidential information. They also operate with a different name “Charming Kitten” and mainly target in US and UK using sophisticated techniques.
<p>This attack heavily relied on social engineering, and so, highlights the need for institutions to educate staff and students by running phishing exercises and raising awareness of the latest attack vectors through threat intelligence research. In much the same way that dirt is good for the immune system, exposing employees to the techniques used by cyber attackers is extremely important. Furthermore, organisations should also provide staff and students with comprehensive protection from external threats covering network, email, and host-based monitoring to spot attacks, implementing an extra layer of defence. </p>
<p>For students and staff associated with institutions affected by this attack it is important to remain cautious and act as if your details have been breached until notified otherwise. Also consider the password you utilise for associated accounts, if this has been duplicated on other accounts, this should be changed promptly.</p>
<div>The credential harvesting operation aligns with UNC788, an Iran-nexus threat actor frequently targeting journalists, government officials, and the Iranian diaspora and members of the opposition. In 2021, UNC788 used compromised email accounts to target Middle East researchers, U.S. government officials involved in Middle East and Iran policy, and Iranian diaspora figures. UNC788 has frequently impersonated individuals, in one case, the actor posed as a well-known journalist requesting an interview to gain the target\’s trust before directing them to a credential harvesting page.</div>
<div>
<p>This sort of attack is, in truth nothing, new. It is simply a well-orchestrated phishing attack designed to steal usernames and passwords from targeted groups of people. It is very easy to create a “fake” version of a legitimate website and hide the bad intentions without the victims noticing. This time, however, the alleged <span class=\"il\">Iranian</span> hackers found it easier to compromise a legitimate website instead of harvesting credentials. While logging onto sites using social media credentials such as Google, Facebook & Microsoft offer convenience to people, it also offers convenience to hackers; if they can fool you into giving away those credentials they can get into a lot more systems, including your email where all the password reset notifications go. It\’s like getting the keys to the kingdom. It is more important than ever to ensure that you and your users are not using a known compromised password.</p>
</div>
<p>Unfortunately, higher education institutions are at high risk of being targeted by cybercriminals as they harbour highly sensitive information on both individuals as well as on-going, cutting-edge research. Indeed, they are home to some of the most advanced research projects in the world. Moreover, due to a prevalent use of emails and lack of security awareness training among staff and students, the chances of someone falling victim to a phish are rather high. </p>
<p>This cyber-espionage attempt by the Iranian group, “Charming Kitten”, demonstrates an urgent need to train students and professors alike to spot suspicious emails. Some top tips include checking the email address as well as the sender (if it\’s from @<a href=\"http://gmail.com\" target=\"_blank\" rel=\"noopener\" data-saferedirecturl=\"https://www.google.com/url?q=http://gmail.com&source=gmail&ust=1626276113299000&usg=AFQjCNFfkPrYwXLk2RO_bjq2zakm3F4PSg\">gmail.com</a> it\’s probably not a legitimate organisation), looking for grammatical mistakes, or a strange sense of urgency in the messaging. If an individual realises they have been breached, they should immediately take action by changing their personal password and alerting the university.</p>
<p>It’s unusual but not unheard of for malicious actors to contact individuals as part of their attack profile. Earlier this year, for example, young patients at the Vastaamo Clinic in Finland were approached individually by the perpetrator of a Ransomware attack when the company refused to pay them itself. In this case, targeting academics is a fairly safe undertaking as they represent a vast, multinational community and their job is to collaborate. To this end, things like conference invitations are commonplace and a good cover for the attack described by Proofpoint in their report. The best defence for any individual who may be targeted is critical thinking. Always question messages, corroborate information and check credentials independently. It’s often a good idea, if conferences and events make up a substantial part of your work, to set up a separate email account etc. for event registrations to sandbox your regular contact details. Most people do this to stop all of the post-event marketing material but it’s a good protection tool too. I’m sure these types of attacks will grow in popularity as the methodologies become known so getting a head start and training yourself to be circumspect and cautious can only be a good thing.</p>