How Iranian Hackers Targeted British Experts to Steal Information

Governments have enlisted the help of hackers throughout the digital age, as user data remains the target of many institutions, be they governmental or otherwise. These targets include not only state secrets but also a wide range of intellectual property and academic knowledge.

Headlines have repeatedly demonstrated the effectiveness of these government-sponsored digital assaults, with hacks originating from China, Russia and, more recently, Iran having obtained sensitive information.

The Islamic Republic’s history of hacking has regularly raised eyebrows, as the country invests resources in developing its own cyber forces and organizations, according to Catherine Theohary, a United States specialist in National Security Policy, Cyber and Information Operations.

Iran’s investment seems to be paying off, as its most recent hacking operation stands out from the rest for its sophistication and carefully cultivated execution.

Proofpoint, an American cyber-security company, published a report on Tuesday identifying an Iranian hacker cell that posed as British academics at London’s School of Oriental and African Studies (SOAS).

In a cyber-espionage campaign aimed at stealing information from academic experts on the Middle East, the hackers, operating under the group name “SpoofedScholars,” began by sending emails to members of SOAS in London.

The emails contained invitations to an online conference titled “The U.S. Security Challenges in the Middle East,” asking the recipients to speak at the event.

The hacker group is widely believed by regional experts in the UK to be linked to the intelligence unit of Iran’s elite Revolutionary Guard. Stealing sensitive information on foreign policy, insights into anti-Iranian movements and the United States’ negotiations over Iran’s nuclear program is one of the many ways Iran ensures it stays one step ahead of its opposition, according to Proofpoint.

After a flurry of emails sent from a Gmail account, victims of the cyber-espionage operation began corresponding with the Iranian hackers. This rapport gave the spies the opportunity to send their targets a “registration link” hosted on a genuine university website that the hackers had compromised beforehand.

A screenshot of the hacked website which invited recipients of the email to register using their credentials. Credits: Proofpoint. 

The website originally belonged to the university’s online radio station and production company. By illicitly harvesting SOAS members’ credentials through this page, the Iranian hackers collected usernames and passwords. Stealing such information is nothing new, but the method showcased the intricacy of the Iranian group’s hacking skills.
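As an added illustration (not from the article or Proofpoint’s report), the Python below checks a constructed email against the lure pattern described above: an institutional identity claimed in the display name while the message comes from a free webmail address, replies routed elsewhere, and a link the text frames as a registration or login step. The sample message, addresses and domains are placeholders, and the webmail list is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Institution wording to look for in a sender's display name (from the article).
INSTITUTION_HINTS = ("soas", "school of oriental and african studies")
# Free webmail providers; assumed list, the campaign above used Gmail.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Wording that suggests a link leads to a page asking for credentials.
LOGIN_WORDS = ("register", "login", "log in", "sign in", "credentials")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def assess_invitation(raw: str) -> list[str]:
    """Return the reasons a plain-text message matches the spoofed-academic lure."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    # 1. Institutional identity in the display name, but sent from free webmail.
    if any(h in display_name.lower() for h in INSTITUTION_HINTS) and sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"display name claims institution but sender is webmail ({sender_domain})")

    # 2. Replies silently routed to a mailbox other than the visible sender.
    if reply_to and reply_to.lower() != sender.lower():
        findings.append(f"Reply-To ({reply_to}) differs from From ({sender})")

    # 3. A link the surrounding text frames as a registration/login step. The host is
    #    deliberately NOT used to clear a link: in the campaign above the page sat on a
    #    genuine, compromised university site, so a trusted-looking domain is no pass.
    lines = body.splitlines()
    for i, line in enumerate(lines):
        for url in URL_RE.findall(line):
            context = " ".join(lines[max(0, i - 1):i + 1]).lower() + " " + url.lower()
            if any(w in context for w in LOGIN_WORDS):
                findings.append(f"link framed as a credential/registration step: {url}")
    return findings

# Constructed sample lure (placeholder names and domains, not real indicators).
SAMPLE_LURE = """\
From: "Dr Example Scholar, SOAS University of London" <example.scholar@gmail.com>
Reply-To: example.scholar.office@gmail.com
Subject: Invitation: The U.S. Security Challenges in the Middle East

We would be honoured to have you speak at our online conference.
Please register using your university credentials:
https://radio.university.example/conference/register
"""
```

Running `assess_invitation(SAMPLE_LURE)` returns three findings, one per check; a message from an institutional address with no Reply-To and no login-framed link returns an empty list.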

Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told the BBC that the hacking operation was “highly unusual and more sophisticated for this group.”

For instance, a member of SOAS in London reported that communication with the hacker group was lengthy, which helped establish confidence between both parties. The university member went on to request a private video conference, to which the hackers agreed.

Although Proofpoint does not state whether the video call took place, the Iranian group’s willingness to connect over video rather than only by email highlighted the confidence the hackers had in their ability to mimic academics in real life.

According to Proofpoint, almost 10 organizations were targeted, primarily professors and senior think-tank personnel knowledgeable about Middle Eastern affairs, as well as individuals with ties to regional journalists.

Once the university became aware of the breach, the site was taken down and promptly fixed. SOAS issued a statement reassuring its staff that neither personal information nor the university’s data had been leaked.

SOAS added that it had “taken steps to further improve protection of its peripheral systems.” 

Earlier last month, Lindy Cameron, chief executive officer of the UK’s National Cyber Security Centre, told the Financial Times that British citizens should expect multiple hacking attempts from Iran, as its intelligence services have been using digital technology to steal information.
 
“Iran has always been very focused on [targeting] academics, scientists, professors and diplomats,” DeGrippo told the Financial Times. “This just shows that they are continuing that focus, most likely because it’s been paying off.”