Security News
Masquerading as UK scholars with the University of London's School of Oriental and African Studies, the threat actor TA453 has been covertly approaching individuals since at least January 2021 to solicit sensitive information. The threat actor, an APT that we assess with high confidence supports Islamic Revolutionary Guard Corps intelligence collection efforts, established backstopping for their credential phishing infrastructure by compromising a legitimate site of a highly regarded academic institution to deliver personalized credential harvesting pages disguised as registration links.
In a recent attack campaign, the Iran-linked threat actor tracked as TA453 has been posing as UK scholars with the University of London's School of Oriental and African Studies to engage targets of interest and steal their credentials, security researchers with Proofpoint reveal. Believed to be supporting the information collection efforts of the Iranian Revolutionary Guard Corps, TA453 engaged in benign conversations with their targets up to the point when they served a 'registration link' leading to a legitimate, albeit compromised, website of the University of London's SOAS Radio.
A sophisticated social engineering attack undertaken by an Iranian state-aligned actor targeted think tanks, journalists, and professors with the aim of soliciting sensitive information by masquerading as scholars with the University of London's School of Oriental and African Studies. "Identified targets included experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specializing in Middle Eastern coverage," the researchers said in a technical write-up shared with The Hacker News.
The websites of Iran's transport and urbanization ministry went out of service on Saturday after a "cyber disruption" in the computer systems of its staff, the official IRNA news agency reported. This is the second abnormality in computer systems related to the ministry.
Threat hunters at Kaspersky are sounding a warning for an Iranian APT actor that has been silently conducting domestic cyber-surveillance operations for the last six years. The newly discovered APT, which Kaspersky calls Ferocious Kitten, has been active since at least 2015 and has used clever computer infection tricks to hijack Telegram and Chrome installations to deploy a malicious payload. The Russian cybersecurity vendor said it also observed signs that Android implants have been used to target mobile users in Iran.
Over the past year, an Iran-linked threat actor named Agrius has been observed launching destructive attacks on Israeli targets disguised as ransomware attacks, according to endpoint security company SentinelOne. Likely state-sponsored, the threat group initially engaged in cyberespionage attacks but then attempted to extort victims, claiming to have exfiltrated and encrypted data.
An Iranian hacking group has been observed camouflaging destructive attacks against Israeli targets as ransomware attacks while maintaining access to victims' networks for months in what looks like an extensive espionage campaign. "Initially engaged in espionage activity, Agrius deployed a set of destructive wiper attacks against Israeli targets, masquerading the activity as ransomware attacks," said Amitai Ben Shushan Ehrlich, Threat Intelligence Researcher at SentinelOne.
Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard'," cybersecurity firm Flashpoint said in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel.
An Iranian threat actor has unleashed a new cyberespionage campaign against a possible Lebanese target with a backdoor capable of exfiltrating sensitive information from compromised systems. Cybersecurity firm Check Point attributed the operation to APT34, citing similarities with techniques previously used by the threat actor as well as its pattern of victimology.
Deviating from their typical activity, an Iranian threat actor known as TA453 has mounted a phishing campaign targeting senior medical professionals in the United States and Israel, cybersecurity firm Proofpoint reports. Also referred to as Charming Kitten, Phosphorus, APT35, Ajax Security Team, ITG18, NewsBeef, and Newscaster, the group has been active since at least 2011, mainly targeting activists, journalists, and other entities in the Middle East, the U.K., and the U.S. The new campaign, which Proofpoint named BadBlood due to its focus on medical personnel, targeted individuals specializing in genetics, neurology, and oncology research, in line with a broader trend in which threat actors are targeting medical research.