Cyber Incident Victim: SOAS University of London
Date: Jan 2021
Location: United Kingdom
Summary
An Iranian state-aligned threat actor, TA453, impersonated scholars affiliated with the University of London’s School of Oriental and African Studies (SOAS) to covertly target Middle Eastern affairs experts, journalists, and academics. The group initiated benign email conversations before directing targets to a compromised legitimate website belonging to the institution, hosting credential harvesting pages disguised as webinar registration links. This operation demonstrated increased sophistication through the use of compromised infrastructure rather than actor-controlled domains, aiming to collect sensitive information in support of Iranian intelligence objectives.
Description
In early 2021, the Iranian state-aligned threat actor TA453 initiated a covert operation targeting individuals of intelligence interest to Iran’s Islamic Revolutionary Guard Corps (IRGC). Masquerading as Dr. Hanns Bjoern Kendel, a purported senior teaching and research fellow at the University of London’s School of Oriental and African Studies (SOAS), the actor used the email address hannse.kendel4[@]gmail.com to solicit conversations with experts in Middle Eastern affairs. TA453 approached senior think tank personnel, journalists specializing in Middle Eastern coverage, and professors from prominent academic institutions under the guise of inviting them to participate in an online conference titled "The US Security Challenges in the Middle East." The initial emails appeared benign, fostering dialogue to establish trust before escalating to malicious activity.

After building rapport, TA453 directed targets to click a link purportedly for webinar registration, which led to a credential-harvesting page hosted on a compromised legitimate website belonging to SOAS, the SOAS Radio site at soasradio[.]org (a separate domain rather than a subdomain of the university's main site). The phishing URI followed the pattern hxxps://soasradio[.]org/connect/?memberemailid=[target-specific alphanumeric string], so that each target received a unique link on a trusted domain; the per-target identifier lets the actor tie any submitted credentials back to the individual who was lured. TA453 also attempted to move communications to real-time videoconferencing and asked targets for their mobile phone numbers, indicating potential plans for secondary attacks. This operation, dubbed "SpoofedScholars" by Proofpoint researchers, represented a tactical shift for TA453, which historically relied on actor-controlled phishing domains rather than compromised legitimate infrastructure.

Proofpoint identified the campaign through network traffic analysis and email monitoring, noting TA453’s use of additional suspicious accounts such as t.sinmazdemir32[@]gmail.com. The threat actor illegally accessed the SOAS Radio web infrastructure to host phishing pages, exploiting the institution’s reputation to enhance credibility. Targets who submitted credentials through the fraudulent pages risked unauthorized access to their accounts and potential follow-on espionage activities. Proofpoint collaborated with relevant authorities to notify affected parties and advised organizations to scrutinize traffic to the compromised soasradio[.]org site, in particular requests to the /connect/ path carrying a memberemailid parameter. The incident highlighted TA453’s evolving sophistication in social engineering and infrastructure compromise, aligning with IRGC intelligence-gathering priorities. No specific details regarding the number of compromised accounts or the duration of unauthorized access to SOAS systems were disclosed in the available reporting.
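The advice to scrutinize traffic to the compromised site can be turned into a simple retrospective check. The following is an added example written for this page, not Proofpoint's tooling or anything published by SOAS: it matches the indicators quoted above (the soasradio[.]org host, the /connect/?memberemailid= URI pattern, and the two Gmail sender addresses) against a constructed proxy log. The log format and the sample lines are assumptions made for illustration, and a match only says that the indicator was seen, not that credentials were entered.

```python
"""Retrospective indicator sweep for the SpoofedScholars campaign.

Example code written for this page, not Proofpoint's or SOAS's own tooling.
The proxy log format and the sample entries are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators as quoted on the page, with defanging removed.
PHISH_HOST = "soasradio.org"
PHISH_PATH = "/connect/"
PHISH_PARAM = "memberemailid"
SENDER_IOCS = {"hannse.kendel4@gmail.com", "t.sinmazdemir32@gmail.com"}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url):
    """Return 'phish' for the documented lure pattern, 'host_only' for any
    other request to the compromised site, and None for unrelated traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != PHISH_HOST and not host.endswith("." + PHISH_HOST):
        return None
    query = parse_qs(parts.query)
    if parts.path.startswith(PHISH_PATH) and PHISH_PARAM in query:
        return "phish"
    return "host_only"


def member_id(url):
    """Extract the target-specific memberemailid value, if present."""
    values = parse_qs(urlsplit(url).query).get(PHISH_PARAM)
    return values[0] if values else None


def scan_proxy_log(lines):
    """Return one dict per log line that touches the indicator host.

    Lines that do not fit the assumed layout are skipped rather than guessed at,
    so a malformed line never becomes a false negative hiding in a parse error."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m.group("url"))
        if verdict is None:
            continue
        hits.append({
            "client": m.group("client"),
            "url": m.group("url"),
            "verdict": verdict,
            "member_id": member_id(m.group("url")),
        })
    return hits


def flag_senders(addresses):
    """Return the (normalised) addresses that match the sender indicators."""
    return sorted(a.lower() for a in addresses if a.lower() in SENDER_IOCS)


# Constructed sample log lines; the lure URL shape follows the page, the rest is invented.
SAMPLE_LOG = [
    "2021-01-19T10:02:11Z 10.0.0.7 GET https://soasradio.org/connect/?memberemailid=a1b2c3d4e5 200",
    "2021-01-19T10:03:45Z 10.0.0.7 GET https://soasradio.org/shows/ 200",
    "2021-01-19T10:04:00Z 10.0.0.9 GET https://www.soas.ac.uk/ 200",
    "2021-01-19T10:05:30Z 10.0.0.12 POST https://SOASRADIO.org/connect/?memberemailid=ZZ99yy 302",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["verdict"], hit["client"], hit["member_id"], hit["url"])
    print(flag_senders(["Hannse.Kendel4@gmail.com", "colleague@soas.ac.uk"]))
```

Entries marked phish are the ones worth following up with the user, since the page notes that only targets who actually submitted credentials were at risk; host_only entries are ordinary traffic to a legitimate site and need context (timing, referrer, the email that preceded the click) before being treated as anything more.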
