Sophisticated social engineering: How Iranian hackers passed as top Uni scholars


Key takeaways

  • A sophisticated social-engineering attack in which attackers passed themselves off as scholars from the prestigious London-based SOAS
  • Led by the threat actor group called TA453
  • Seemingly on behalf of Iran’s IRGC, a government-backed intelligence unit
  • Highlights the lengths state actors will go to, using proxy groups as a front.

A sophisticated social engineering attack undertaken by an Iranian state-aligned actor targeted think tanks, journalists, and professors with the aim of soliciting sensitive information by masquerading as scholars with the University of London’s School of Oriental and African Studies (SOAS).

Called “Operation SpoofedScholars”, the campaign was led by the advanced persistent threat tracked as TA453, which is also known by the aliases APT35 (FireEye), Charming Kitten (ClearSky), and Phosphorus (Microsoft).

The government cyber warfare group is suspected of carrying out intelligence efforts on behalf of the Islamic Revolutionary Guard Corps (IRGC).

The attack seems to have targeted experts in Middle Eastern affairs from think tanks, senior professors from well-known academic institutions, and journalists specialising in Middle Eastern coverage. The campaign shows a new escalation and sophistication in TA453’s methods.

An example of the threat actors’ level of social engineering, where they attempted to pass themselves off as scholars from the prestigious London-based university SOAS

The attack chain involved the threat actor posing as British scholars to a select group of victims in an attempt to entice each target into clicking on a registration link for an online conference. The link was intended to capture a variety of credentials from Google, Microsoft, Facebook, and Yahoo.

To lend it an air of legitimacy, the credential phishing infrastructure was hosted on a genuine but compromised website belonging to the University of London’s SOAS Radio, through which credential harvesting pages (disguised as registration links) were delivered to unsuspecting recipients.

The threat group strengthened the credibility of the attempted credential harvest by utilising personas masquerading as legitimate affiliates of SOAS.

The attacks are believed to have commenced as far back as January 2021, before the group subtly shifted their tactics in subsequent email phishing campaigns.

Earlier this year, the same group targeted senior medical professionals who specialised in genetic, neurology, and oncology research in Israel and the U.S.

In response, SOAS released a statement, saying:

We understand that hackers created Gmail accounts to pretend to be academics and created a dummy site to seek to collect data from people they were targeting. This dummy page was placed on the website of SOAS Radio, which is an independent online radio station and production company based at SOAS. The website is separate from the official SOAS website and is not part of any of our academic domains. We understand the target was not SOAS itself, but external individuals.

To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff.

SOAS statement

The incident highlights the lengths state actors will go to, using every “cyber trick” in the book to extract information for national interests, often with proxy groups as a front. This is far from a rare occurrence, and such social engineering campaigns highlight that almost no one is immune.

From corporations to universities and everyone in between, organisations big and small need to educate their constituents, staff and stakeholders on the basics of cyber security and on social and cyber threats in order to ensure their information is safe. If even seasoned academics aren’t immune, then almost no one is.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

