Iranian military using spoofed personas to target nuclear security researchers

Hackers connected to Iran’s Islamic Revolutionary Guard Corps are allegedly using multiple personas in phishing emails to target organizations and people with information on Israel and several Gulf States, the Abraham Accords, and nuclear arms control, according to new research.

A report published Tuesday from cybersecurity firm Proofpoint tied the campaign to Iranian state-sponsored threat actor TA453, which is also known to researchers as Charming Kitten, PHOSPHORUS and APT42.

The group is using spoofed email addresses from real individuals working at the PEW Research Center, the Foreign Policy Research Institute, the UK’s Chatham House and the scientific journal Nature in spear-phishing attacks that feature emails with multiple fake personas.

The multi-person email threads are meant to make the phishing emails seem more legitimate, Proofpoint researchers explained, calling the tactic “Multi-Persona Impersonation.”

“State-aligned threat actors are some of the best at crafting well thought-out social engineering campaigns to reach their intended victims,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “In this case, our researchers have seen the Iran-aligned TA453 actor step up its game by using Multi-Persona Impersonation — capitalizing on social proof to get their target to buy into their cons.”

DeGrippo added that the technique is intriguing because it requires more resources to be used per target and may involve potentially burning more personas.

The tactic also requires a more coordinated approach among the various personalities in use by TA453, DeGrippo said. 

The report said the goal of the campaign — which began in June 2022 — is to steal sensitive data and intelligence.

The researchers shared multiple examples of the group purporting to be a journalist or policy-adjacent individual interested in collaborating with the target of the campaign.

“In this first campaign, TA453 started the conversation masquerading as ‘Aaron Stein, Director of Research at FRPI.’ The actor included a variety of questions intended to generate a dialogue about Israel, the Gulf States, and the Abraham Accords,” the researchers explained.  

“While these questions are generally meant to establish a pretext for sending a follow-up credential harvesting link or to deliver a malicious document, it is also possible they represent intelligence questions tasked to TA453. In the email, TA453’s ‘Aaron Stein’ launched the threat actor’s use of Multi-Persona Impersonation (MPI) by referring to and including a ‘Richard Wilke, director of global attitudes research at PEW Research Center’ on the CC line.”

The fake “Richard Wilke” account responded to the first email in an attempt to make the email chain seem legitimate. 

Proofpoint found another email in the campaign targeting someone involved in genome research using three different hacker-controlled accounts. When the target replied to the email, the hackers sent a OneDrive link that downloaded a malicious Word doc. 

Another email targeted a prominent academic involved in nuclear arms control about a “possible U.S. versus Russia clash” using a fake persona. Proofpoint said this email represented an evolution in the tactic because the hackers CC’d other targets that worked at the same university. 

When the target responded, they were sent a malicious document titled “The possible US-Russia clash.docx.”

The group is already creating variations of the same tactic, now sending blank emails to targets before sending follow-up emails apologizing for the blank message and CCing other compromised identities. 

DeGrippo said researchers involved in international security, particularly those specializing in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. 

“For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter,” DeGrippo added.

Last week, Mandiant released a report on APT42's seven-year campaign targeting government officials, journalists, academics, and opposition leaders around the world.

Google researchers attributed another email campaign to the same group in August, noting that the hackers were using a novel tool to download Gmail, Yahoo, and Microsoft Outlook inboxes.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.