Account Takeover Fraud , Cybercrime , Cyberwarfare / Nation-State Attacks
Iranian Hackers Accidentally Exposed Training VideosIBM: Videos Describe Attacks on US Navy and State Department Personnel
An Iranian-backed hacking group appears to have accidentally left over 40 GB of training videos and other material exposed online, according to researchers at IBM, X-Force who found the unprotected server. The material includes videos describing attacks aimed at U.S. Navy and State Department personnel.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
The videos, some of which are five-hours long, show desktop recordings of the hacking group's activities, which appear to have been made to help train other potential hackers and recruits. They also show how the group uses techniques such as phishing emails against their targets, according to IBM.
The server and the videos belong to a hacking group that IBM calls ITG18. Other researchers call the group Charming Kitten or Phosphorus. The group, considered one of Iran's top state-sponsored hacking groups, has been linked to operations aimed at the U.S. and other nations (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
"What we found very interesting is, in fact, the lack of sophistication used by ITG18 to carry out their operations," Richard Emerson, cyberthreat analyst with IBM, tells Information Security Media Group. "The use of off-the-shelf, legitimate tools to collect and exfiltrate victim data really goes to show that Iranian threat actors don't need to be sophisticated to be effective. Another thing we gleaned from this research is the sheer speed with which ITG18 actors operated - in some cases the operator was in and out of email accounts within two minutes. That goes to show that these are actions and movements they've likely done many times before."
After discovering and then analyzing the videos in May, IBM contacted several U.S. federal government agencies and shared the results with authorities, Emerson says. About a week after the discovery, the hacking group closed off access to the server, according to IBM.
Videos Show Targeting
In the videos seen by IBM researchers, Iranian hackers appear to have targeted a U.S. Navy sailor, an Iranian-American philanthropist, U.S. State Department officials and an officer with the Hellenic Navy - the naval force of Greece, according to the report.
Although not every operation against these targets was successful, the researchers note that, in some cases, the hackers were able to access email and social media accounts and use their data for precision targeting.
The attackers recorded these hacking activities using a screen-recording app called BandiCam. These videos were then used to train new recruits, according to the researchers.
IBM researchers discovered a total of five videos with titles such as "AOL.avi," "Aol Contact.avi," "Gmail.avi," "Yahoo.avi" and "Hotmail.avi." These videos showed how the hacking group uses stolen credentials from various social media and email platforms to demonstrate to recruits how to exfiltrate datasets from these accounts, the researchers note.
In one video, an attacker can be seen engaging in an unsuccessful phishing attempt targeting the email accounts of an unnamed Iranian-American philanthropist, two U.S. State Department officials and one account that was associated with the U.S. Virtual Embassy of Iran, according to the report.
"The recording appeared to show bounce-back emails in the operator’s inbox, notifying them that these possible spear-phishing emails did not go through, though we do not know the theme," the IBM researchers note.
The researchers also uncovered three videos in which the ITG18 hackers successfully compromised accounts associated with U.S. and Greek naval officers, according to the report.
"The videos show the operator following a similar playbook to the training videos involving the personal accounts," according to IBM "Once successful access to victims' accounts was gained, the ITG18 operator actively deleted notifications sent to the compromised accounts suggesting suspicious logins, presumably as to not alert the victims."
The attackers then proceeded to export the account contacts, photos and documents from various cloud storage sites, such as Google Drive, from the compromised email accounts, according to the researchers.
Using the compromised emails, the attackers then obtained other trivial information, such as details on their pizza delivery schedule, student financial aid, municipal utilities, baby products and video games, to create more precise targeting of the victim, the report notes.
The IBM researchers further note that some other videos showed the attackers successfully bypassing two-factor authentication.
In June, researchers with Google found that this same Iranian hacking group, which they call APT35, unsuccessfully targeted the presidential campaign of Donald Trump (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).
The Google researchers also found that a hacking group associated with China's government attempted to target the campaign of Democratic presidential nominee Joe Biden at about the same time.