Iranian Hackers Accidentally Exposed Their Training Videos
An OPSEC error by an Iranian threat actor has laid bare the inner workings of the group, offering a rare behind-the-scenes look at its methods. IBM's X-Force Incident Response Intelligence Services (IRIS) obtained nearly five hours of video recordings that the state-sponsored group it tracks as ITG18 (also known as Charming Kitten, Phosphorus, or APT35) used to train its operators.
The researchers at IBM's X-Force cyber-security division who found the recordings believe they are tutorials the Iranian group was using to train new recruits.
According to X-Force analysts, the videos were recorded with a screen-recording application named Bandicam, suggesting they were made deliberately rather than captured accidentally by operators who had infected themselves with their own malware.
Videos showed basic account hijacking techniques
The videos showed Iranian hackers performing various tasks and included steps on how to hijack a victim’s account using a list of compromised credentials.
Email accounts were primary targets, but social media accounts were also accessed if compromised account credentials were available for the target.
X-Force described the process as meticulous, with operators accessing each and every victim account, regardless of how unimportant the online profile.
This included accessing a victim’s accounts for video and music streaming, pizza delivery, credit reporting, student financial aid, municipal utilities, banks, baby product sites, video games, and mobile carriers, according to IBM X-Force. In some cases, operators validated credentials for at least 75 different websites across two individuals, they said.
Hackers accessed each account’s settings section and searched for private information that might not be included in other online accounts as part of their efforts to build a profile as complete as possible about each target.
IBM didn’t detail how the hackers obtained the credentials for each victim. It is unclear if the operators had infected the targets with malware that dumped passwords from their browsers, or if the operators had bought the credentials off the underground market.
Other videos showed how to export account data
In other videos, the operator also went through the steps to exfiltrate data from each account. This included exporting all account contacts, photos, and documents from associated cloud storage sites, such as Google Drive.
X-Force researchers say that in some cases the operators also used a victim's Google Takeout utility to export the full contents of their Google Account, including location history, data from Chrome, and associated Android devices.
In some clips, the researchers say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carriers to bank accounts, as well as some as trivial as pizza delivery and music-streaming services. "Nothing was off-limits," says IBM X-Force's Allison Wikoff. The researchers note, however, that they saw no evidence of the hackers bypassing two-factor authentication. When an account was protected by any second form of authentication, the operators simply moved on to the next one on their list.
The sort of targeting that IBM’s findings reveal fits with previous known operations tied to APT35, which has carried out espionage on behalf of Iran for years, most often with phishing attacks as its first point of intrusion. The group has focused on government and military targets that represent a direct challenge to Iran, such as nuclear regulators and sanctions bodies. More recently it has aimed its phishing emails at pharmaceutical companies involved in Covid-19 research and President Donald Trump’s re-election campaign.
It’s hardly unprecedented for hackers to accidentally leave behind revealing tools or documents on an unsecured server, points out former NSA staffer Emily Crose, who now works as a researcher for the security firm Dragos. But Crose says she’s not aware of any public instance of actual videos of state-sponsored hackers’ own operations being left for investigators, as in this case. And given that the hacked accounts likely also contain evidence of how they were compromised, she says the leaked videos may well force the Iranian hackers to change some of their tactics. “This kind of thing is a rare win for the defenders,” Crose says. “It’s like playing poker and having your opponents lay their entire hand out flat on the table in the middle of the last flop.”
Among the targeted accounts were staffers at the US State Department, an Iranian-American philanthropist, as well as US and Greek military personnel.