(Image: The flag of the Islamic Republic of Iran.)
Iranian state hackers were recently caught with their pants down when researchers uncovered more than 40 GB of data, including training videos that show how operators hack opponents' online accounts and then cover their tracks.
The operators were part of ITG18, a hacking group that overlaps with another outfit, alternatively known as Charming Kitten and Phosphorus, which researchers believe also works on behalf of the Iranian government. The group has long targeted US presidential campaigns and US government officials. In the past few weeks, ITG18 has also targeted pharmaceutical companies. Researchers generally regard it as a determined and persistent group that invests heavily in new tools and infrastructure.
In May, the IBM X-Force IRIS security team obtained the 40 GB data cache when it was uploaded to a server that hosted multiple domains known to have been used by ITG18 earlier this year. The most meaningful content was training videos that outlined the group's tactics, techniques, and procedures as group members carried out real intrusions into opponents' email and social media accounts.
The footage contained:
- Nearly five hours of video showing operators searching through and exfiltrating data from multiple compromised accounts of two people, one a member of the U.S. Navy and the other a veteran personnel officer in the Greek Navy.
- Failed phishing attempts against State Department officials and an Iranian-American philanthropist. The failures were the result of the emails bouncing because they were flagged as suspicious.
- Online personas and Iranian phone numbers used by group members.
The data cache is a potential intelligence coup, as it allows researchers (and probably U.S. officials) to identify the strengths and weaknesses of an opponent that is constantly improving its hacking skills. Defenders can then improve their protections to keep the attackers out. The bird's-eye view may also hint at plans for future ITG18 operations.
A rare opportunity
"There are rarely ways to understand how the operator behaves behind the keyboard, and there are even fewer records that the operator has created and that show how they work," wrote IBM researchers Allison Wikoff and Richard Emerson in a post published Thursday. "But that's exactly what X-Force IRIS uncovered from an ITG18 operator whose OPSEC errors offer a unique look behind the scenes of their methods and possibly their prerequisites for broader operations that are likely to be underway."
The videos were recorded using a desktop recording tool called Bandicam and were between two minutes and two hours long. Timestamps indicated that the videos were recorded about a day before they were uploaded. Five of the videos showed operators entering passwords into compromised accounts and then demonstrating how contacts, photos, and other data stored there and in the associated cloud storage can be efficiently exfiltrated.
(Image: An ITG18 operator desktop from a Bandicam recording. Credit: IBM X-Force IRIS)
The footage also showed the settings that group members had changed in the security configuration of each compromised account. The changes enabled the hackers to connect some of the accounts to Zimbra, an email collaboration program that allows multiple accounts to be merged into a single interface. With Zimbra, the hacked email accounts could be managed simultaneously.
(Image: A screen capture of an ITG18 operator synchronizing a persona account with Zimbra. Credit: IBM X-Force IRIS)
Three other videos showed that operators had compromised several accounts belonging to an enlisted U.S. Navy member and a Greek Navy officer. ITG18 members had credentials for their personal email and social media accounts. In many cases, the hackers deleted the emails that would have notified the targets of suspicious logins to their accounts.
The attackers also accessed files that listed military units, their naval base, their residence, personal photos and videos, and tax records. Operators methodically searched the targets' other accounts, including those on video streaming websites, pizza delivery services, credit bureaus, mobile operators, and more.
"The operators seem to have meticulously collected trivial social information about the people," wrote the IBM researchers. "Overall, the operator tried to verify credentials for at least 75 different websites between the two people."
Other videos showed the Iranian phone number and other profile details for a fake persona that ITG18 members used in their operations. The videos also revealed attempts to send phishing emails to the Iranian-American philanthropist and two possible State Department officials.
Another potentially useful discovery: when operators used a password to successfully reach an account that was protected by multi-factor authentication, they did not proceed. This suggests that Charming Kitten's previously disclosed ability to bypass multi-factor authentication is limited.
IBM's behind-the-scenes report shows the double-edged sword wielded by spy hackers. While their operations often yield useful intelligence about their targets, they can also be turned against the spies themselves, spy-versus-spy style.
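The three operator behaviours the videos expose (deleting the login-alert emails, enabling mail-client synchronization so a compromised mailbox can be pulled into an aggregator such as Zimbra, and abandoning an account once an MFA challenge appears) are all visible in ordinary account audit logs. The script below is an added example, not code from IBM X-Force IRIS or the report; it runs simple detection rules over a constructed sample log whose format, event names, and key=value fields are assumptions about a generic mail provider's audit trail:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not taken from the IBM report). The line
# format "TIMESTAMP ACCOUNT EVENT key=value ..." and the event names are
# assumptions about a generic mail provider's audit trail.
SAMPLE_LOG = """\
2020-05-01T08:00:00Z alice login_success ip=198.51.100.7 new_location=true
2020-05-01T08:00:05Z alice alert_email_sent subject=new_sign_in
2020-05-01T08:02:30Z alice email_deleted subject=new_sign_in
2020-05-01T08:05:00Z alice setting_changed key=imap_access value=enabled
2020-05-01T08:06:00Z alice client_connected agent=Zimbra
2020-05-01T09:00:00Z bob password_accepted ip=198.51.100.7
2020-05-01T09:00:02Z bob mfa_challenge_issued
2020-05-02T09:00:00Z carol login_success ip=203.0.113.4 new_location=false
2020-05-02T09:00:04Z carol alert_email_sent subject=new_sign_in
"""

# How long after a triggering event a follow-up event still counts as related.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Turn 'TS ACCOUNT EVENT k=v ...' into a dict with a datetime timestamp."""
    ts, account, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
           "account": account, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyse(log_text, window=WINDOW):
    """Return {account: [finding, ...]} for the three behaviours described.

    alert_suppressed             - a login-alert email was deleted shortly after delivery
    sync_enabled_after_new_login - IMAP/sync enabled or a mail client attached after a
                                   login from a new location
    mfa_blocked_credential       - password accepted but the MFA challenge was never
                                   completed, so the password itself is likely known
    """
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_account[rec["account"]].append(rec)

    findings = defaultdict(list)
    for account, events in by_account.items():
        events.sort(key=lambda r: r["ts"])
        for i, ev in enumerate(events):
            # Only events that follow ev within the correlation window matter.
            later = [e for e in events[i + 1:] if e["ts"] - ev["ts"] <= window]

            if ev["event"] == "alert_email_sent":
                if any(e["event"] == "email_deleted"
                       and e.get("subject") == ev.get("subject") for e in later):
                    findings[account].append("alert_suppressed")

            if ev["event"] == "login_success" and ev.get("new_location") == "true":
                if any((e["event"] == "setting_changed" and e.get("value") == "enabled")
                       or e["event"] == "client_connected" for e in later):
                    findings[account].append("sync_enabled_after_new_login")

            if ev["event"] == "password_accepted":
                challenged = any(e["event"] == "mfa_challenge_issued" for e in later)
                completed = any(e["event"] == "mfa_success" for e in later)
                if challenged and not completed:
                    findings[account].append("mfa_blocked_credential")
    return dict(findings)


if __name__ == "__main__":
    for acct, flags in analyse(SAMPLE_LOG).items():
        print(acct, flags)
```

On the sample log, `alice` is flagged for both alert suppression and post-login sync enablement, `bob` is flagged because a correct password met an MFA challenge that was never completed (the password should be rotated even though the login was blocked), and `carol`, whose alert email was delivered and left in place, produces no finding. In a real deployment the same rules would run over the provider's audit export, and the alert-deletion rule in particular is worth alerting on out of band (SMS or a second mailbox), since the whole point of the behaviour is to hide the notification from the account's inbox.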