New Delhi: In a rare incident, IBM cybersecurity researchers have stumbled upon a trove of data and tutorial videos belonging to a top Iranian hacking group that left the screen recordings open due to operational errors.
IBM X-Force Incident Response Intelligence Services (IRIS) uncovered rare details on the operations of the suspected Iranian threat group called ‘ITG18’, which has been associated with targeting pharmaceutical companies and the US presidential campaigns.
The ‘ITG18’ associates left open a server holding more than 40GB of data on their operations, which has now been analysed by the X-Force IRIS researchers.
Three of the video files discovered reveal that ITG18 had successfully compromised several accounts associated with an enlisted member of the US Navy as well as an officer in the Hellenic Navy.
“Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations,” said Allison Wikoff, Strategic Cyber Threat Analyst, IBM X-Force IRIS, adding that this provides a unique behind-the-scenes look into their methods and potentially, their legwork for a broader operation that is likely underway.
During three days in May, IBM X-Force IRIS discovered the 40GB of video and data files being uploaded to a server that hosted numerous ITG18 domains used in earlier 2020 activity.
Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts.
In nearly five hours of videos, an ITG18 operator is seen searching through and exfiltrating data from various compromised accounts of a member of the US Navy and of a personnel officer with nearly two decades of service in the Hellenic Navy.
The video files uncovered by IBM X-Force IRIS were desktop recordings using a tool called Bandicam, ranging from two minutes to two hours.
The timestamps of the files indicated the videos were recorded approximately one day prior to being uploaded to the ITG18-operated server.
“Using these accounts could allow the operator to obtain other data on military operations of potential interest to Iran,” the IBM researcher said on Thursday.
Some of the operator-owned accounts observed in the training videos provided additional insight into personas associated with ITG18, such as phone numbers with Iranian country codes.
IBM X-Force IRIS observed that the “Yahoo.avi” video displayed profile details for a fake persona, “which we will reference as ‘Persona A’,” including a phone number with a +98 country code, the international country code for Iran.
Other suggestions of an Iranian operator behind ‘Persona A’ included unsuccessful attempts to send emails to an Iranian American philanthropist and, potentially, to two personal email accounts of US State Department officials in April 2020, including one reportedly associated with the US Virtual Embassy to Iran.
“The recording appeared to show bounce-back emails in the operator’s inbox, notifying them that these possible spear-phishing emails did not go through, though we do not know the theme. The targeting of these individuals is in line with prior ITG18 operations,” said Wikoff.
ITG18 has been active since at least 2013.
The hallmarks of this group’s activity include credential harvesting and email compromise operations through phishing attacks against numerous targets of strategic interest to the Iranian government.