Iranian Spies Accidentally Leaked Videos of Themselves Hacking


Karlston

IBM's X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it's targeting.

When security researchers piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they're doing and then upload the video to an unprotected server on the open internet. Which is precisely what researchers at IBM say a group of Iranian hackers did.

Researchers at IBM's X-Force security team revealed today that they've obtained roughly five hours of video footage that appears to have been recorded directly from the screens of hackers working for a group IBM calls ITG18, and which other security firms refer to as APT35 or Charming Kitten. It's one of the most active state-sponsored espionage teams linked to the government of Iran. The leaked videos were found among 40 gigabytes of data that the hackers had apparently stolen from victim accounts, including US and Greek military personnel. Other clues in the data suggest that the hackers targeted US State Department staff and an unnamed Iranian-American philanthropist.

The IBM researchers say they found the videos exposed due to a misconfiguration of security settings on a virtual private cloud server they'd observed in previous APT35 activity. The files were all uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine. The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.

This sort of data exfiltration and management of hacked accounts is hardly sophisticated hacking. It's more the kind of labor-intensive but relatively simple work that's necessary in a large-scale phishing operation. But the videos nonetheless represent a rare artifact, showing a first-hand view of state-sponsored cyberspying that's almost never seen outside of an intelligence agency.

"We don't get this kind of insight into how threat actors operate really ever," says Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos. "When we talk about observing hands-on activity, it's usually from incident response engagements or endpoint monitoring tools. Very rarely do we actually see the adversary on their own desktop. It's a whole other level of 'hands-on-keyboard' observation."

In two videos IBM showed to WIRED on the condition that they not be published, the hackers demonstrate the workflow for siphoning data out of a hacked account. In one video, the hacker logs into a compromised Gmail account—a dummy account for the demonstration—by plugging in credentials from a text document, then links it to Zimbra, email software designed to manage multiple accounts from a single interface, and uses Zimbra to download the account's entire inbox to the hacker's machine. Then the hacker quickly deletes the alert in the victim's Gmail that says their account permissions have been changed. Next the hacker downloads the victim's contacts and photos from their Google account, too. A second video shows a similar workflow for a Yahoo account.

A screenshot from a leaked video of Iranian hackers demonstrating how to exfiltrate emails from a Yahoo account using the email management tool Zimbra. Screenshot: IBM

The most telling element of the video, Wikoff says, is the speed with which the hacker exfiltrates the accounts' information in real time. The Google account's data is stolen in around four minutes. The Yahoo account takes less than three minutes. In both cases, of course, a real account populated with tens or hundreds of gigabytes of data would take far longer to download. But the clips demonstrate how quickly that download process is set up, Wikoff says, and suggest that the hackers are likely carrying out this sort of personal data theft on a mass scale. "To see how adept they are at going in and out of all these different webmail accounts and setting them up to exfiltrate, it is just amazing," says Wikoff. "It's a well-oiled machine."

In some cases, IBM's researchers could see in the video that the same dummy accounts were also themselves being used to send phishing emails, with bounced emails to invalid addresses appearing in the accounts' inboxes. The researchers say those bounced emails revealed some of the APT35 hackers' targeting, including American State Department staff as well as an Iranian-American philanthropist. It's not clear if either target was successfully phished. The dummy Yahoo account also briefly shows the phone number linked with it, which begins with Iran's +98 country code.

In other videos the IBM researchers declined to show to WIRED, the researchers say the hackers appeared to be combing through and exfiltrating data from real victims' accounts, rather than ones they created for training purposes. One victim was a member of the US Navy, and another was a two-decade veteran of the Greek Navy. The researchers say the APT35 hackers appear to have stolen photos, emails, tax records, and other personal information from both targeted individuals.

A file directory on an unsecured server used by the APT35 hackers, listing accounts whose data they had stolen. Screenshot: IBM

In some clips, the researchers say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carrier to bank accounts, as well as some as trivial as pizza delivery and music streaming services. "Nothing was off-limits," Wikoff says. The researchers note that they didn't see any evidence that the hackers were able to bypass two-factor authentication, however. When an account was secured with any second form of authentication, the hackers simply moved on to the next one on their list.

The sort of targeting that IBM's findings reveal fits with previous known operations tied to APT35, which has carried out espionage on behalf of Iran for years, most often with phishing attacks as its first point of intrusion. The group has focused on government and military targets that represent a direct challenge to Iran, such as nuclear regulators and sanctions bodies. More recently it has aimed its phishing emails at pharmaceutical companies involved in Covid-19 research and President Donald Trump's reelection campaign.

It's hardly unprecedented for hackers to accidentally leave behind revealing tools or documents on an unsecured server, points out former NSA staffer Emily Crose, who now works as a security researcher for industrial control system security firm Dragos. But Crose says she's not aware of any public instance of actual videos of state-sponsored hackers' own operations being left for investigators, as in this case. And given that the hacked accounts likely also contain evidence of how they were compromised, she says the leaked videos may well force the Iranian hackers to change some of their tactics. "This kind of thing is a rare win for the defenders," Crose says. "It's like playing poker, and having your opponents lay their entire hand out flat on the table in the middle of the last flop."

Even so, IBM says it doesn't expect its discovery of the APT35 videos to slow down the pace of the hacking group's operations. After all, it had nearly a hundred of its domains seized by Microsoft last year. "They simply rebuilt and kept going," says Wikoff. If that sort of infrastructure purge didn't slow down the Iranians, she says, don't expect a bit of exposure from leaked video to, either.

HAHAHAHA

It is a shame, if this was the case.

These boys should learn and know how to be smart enough, if they deserve the definition of what they are doing.


Iranian state hackers caught with their pants down in intercepted videos

IBM researchers steal 40GB of data from group targeting presidential campaigns.

The flag of the Islamic Republic of Iran.

Iranian state hackers got caught with their pants down recently when researchers uncovered more than 40GB of data, including training videos showing how operatives hack adversaries' online accounts and then cover their tracks.

The operatives belonged to ITG18, a hacking group that overlaps with another outfit alternatively known as Charming Kitten and Phosphorus, which researchers believe also works on behalf of the Iranian government. The affiliation has long targeted US presidential campaigns and US government officials. In recent weeks, ITG18 has also targeted pharmaceutical companies. Researchers generally consider it a determined and persistent group that invests heavily in new tools and infrastructure.

In May, IBM's X-Force IRIS security team obtained the 40GB cache of data as it was being uploaded to a server that hosted multiple domains known to be used earlier this year by ITG18. The most telling contents were training videos that captured the group's tactics, techniques, and procedures as group members performed real hacks on email and social media accounts belonging to adversaries.

Included in the footage was:

  • Almost five hours of video showing operators searching through and exfiltrating data from multiple compromised accounts belonging to two people, one a member of the US Navy and the other a seasoned personnel officer in the Hellenic Navy.
  • Failed phishing attempts that targeted US State Department officials and an Iranian American philanthropist. The failures were the result of emails bouncing because they appeared suspicious.
  • Online personas and Iranian phone numbers used by group members.

The haul of data is a potential intelligence coup because it allows researchers (and presumably US officials) to identify the strengths and weaknesses of an adversary that is steadily improving its hacking talent. Defenders can then improve protections designed to keep the attackers out. The bird’s-eye view may also have signaled plans for future ITG18 operations.

A rare opportunity

"Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations," IBM researchers Allison Wikoff and Richard Emerson wrote in a post published Thursday. "But that is exactly what X-Force IRIS uncovered on an ITG18 operator whose OPSEC failures provide a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation that is likely underway."

The videos were shot using a desktop recording tool called Bandicam and ranged from two minutes to two hours. Timestamps indicated the videos were recorded a day or so before they were uploaded. Five of the videos showed operators pasting passwords into compromised accounts and then demonstrating how to efficiently exfiltrate contacts, photos, and other data stored there and in associated cloud storage.

An ITG18 operator desktop from a Bandicam recording. Image: IBM X-Force IRIS

The footage also showed the settings that group members changed in the security configurations of each compromised account. The changes allowed the hackers to connect some of the accounts to Zimbra, an email collaboration program that can aggregate multiple accounts into a single interface. Using Zimbra made it possible to manage hacked email accounts simultaneously.

An image capture of an ITG18 operator syncing a persona account to Zimbra. Image: IBM X-Force IRIS

Three other videos revealed that the operators had compromised several accounts associated with an enlisted member of the US Navy and an officer in the Hellenic Navy. ITG18 members had credentials for what appear to be their personal email and social media accounts. In many cases, the hackers deleted emails notifying the targets that there had been suspicious logins to their accounts.

Painstaking detail

The attackers also accessed files showing the military units the Navy personnel were in, their naval base, residence, personal photos and videos, and tax records. The operators methodically combed through targets' other accounts, including those on video-streaming sites, pizza-delivery services, credit-reporting agencies, mobile carriers, and more.

"The operators appear to have been meticulously gathering trivial social information about the individuals," the IBM researchers wrote. "In total, the operator attempted to validate credentials for at least 75 different websites across the two individuals."

Other videos displayed the Iran-based phone number and other profile details for a fake persona ITG18 members used in their operations. The video also revealed attempts to send phishing emails to the Iranian American philanthropist and two possible State Department officials.

Another potentially useful discovery: when operators used a password to successfully gain initial access to an account that was protected by multifactor authentication, they would proceed no further. That suggests that Charming Kitten's previously revealed ability to bypass multifactor authentication is limited.

The behind-the-scenes account IBM obtained demonstrates the double-edged sword that’s wielded by espionage hackers. While their operations often yield useful information on their targets, the targets can also turn that around in Spy vs. Spy fashion.

Unbelievable, isn't it?

I can't believe what I'm reading, and these guys are supposed to be professionals, trying to spy? 😊😃


1 hour ago, cosy said:

I can't believe what I'm reading, and these guys are supposed to be professionals, trying to spy? 😊😃

Reminds me a bit of the old Get Smart TV series. :)
