Security researchers hit the cyber-intelligence mother lode after uncovering a 40GB data leak that included training videos shedding light on the routines of an Iranian advanced persistent threat (APT) group.
In a company blog post this week, IBM X-Force Incident Response Intelligence Services (IRIS) said the leaked assets were the result of an OPSEC mistake on the part of an operator belonging to the threat group tracked as ITG18, whose TTPs overlap with those of fellow reputed Iranian APTs Charming Kitten and Magic Hound (aka Phosphorus and Rocket Kitten). IRIS discovered the contents in May 2020, after the operator uploaded the data to a server known to host ITG18 domains, according to the post, authored by IBM analysts Allison Wikoff and Richard Emerson.
The video footage consists of a series of desktop recordings, and shows an ITG18 operator exfiltrating data from a U.S. Navy member and a Hellenic Navy officer, and launching unsuccessful phishing attempts against the U.S. State Department. Perhaps most significant for law-enforcement investigations: the videos reveal personas and Iranian phone numbers apparently linked to the threat group's members.
Image capture of ITG18 operator desktop by IBM Security.
At one point, the operator also demonstrates how to exfiltrate data associated with AOL, Gmail, Hotmail and Yahoo accounts, including contacts, photos and associated cloud storage, IBM reported.
The hacking of the U.S. and Hellenic Navy members was a typical example of how ITG18 actors use phishing attacks to carry out credential-harvesting and email-compromise operations against targets of strategic interest to Iran, the blog post notes. It appears from the video that the APT was able to obtain the victims' credentials for their personal email and social-media accounts.
IBM said the operator "exported all account contacts, photos, documents from associated cloud storage sites, such as Google Drive" and signed into victims' Google Takeout for the purpose of exfiltrating Google account information such as location history, Chrome browser data and associated Android devices.
"Among the personal files exfiltrated on the U.S. Navy enlisted member were details on the military unit they were associated with, including the Naval base they were affiliated with," Wikoff and Emerson reported. "The operator collected a significant amount of personal information about this target, including presumed home personal photos, including several selfies and a video of a house being staged, tax records and the contents of a personal cloud storage site."