Security Experts:

Connect with us

Hi, what are you looking for?



Iran-Linked Hackers Accidentally Exposed 40 GB of Their Files

A state-sponsored hacking group linked to Iran accidentally exposed one of its servers, giving researchers access to roughly 40 GB of videos and other files associated with the threat actor’s operations.

A state-sponsored hacking group linked to Iran accidentally exposed one of its servers, giving researchers access to roughly 40 GB of videos and other files associated with the threat actor’s operations.

The server, discovered in May by researchers at IBM X-Force Incident Response Intelligence Services (IRIS), belonged to a group tracked as ITG18, Charming Kitten, Phosphorous, APT35, and NewsBeef. The device, which hosted many domains used by the hackers, was accessible for three days due to a basic misconfiguration.

Researchers analyzed the files found on the server and uncovered nearly five hours of training videos recorded by the group’s members. Some of the videos showed viewers how to exfiltrate data from various online accounts, including contacts, images and files from associated cloud storage services.

ITG18, which has been active since at least 2011, has been known to target a wide range of entities, including the World Health Organization (WHO), government agencies, journalists, activists, and even presidential campaigns.

Some of the videos uncovered by IBM on the exposed server showed successful attacks against a member of the U.S. Navy and an officer in the Hellenic Navy, the naval force of Greece. The videos showed that the hackers managed to collect a significant amount of information on the two targets, including media files, personal information, and financial details, and they hacked tens of the victims’ online accounts.

“IBM X-Force IRIS did not find evidence of the two military members’ professional network credentials being compromised, and no professional information appears to have been included,” IBM said in a blog post. “However, it’s possible that the threat actor was searching for specific information within the military members’ personal files that would allow ITG18 to extend their cyber espionage operation further into the U.S. and Greek Navy.”

In addition to the two Navy members, the exposed files showed that Charming Kitten has targeted an Iranian-American philanthropist and officials in the U.S. Department of State. However, these attempts apparently failed.

IBM researchers pointed out that the hackers did not appear to bother attempting to access accounts protected by two-factor authentication.

In some cases, the individuals filming the training videos appeared to use accounts they created and in some instances a phone number with the +98 country code (the country code for Iran) was visible, enforcing the belief that ITG18 is likely operating out of Iran.

“Regardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators,” IBM said. “IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations. The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.”

Last year, Microsoft reported that it took control of 99 domains used by ITG18 after filing a lawsuit against the hackers over their use of domains that mimicked services from Microsoft and other companies.

Related: Source Code of Iran-Linked Hacking Tools Posted Online

Related: Leak Reveals Activity of Iranian Hacking Group

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.