A state-sponsored hacking group linked to Iran accidentally exposed one of its servers, giving researchers access to roughly 40 GB of videos and other files associated with the threat actor’s operations.
The server, discovered in May by researchers at IBM X-Force Incident Response Intelligence Services (IRIS), belonged to a group tracked as ITG18, Charming Kitten, Phosphorous, APT35, and NewsBeef. The device, which hosted many domains used by the hackers, was accessible for three days due to a basic misconfiguration.
Researchers analyzed the files found on the server and uncovered nearly five hours of training videos recorded by the group’s members. Some of the videos showed viewers how to exfiltrate data from various online accounts, including contacts, images and files from associated cloud storage services.
ITG18, which has been active since at least 2011, has been known to target a wide range of entities, including the World Health Organization (WHO), government agencies, journalists, activists, and even presidential campaigns.
Some of the videos uncovered by IBM on the exposed server showed successful attacks against a member of the U.S. Navy and an officer in the Hellenic Navy, the naval force of Greece. The videos showed that the hackers managed to collect a significant amount of information on the two targets, including media files, personal information, and financial details, and they hacked tens of the victims’ online accounts.
“IBM X-Force IRIS did not find evidence of the two military members’ professional network credentials being compromised, and no professional information appears to have been included,” IBM said in a blog post. “However, it’s possible that the threat actor was searching for specific information within the military members’ personal files that would allow ITG18 to extend their cyber espionage operation further into the U.S. and Greek Navy.”
In addition to the two Navy members, the exposed files showed that Charming Kitten has targeted an Iranian-American philanthropist and officials in the U.S. Department of State. However, these attempts apparently failed.
IBM researchers pointed out that the hackers did not appear to bother attempting to access accounts protected by two-factor authentication.
In some cases, the individuals filming the training videos appeared to use accounts they created and in some instances a phone number with the +98 country code (the country code for Iran) was visible, enforcing the belief that ITG18 is likely operating out of Iran.
“Regardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators,” IBM said. “IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations. The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.”
Last year, Microsoft reported that it took control of 99 domains used by ITG18 after filing a lawsuit against the hackers over their use of domains that mimicked services from Microsoft and other companies.
Related: Source Code of Iran-Linked Hacking Tools Posted Online