Published in News

IBM watches Iranian hacker training video

by on17 July 2020


Five hours of footage

Security experts at IBM’s X-Force security team have obtained roughly five hours of video footage that appears to have been recorded directly from the screens of hackers working for a group IBM calls ITG18, and which other security firms refer to as APT35 or Charming Kitten.

For those who came in late, the group is  one of the most active state-sponsored espionage teams linked to the Iranian government.

The leaked videos were found among 40 gigabytes of data that the hackers had stolen from victim accounts, including US and Greek military personnel. Other clues in the data suggest that the hackers targeted US State Department staff and an unnamed Iranian American philanthropist.

The IBM researchers say they found the videos exposed due to a misconfiguration of security settings on a virtual private cloud server they'd observed in previous APT35 activity.

The files were all uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine.

The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts.

They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.

Details are not cutting edge hacking and are mostly how to handle a large-scale phishing operation.

The hackers demonstrate the workflow for siphoning data out of a hacked account. In one video, the hacker logs into a compromised Gmail account—a dummy account for the demonstration—by plugging in credentials from a text document, and links it to the email software Zimbra, designed to manage multiple accounts from a single interface, using Zimbra to download the account's entire inbox to the hacker's machine. Then the hacker quickly deletes the alert in the victim's Gmail that says their account permissions have been changed. Next the hacker downloads the victim's contacts and photos from their Google account too. A second video shows a similar workflow for a Yahoo account.

IBM X-Force senior analyst Allison Wikoff said that security experts rarely get to see how threat actors operate.

“When we talk about observing hands-on activity, it’s usually from incident-response engagements or endpoint monitoring tools. Very rarely do we actually see the adversary on their own desktop. It's a whole other level of 'hands-on-keyboard' observation."

IBM showed two videos to Wired on the condition that they not be published,

Last modified on 17 July 2020
Rate this item
(0 votes)

Read more about: