Threat analysts hit the cyber intel mother lode after uncovering a 40GB data leak that included training videos shedding light on the activities of an Iranian advanced persistent threat group.

In a company blog post this week, IBM X-Force Incident Response Intelligence Services (IRIS) said that the leaked assets were the result of an OPSEC error by an operator belonging to the threat group known as ITG18, whose TTPs overlap with those of other reputed Iranian APTs, Charming Kitten and Magic Hound (aka Phosphorus and Rocket Kitten). IRIS discovered the contents in May 2020, when the operator uploaded the files to a server known to host ITG18 domains, according to the post, authored by IBM analysts Allison Wikoff and Richard Emerson.

The video footage consists of a series of desktop recordings, and includes an ITG18 operator exfiltrating data from a U.S. Navy member and a Hellenic Navy officer, and launching unsuccessful phishing attempts against the U.S. State Department. Perhaps most important for law enforcement investigations: the videos show personas and Iranian phone numbers apparently linked to the threat group's members.
