Threat analysts hit the cyber intel mother lode after uncovering a 40GB data leak that included training videos shedding light on the activities of an Iranian advanced persistent threat group.
In a company blog post this week, IBM X-Force Incident Response Intelligence Services (IRIS) said that the leaked assets were the result of an OPSEC error on the part of an operator belonging to the threat group known as ITG18, whose TTPs overlap with fellow reputed Iranian ATPs Charming Kitten and Magic Hound (aka Phosphorous and Rocket Kitten). IRIS discovered the contents in May 2020, as the operator uploaded the files to a server known to host ITG18 domains, according to the post, authored by IBM analysts Allison Wikoff and Richard Emerson.
The video footage consists of a series of desktop recordings, and includes an ITG18 operator exfiltrating data from a U.S. Navy member and a Hellenic Navy officer, and launching unsuccessful phishing attempts against the U.S. State Department. Perhaps most important for law enforcement investigations: the videos show personas and Iranian phone numbers apparently linked to the threat group's members.
At one point, the operator also shows how to exfiltrate data associated with AOL, Gmail, Hotmail and Yahoo – including contacts, photos and associated cloud storage, IBM reported.
The hacking of the U.S. and Hellenic Navy members was a typical representation of how ITG18 actors engage use phishing attacks to engage in credential harvesting and email compromise operations against targets of strategic interest to Iran, the blog post notes. It appears from the video that the APT was able to obtain the victims' credentials for their personal email and social media accounts.
IBM said the operator “exported all account contacts, photos, documents from associated cloud storage sites, such as Google Drive” and signed into victims’ Google Takeout for the purpose of exfiltrating Google account data such as location history, Chrome browser info and associated Android devices.
“Amongst the personal files exfiltrated on the U.S. Navy enlisted member were details on the military unit they were associated with including the Naval base they were affiliated with,” Wikoff and Richard Emerson reported. “The operator collected a significant amount of personal information about this victim including presumed residence; personal photos including numerous selfies and a video of a home being staged; tax records; and the contents of a personal cloud storage site.”