Iranian Spies Accidentally Leaked Videos of Themselves Hacking

Iranian Spies Accidentally Leaked Videos of Themselves Hacking ...
wired.com 17/07/2020 Internet-IT

Keywords:#American, #Donald_Trump, #Gmail, #Google, #Greek, #Iran, #Iran-backed, #Iranian, #Iranian-American, #Kitten, #President, #State_Department, #Trump, #US, #WIRED, #Wired.com, #Yahoo

IBM’s X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group steals data from email accounts—and who it’s targeting.
When security researchers piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and upload the video to an unprotected server on the open internet. Which is precisely what a group of Iranian hackers may have unwittingly done.
Researchers at IBM’s X-Force security team revealed today that they've obtained roughly five hours of video footage that appears to have been recorded directly from the screens of hackers working for a group IBM calls ITG18, and which other security firms refer to as APT35 or Charming Kitten. It's one of the most active state-sponsored espionage teams linked to the government of Iran. The leaked videos were found among 40 gigabytes of data that the hackers had apparently stolen from victim accounts, including US and Greek military personnel. Other clues in the data suggest that the hackers targeted US State Department staff and an unnamed Iranian-American philanthropist.
The IBM researchers say they found the videos exposed due to a misconfiguration of security settings on a virtual private cloud server they'd observed in previous APT35 activity. The files were all uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine. The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.
This sort of data exfiltration and management of hacked accounts is hardly sophisticated hacking. It's more the kind of labor-intensive but relatively simple work that's necessary in a large-scale phishing operation. But the videos nonetheless represent a rare artifact, showing a first-hand view of state-sponsored cyberspying that's almost never seen outside of an intelligence agency.
"We don't get this kind of insight into how threat actors operate really ever," says Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos. "When we talk about observing hands-on activity, it’s usually from incident-response engagements or endpoint monitoring tools. Very rarely do we actually see the adversary on their own desktop. It's a whole other level of 'hands-on-keyboard' observation."
In two videos IBM showed to WIRED on the condition that they not be published, the hackers demonstrate the workflow for siphoning data out of a hacked account. In one video, the hacker logs into a compromised Gmail account—a dummy account for the demonstration—by plugging in credentials from a text document, and links it to the email software Zimbra, designed to manage multiple accounts from a single interface, using Zimbra to download the account's entire inbox to the hacker's machine. Then the hacker quickly deletes the alert in the victim's Gmail that says their account permissions have been changed. Next the hacker downloads the victim's contacts and photos from their Google account too. A second video shows a similar workflow for a Yahoo account.
The most telling element of the video, Wikoff says, is the speed the hacker demonstrates in exfiltrating the accounts' information in real time. The Google account's data is stolen in around four minutes. The Yahoo account takes less than three minutes. In both cases, of course, a real account populated with tens or hundreds of gigabytes of data would take far longer to download. But the clips demonstrate how quickly that download process is set up, Wikoff says, and suggest that the hackers are likely carrying out this sort of personal data theft on a mass scale. "To see how adept they are at going in and out of all these different webmail accounts and setting them up to exfiltrate, it is just amazing," says Wikoff. "It’s a well-oiled machine."
In some cases, IBM's researchers could see in the video that the same dummy accounts were also themselves being used to send phishing emails, with bounced emails to invalid addresses appearing in the accounts' inboxes. The researchers say those bounced emails revealed some of the APT35 hackers' targeting, including American State Department staff as well as an Iranian-American philanthropist. It's not clear if either target was successfully phished. The dummy Yahoo account also briefly shows the phone number linked with it, which begins with Iran's +98 country code.
In other videos the IBM researchers declined to show to WIRED, the researchers say the hackers appeared to be combing through and exfiltrating data from real victims' accounts, rather than ones they created for training purposes. One victim was a member of the US Navy, and another was a two-decade veteran of the Greek Navy. The researchers say the APT35 hackers appear to have stolen photos, emails, tax records, and other personal information from both targeted individuals.
In some clips, the researchers say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carriers to bank accounts, as well as some as trivial as pizza delivery and music-streaming services. "Nothing was off-limits," Wikoff says. The researchers note that they didn't see any evidence that the hackers were able to bypass two-factor authentication, however. When an account was secured with any second form of authentication, the hackers simply moved on to the next one on their list.
The sort of targeting that IBM's findings reveal fits with previous known operations tied to APT35, which has carried out espionage on behalf of Iran for years, most often with phishing attacks as its first point of intrusion. The group has focused on government and military targets that represent a direct challenge to Iran, such as nuclear regulators and sanctions bodies. More recently it has aimed its phishing emails at pharmaceutical companies involved in Covid-19 research and President Donald Trump's reelection campaign.
--- ---
...

Read more from Source »

Related articles based on keyword density
Media Scam? Iran and America Join Hands in Waging “The Global War on T...
globalresearch.ca 01/07/2014 Politics
By Prof Michel Chossudovsky Global Research, June 21, 2014 Following the incursion of jihadist rebels of the Islamic State of Iraq and the Levant (IS...View Details»

Iranian-American State Department official demoted after Breitbart que...
rawstory.com 22/04/2017 Military
By David Ferguson 21 Apr 2017 at 16:29 ET *** Career State Department official Sahar Nowrouzzadeh (Facebook.com) A longtime State Department off...View Details»

Taking heat, US officials defend $400M cash payment to Iran...
yahoo.com 20/08/2016 News
*** FILE - In this Oct. 23, 2015 file-pool photo, Secretary of State John Kerry, speaks to senior adviser John Kirby before a news conference in Vienn...View Details»

Pentagon says US airstrike killed powerful Iranian general...
msn.com 03/01/2020 Military
By QASSIM ABDUL-ZAHRA, Associated Press The Pentagon said Thursday that the U.S. military has killed Gen. Qassem Soleimani, the head of Iran’s elite...View Details»

Iranian Commander Soleimani Killed in US Airstrike in Baghdad...
bloomberg.com 03/01/2020 Military
U.S. Says Airstrike Against Iranian Thwarted ‘Imminent Attack’ By Jennifer Jacobs , Zaid Sabah , and Nick Wadhams January 3, 2020, 5:22 AM GMT+3:3...View Details»


EOF