The trove of videos was identified by IBM’s X-Force researchers but it is unclear whether it will be shared with the public or not.
According to a report from the X-Force Incident Response Intelligence Services (IRIS) of IBM, an OPSEC error led to the leaking of several videos that demonstrate the modus operandi of the Iranian hackers.
The researchers obtained roughly five hours-worth of exclusive footages, which the hackers used to train their junior team members regarding operating hacked email accounts.
One of the videos shows hackers accessing hacked Yahoo Mail and Gmail accounts, downloading their content, and exfiltrating additional Google-hosted data from the victims.
It all makes sense as in December 2018, Charming kitten hackers were found bypassing Gmail and Yahoo’s 2FA (two-factor authentication) to target US officials.
Some footages show hackers managing “adversary-created accounts,” while in others, they are merely accessing/exfiltrating data from already hacked accounts.
The videos also reveal that the hackers could access social media accounts of their targets via spear-phishing [PDF]. Though the techniques aren’t as sophisticated as we might expect, however, the videos do offer a first-hand view of how state-sponsored hackers operate.
Moreover, the researchers obtained Bandicam’s screen-recording tool’s data, which demonstrated that the hackers linked their target’s credentials to Zimbra email software for monitoring/managing the compromised email accounts.
Zimbra allows the management of multiple accounts through one interface and can download the entire inbox to the device. Using Zimbra, the hackers could log in to their victims’ accounts, delete suspicious login notifications, and steal contacts, documents, and photos from Google Drive.
As stated by a senior analyst at IBM’s X-Force, Allison Wikoff,
“We don’t get this kind of insight into how threat actors operate really ever. Very rarely do we actually see the adversary on their own desktop. It’s a whole other level of ‘hands-on-keyboard’ observation.”
It is worth noting that the videos got exposed due to a virtual private cloud’s security settings’ misconfiguration. The data was uploaded on the exposed server during May, at a time when IBM was monitoring the machine.
ITG18 is amongst the most active state-backed espionage groups currently operating in the cyberspace. The videos were seemingly recorded directly from the hackers’ screens, and IBM states that it has obtained the videos from a database of stolen data.
The database contained around 40Gb of hacked data, mainly belonging to Greek and US military employees, which hints on the fact that the US State Department employees were the target of hackers, along with an Iranian-American humanitarian. That’s because some of the accounts shown in the leaked videos belong to Greek and US Navy staff.
The hackers also created a long list of hacked usernames and passwords against as many as 75 different websites from pizza delivery services and music and video streaming platforms to retail outlets and even banks.
“During the videos where the operator was validating victim credentials if the operator successfully authenticated against a site that was set up with multi-factor authentication (MFA), they paused and moved on to another set of credentials without gaining access,” IBM researchers said in their blog post.
We recommend that you secure all of your accounts with unique passwords and enable two-factor authentication, and limit access to other apps as much as possible to prevent them from hacking.