IBM X-Force Incident Response Intelligence Services (IRIS) security researchers have uncovered approximately 40 GB of videos and other files belonging to a leading Iranian hacking group.
According to the IBM X-Force IRIS researchers, the archive contained about five hours of training video that appears to have been recorded directly from the screens of operators working for the state-linked group IBM calls ITG18 (also known as APT35), which has been associated with the targeting of pharmaceutical companies and the US presidential campaign.
IBM X-Force IRIS discovered the 40 GB of video and data files during a three-day period in May 2020, on a server hosting several ITG18 domains that had been used in activity earlier in 2020.
“It is rarely possible to understand how the operator operates behind the keyboard, and there are still rarer recordings showing its operations generated by the operator. However, that’s precisely what X-Force IRIS uncovered on an ITG18 operator, which gives a unique backstage view of its methods and possibly its legacy for a broader operation that is likely to be underway,” said Wikoff, a strategic cyber threat analyst at IBM Security.
The compromised accounts in the files belonged to several victims, including a member of the US Navy and a staff officer with almost two decades of service in Greece’s Hellenic Navy. The files also included failed phishing attempts against the personal accounts of an anonymous Iranian-American philanthropist and against US State Department officials.
“Several of the videos showed the adversary accounts user, while others showed the access tester and exchanging data from previously compromised accounts,” the researchers said.
The video files that IBM X-Force IRIS found were screen recordings ranging from 2 minutes to 2 hours in length, made with a screen-recording tool called Bandicam. The file timestamps suggested the videos were captured roughly one day before being uploaded to the server run by ITG18.
In five of the video files, named “AOL.avi,” “Aol Contact.avi,” “Gmail.avi,” “Yahoo.avi,” and “Hotmail.avi,” the operator works from a Notepad file containing one credential for each platform and, video by video, copies and pastes it into the corresponding website. The operator then shows how various data associated with these accounts, including addresses, images, and linked cloud storage, could be exfiltrated.
The operator also changed the settings in each account’s account-protection section and added the accounts to Zimbra, a legitimate email collaboration platform that can aggregate multiple email accounts in one GUI. With Zimbra, the operator was able to track and handle the separate compromised email accounts simultaneously.
Other operator accounts visible in the training videos yielded further details about people affiliated with ITG18, such as telephone numbers with Iran’s country code.
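The sequence described above, a login with a reused credential, a change to the account’s protection settings, and then a third-party mail client pulling the mailbox, is a pattern a mailbox provider or an enterprise mail administrator can hunt for in account audit logs. The following detection is an added example and not code from IBM X-Force IRIS or from any mail platform; the event schema (timestamp, account, event type, source IP), the event names, and the sample audit lines are all constructed for illustration.

```python
"""Flag accounts showing the takeover chain: login from an unfamiliar source,
then a security-settings change and a new mail-client (e.g. IMAP) connection
within a short window. Event schema and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, account, event, source_ip).
SAMPLE_EVENTS = [
    ("2020-05-01T08:00:00", "alice@example.com", "login", "203.0.113.5"),
    ("2020-05-01T08:01:10", "alice@example.com", "security_settings_changed", "203.0.113.5"),
    ("2020-05-01T08:03:40", "alice@example.com", "imap_client_connected", "198.51.100.9"),
    ("2020-05-01T09:00:00", "bob@example.com", "login", "192.0.2.10"),
    ("2020-05-01T09:30:00", "bob@example.com", "imap_client_connected", "192.0.2.10"),
]

# Constructed baseline of source IPs each account has historically used.
KNOWN_SOURCES = {
    "alice@example.com": {"192.0.2.44"},
    "bob@example.com": {"192.0.2.10"},
}

# Hypothetical tuning value: how soon after the login the follow-on actions must occur.
WINDOW = timedelta(minutes=30)

# Both follow-on actions must appear for the chain to be flagged.
CHAIN_EVENTS = {"security_settings_changed", "imap_client_connected"}


def parse_events(events):
    """Convert ISO-8601 timestamps to datetime objects; leave other fields as-is."""
    return [(datetime.fromisoformat(ts), acct, ev, ip) for ts, acct, ev, ip in events]


def detect_takeover_chain(events, known_sources, window=WINDOW):
    """Return {account: details} for accounts where a login from a source not in
    the account's baseline is followed, within `window`, by both a
    security-settings change and a new mail-client connection."""
    by_account = defaultdict(list)
    for ts, acct, ev, ip in parse_events(events):
        by_account[acct].append((ts, ev, ip))

    flagged = {}
    for acct, evs in by_account.items():
        evs.sort()  # chronological order per account
        for i, (ts, ev, ip) in enumerate(evs):
            # Only a login from an unfamiliar source starts a candidate chain.
            if ev != "login" or ip in known_sources.get(acct, set()):
                continue
            later = [e for e in evs[i + 1:] if e[0] - ts <= window]
            kinds = {e[1] for e in later}
            if CHAIN_EVENTS <= kinds:
                client_ips = sorted({e[2] for e in later if e[1] == "imap_client_connected"})
                flagged[acct] = {
                    "login_ip": ip,
                    "login_at": ts.isoformat(),
                    "client_ips": client_ips,
                }
    return flagged


if __name__ == "__main__":
    for acct, details in detect_takeover_chain(SAMPLE_EVENTS, KNOWN_SOURCES).items():
        print(f"{acct}: {details}")
```

On the constructed sample, alice@example.com is flagged (unfamiliar login source, settings change, and a mail client connecting from yet another IP inside the window) while bob@example.com is not, because the login came from a baseline source. In practice the baseline would be built from weeks of history rather than a hard-coded set, and the settings-change event would be the one a provider emits for recovery-address or forwarding changes.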
“Whatever the motivation, the ITG18 operator’s mistakes have enabled IBM X-Force IRIS to gain valuable insights into how this group could achieve its goals and train its operators elsewhere. IBM X-Force IRIS sees ITG18 as a potential threat group with substantial investment in its operations,” the researchers noted.
“Despite numerous public disclosures and extensive coverage of its activities, the organization has shown continuity in its operations and clear construction of new infrastructures.”