
Iran State Hacker Intelligence Swiped by IBM

2020-07-17 by Michelle Dvorak

Iran State Hacker Videos

Trove of Iranian How to Hack Videos and Data Found by IBM on Cloud Server

Iranian state-sponsored hackers left a treasure trove of data unsecured in cloud storage. The cache of information included hacker training videos and information stolen in cyber attacks. The 40GB of data offers insights into the methodology used in Iranian cyber attacks against US targets. The threat actors, known as ITG18, are believed to be behind cyber attacks on presidential campaigns.

IBM cyber security researchers say the data was obtained over a three-day period in mid-May 2020. The data was found on a misconfigured cloud service known to be controlled by an Iranian Advanced Persistent Threat group, APT35. The data included videos of compromised accounts belonging to an enlisted person in the United States Navy as well as an account belonging to an officer in the Hellenic Navy. Phishing attempts against US Department of State personnel are also documented.

Advanced Persistent Threat Group APT35

The hacking group carries the moniker ITG18 and is also known as Advanced Persistent Threat Group 35 (APT35), Charming Kitten, and Phosphorus. These threat actors are known for targeting US presidential campaigns, US government officials, and pharmaceutical companies. ITG18 has been active since at least 2013. Trademarks of their malicious cyber operations include email compromise attacks, credential harvesting, and attacks against targets of interest to Iran’s government.

“In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns,” says the report by Allison Wikoff, Strategic Cyber Threat Analyst, IBM Security.

Five Hours of How-to-Hack Videos

Within the almost five hours of videos, the threat actors are seen searching through and exfiltrating data from several compromised accounts belonging to an enlisted member of the U.S. Navy. Stolen personal information included the sailor’s residence, personal photos, and tax records. The actors downloaded everything from a personal cloud storage site.

The Iranian threat actors also videoed a compromised account belonging to an officer in the Hellenic Navy who has almost 20 years of service. Similar information was exfiltrated. The threat actor in the video verified account login credentials for all online accounts associated with the two compromised Navy personnel’s accounts. The hacker validated credentials for about 75 different websites across the two individuals.

If the hacker was challenged by multifactor authentication, they gave up and moved on.

Hacker Videos

The hacker videos showed:

  • Phishing attempts targeting the personal accounts of an Iranian American philanthropist, which ultimately bounced
  • Phishing attempts against U.S. State Department officials, which also bounced
  • Fake online personas and phone numbers with Iranian country codes used by ITG18 hackers
  • How-to videos detailing the steps to exfiltrate contacts from compromised email accounts, including AOL, Yahoo, and Gmail
  • Management of accounts created by the threat actor

One of the videos also showed the hacker deleting suspicious login notifications found in compromised email accounts.

The tranche of hacker data was swiped by IBM’s X-Force Incident Response Intelligence Services (IRIS). The cyber security researchers stated that timestamps in the videos indicate they were recorded in May 2020, just before the data was uploaded to the misconfigured server.

From the compromised accounts, the threat actor:

  • Downloaded email account contacts
  • Exported photos and documents from associated cloud storage sites, like Google Drive
  • Exfiltrated Google Account information such as location history, Chrome web browser data, as well as data from synced Android devices

“Some target types of ITG18 have remained consistent over the past three years while others appear associated with specific geopolitical events. For instance, while ITG18 has consistently targeted individuals with an Iranian connection over the past three years,” says the report by IBM.

How to Protect Yourself from Hackers

The report recommends the following actions to protect your personal and work online accounts.

  • Use multifactor authentication (MFA) – The videos show a threat actor moving on when presented with a multifactor authentication challenge. Using MFA can help protect your account because the hacker needs an additional factor, like authentication from a connected device, that they cannot easily obtain.
  • Use a Password Manager – The Iranian threat actors exported information and gained access to other online accounts from passwords stored in compromised web browsers. When you use a password manager, it helps you create strong passwords that are unique for every online account. The passwords are encrypted and stored so they cannot be harvested from Chrome’s saved passwords feature or from other web browsers that store passwords for users. Try this app from Password Keeper.
  • Review settings – Review settings on all of your devices. User accounts and apps should never be granted higher permissions than absolutely necessary to carry out their tasks. Don’t grant admin access to accounts that don’t really need it. If a hacker can compromise login credentials, they may be able to move around your device or compromise the network the device is connected to.
  • Limit access to third-party apps from your email – Many online services and social media apps offer easy login by connecting other online accounts. For example, you can use your Gmail to log into Pinterest, Spotify, or other online services. If your Gmail account is compromised, as seen in these videos, the hacker can easily access your other connected accounts. Use a unique email and password combination for all online accounts. A quality password manager app can securely store your login credentials.

Filed Under: News Tagged With: Iran

About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.
