Trove of Iranian How to Hack Videos and Data Found by IBM on Cloud Server
Iranian state-sponsored hackers left a treasure trove of data unsecured in cloud storage. The cache included hacker training videos and information stolen in cyber attacks. The 40GB of data offers insights into the methodology used in Iranian cyber attacks against US targets. The threat actors, known as ITG18, are believed to be behind cyber attacks on presidential campaigns.
IBM cyber security researchers say the data was obtained over a three-day period in mid-May 2020. The data was found on a misconfigured cloud service known to be controlled by an Iranian Advanced Persistent Threat group, APT35. The data included videos of compromised accounts belonging to an enlisted person in the United States Navy as well as an account belonging to an officer in the Hellenic Navy. Phishing attempts against US Department of State personnel are also documented.
Advanced Persistent Threat Group APT35
The hacking group carries the moniker ITG18 and is also known as Advanced Persistent Threat Group 35, APT35, Charming Kitten, and Phosphorus. These threat actors are known for targeting US presidential campaigns, US government officials, and pharmaceutical companies. ITG18 has been active since at least 2013. Trademarks of their malicious cyber operations include email compromise attacks, credential harvesting, and attacks against targets of interest to Iran’s government.
“In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns,” says the report by Allison Wikoff, Strategic Cyber Threat Analyst, IBM Security.
Five Hours of How-to-Hack Videos
Within the almost five hours of videos, the threat actors are seen searching through and exfiltrating data from several compromised accounts belonging to an enlisted member of the U.S. Navy. Stolen personal information included the sailor’s residence, personal photos, and tax records. The actors downloaded everything from a personal cloud storage site.
The Iranian threat actors also videoed a compromised account belonging to an officer in the Hellenic Navy with almost 20 years of service. Similar information was exfiltrated. In the video, the threat actor tested the stolen login credentials against every online account associated with the two compromised Navy personnel, validating credentials for about 75 different websites across the two individuals.
If the hacker was challenged by multifactor authentication, they gave up and moved on.
The hacker videos showed:
- Phishing attempts targeting the personal accounts of an Iranian American philanthropist, which ultimately bounced
- Phishing attempts against U.S. State Department officials, which also bounced
- Fake online personas and phone numbers with Iranian country codes used by ITG18 hackers
- How-to videos detailing the steps to exfiltrate contacts from compromised email accounts, including AOL, Yahoo, and Gmail
- Management of threat actor created accounts
One of the videos also showed the hacker deleting suspicious login notifications found in compromised email accounts.
The tranche of hacker data was obtained by IBM’s X-Force Incident Response Intelligence Services (IRIS). The cyber security researchers stated that timestamps in the videos indicate they were recorded in May 2020, just before the data was uploaded to the misconfigured server.
From the compromised accounts, the threat actor:
- Downloaded email account contacts
- Exported photos and documents from associated cloud storage sites, such as Google Drive
- Exfiltrated Google Account information such as location history and Chrome web browser data, as well as data from synced Android devices
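As an added example that is not part of IBM’s report or this article, the following Python sketch shows how a defender could hunt for the post-compromise sequence described above (sign-in from an unfamiliar address, security-alert mail deleted, then bulk data exports) in account-activity events. The event format, account names, IP baseline and action names are all assumptions; the sample events are constructed, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-activity events (hypothetical format, not real logs):
# (timestamp, account, action, source IP). Modelled on the post-compromise steps
# the report describes: new sign-in, security-alert mail deleted, bulk exports.
SAMPLE_EVENTS = [
    ("2020-05-14T02:10:00", "sailor@example.com", "login", "203.0.113.5"),
    ("2020-05-14T02:11:30", "sailor@example.com", "delete_mail:security_alert", "203.0.113.5"),
    ("2020-05-14T02:12:00", "sailor@example.com", "export_contacts", "203.0.113.5"),
    ("2020-05-14T02:14:00", "sailor@example.com", "export_drive", "203.0.113.5"),
    ("2020-05-14T02:20:00", "sailor@example.com", "export_location_history", "203.0.113.5"),
    ("2020-05-14T09:00:00", "officer@example.com", "login", "198.51.100.7"),
    ("2020-05-14T09:30:00", "officer@example.com", "export_contacts", "198.51.100.7"),
]

# Assumed action names for bulk-export operations on the account.
EXPORT_ACTIONS = {"export_contacts", "export_drive",
                  "export_location_history", "export_browser_data"}

# Constructed baseline: IPs each account has signed in from before.
KNOWN_IPS = {"sailor@example.com": {"192.0.2.10"},
             "officer@example.com": {"198.51.100.7"}}


def find_takeover_sessions(events, known_ips, window=timedelta(minutes=30)):
    """Group events by (account, IP). Flag a session when the IP is new for the
    account and, within `window` of its first login, it either deletes a
    security-alert mail or performs two or more distinct export actions."""
    sessions = defaultdict(list)
    for ts, account, action, ip in sorted(events):  # ISO timestamps sort as text
        sessions[(account, ip)].append((datetime.fromisoformat(ts), action))
    alerts = []
    for (account, ip), evs in sessions.items():
        if ip in known_ips.get(account, set()):
            continue  # familiar source address; not the pattern being hunted
        logins = [t for t, a in evs if a == "login"]
        if not logins:
            continue
        start = logins[0]
        in_window = [a for t, a in evs if start <= t <= start + window]
        exports = sorted({a for a in in_window if a in EXPORT_ACTIONS})
        alert_deleted = "delete_mail:security_alert" in in_window
        if alert_deleted or len(exports) >= 2:
            alerts.append({"account": account, "ip": ip, "exports": exports,
                           "deleted_security_alert": alert_deleted})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed sample only the sailor’s session is flagged: the officer’s export comes from a known address and is treated as routine.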
“Some target types of ITG18 have remained consistent over the past three years while others appear associated with specific geopolitical events. For instance, while ITG18 has consistently targeted individuals with an Iranian connection over the past three years,” says the report by IBM.
How to Protect Yourself from Hackers
The report recommends the following actions to protect your personal and work online accounts.
- Use multifactor authentication (MFA) – The videos show a threat actor moving on when presented with a multifactor authentication challenge. Using MFA can help protect your account because the hacker needs an additional factor, such as authentication from a connected device, which they cannot obtain easily.
- Use a Password Manager – The Iranian threat actors exported passwords stored in compromised web browsers and used them to gain access to other online accounts. A password manager helps you create strong passwords that are unique for every online account. The passwords are encrypted and stored so they cannot be harvested from Chrome’s saved passwords feature or from other web browsers that store passwords for users. Try this app from Password Keeper.
- Review settings – Review settings on all of your devices. User accounts and apps should never be granted any higher permissions than absolutely necessary to carry out their tasks. Don’t grant admin access to accounts that don’t really need it. If a hacker can compromise login credentials, they may be able to move around your device or compromise the network the device is connected to.
- Limit access to third-party apps from your email – Many online services and social media apps offer easy login by connecting other online accounts. For example, you can use your Gmail account to log into Pinterest, Spotify, or other online services. If your Gmail account is compromised, as seen in these videos, the hacker can easily access your other connected accounts. Use a unique email and password combination for every online account. A quality password manager app can securely store your login credentials.