One of Iran's top hacking groups left a server exposed online, on which IBM security researchers found videos showing the group's operators "in action". The researchers consider these videos to be training material: recorded lessons in the hacking techniques the Iranian operators use, intended for "new recruits". The videos were recorded with a screen-recording application called Bandicam, which indicates they were captured deliberately by the operators themselves and not accidentally, for example by the group's own malware running on an infected machine. The videos show the operators performing various tasks and demonstrate the procedure a recruit is expected to follow to break into a victim's accounts, working from a list of compromised credentials. Email accounts were the primary targets; social media accounts were also accessed in cases where the operators held valid credentials for them.
The researchers describe this as a meticulous and well-thought-out process, with operators going through every account belonging to a targeted victim, regardless of how important that account or the victim's online profile was. The accounts accessed included, among others, the victim's accounts with music and video streaming services, delivery services, credit reporting agencies, banks, video game platforms and mobile phone companies.
The operators went through the settings of each account looking for personal information that might not appear in the victim's other online accounts, in an attempt to build as complete a profile as possible of each target. IBM does not detail how the operators obtained the credentials for each victim. It is therefore unclear whether they had infected the targets with malware or had bought the credentials on an underground market.
In some of the videos, the operators demonstrate techniques for exfiltrating data from each account. This includes extracting all of the target account's contacts, as well as photos and documents from linked cloud storage services such as Google Drive. IBM researchers note that in some cases the operators also used Google Takeout to export the full contents of the victim's Google account, including location history, Chrome data, and data from connected Android devices.
The operators then added the victim's email credentials to a Zimbra instance run by the group, which let them monitor multiple compromised accounts remotely from a single backend panel. Other videos show the operators creating sock-puppet email accounts, which IBM researchers believe the group will use in future attacks.
The researchers also say they identified some of the victims whose accounts appear in the leaked videos. These include a member of the US Navy and a Greek Navy officer.
The videos also show failed attempts to access target accounts, including those of US State Department officials. The attempts that failed mainly involved accounts protected by two-factor authentication (2FA), where a valid password alone was not enough to log in.
The researchers say the server on which they found the videos was part of the attack infrastructure of an Iranian group that IBM tracks as ITG18, better known as Charming Kitten, Phosphorus and APT35. It is one of the most active Iranian state-sponsored hacking groups. Its most recent campaigns include attacks on a US presidential campaign in 2020, as well as on US pharmaceutical companies during the COVID-19 pandemic.
Previous ITG18/APT35 campaigns have also targeted the US military, financial regulators and nuclear scientists, sectors that attracted Iranian interest because of growing military tensions between the two countries, the economic sanctions imposed on Iran, and Iran's nuclear program.