OPSEC mistake exposed APT35 hacking operations
Iranian-backed hackers accidentally exposed 40 GB of data including video footage of themselves conducting hacking operations due to a misconfiguration of security settings on a virtual private cloud server.
Because of this mistake, researchers from IBM's X-Force Incident Response Intelligence Services (IRIS) team were able to sneak a peek at the hacking methods of the ITG18 group (aka APT35 or Charming Kitten).
APT35, which has been active since at least 2013, primarily targets individuals and entities of strategic interest to the Iranian government using phishing attacks and email compromise operations.
In May, IRIS discovered the 40 GB of data files being uploaded to a server the researchers were monitoring, which hosted numerous APT35 domains previously observed in other campaigns of the group. The data, apparently stolen from victims including US and Greek military personnel, contained nearly five hours of video showing an operator “searching through and exfiltrating data from various compromised accounts of a member of U.S. Navy and a personnel officer with nearly two decades of service in Hellenic Navy.” Other clues in the data suggest that APT35 also targeted an Iranian-American philanthropist and officials of the U.S. State Department.
The uncovered videos appear to be training demonstrations on how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.
“In five of the video files, named ‘AOL.avi’, ‘Aol Contact.avi’, ‘Gmail.avi’, ‘Yahoo.avi’, ‘Hotmail.avi’, the operator uses a Notepad file containing one credential for each platform, and video-by-video copied and pasted them into the associated website. The operator moved on to demonstrate how to exfiltrate various datasets associated with these platforms including contacts, photos, and associated cloud storage,” the report said.
The operator then added the hacked accounts to Zimbra, a collaboration platform that includes an email server and a web client, by modifying settings in the security section of each account. This allowed the operator to monitor and manage many compromised email accounts at once from a single client.
Three of the discovered clips revealed that the group had breached a number of accounts associated with an enlisted member of the United States Navy as well as an officer in the Hellenic Navy. After gaining access to an account, the operator deleted the notifications sent to the compromised account warning of suspicious logins, so as not to alert the victim.
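The deleted-alert trick above leaves a trace that an incident responder can look for: provider security alerts that sit in Trash rather than Inbox. The following script is an added example, not code from the IBM report or from the threat group; it parses a Google Takeout-style mbox export (the X-Gmail-Labels header, the no-reply@accounts.google.com sender, and the subject keywords are assumptions to adjust per provider) and reports any security alert that was moved to Trash or Spam. The sample mailbox is constructed for the demonstration.

```python
"""Find account security alerts that were deleted from a (possibly compromised) mailbox.

Assumption: the input is a Google Takeout-style mbox, where every message carries an
X-Gmail-Labels header listing its labels (e.g. "Inbox", "Trash"). Sender addresses and
subject keywords are assumptions to tune for other providers.
"""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed sender of account-security notifications; add other providers as needed.
ALERT_SENDERS = {"no-reply@accounts.google.com"}
# Assumed subject fragments that mark a notification as security-relevant.
ALERT_SUBJECT_HINTS = ("security alert", "new sign-in", "less secure app", "imap")
# Labels that mean the victim (or the intruder) removed the alert from view.
SUPPRESSED_LABELS = {"Trash", "Spam"}


def parse_messages(raw_mbox: str) -> list:
    """Split an mbox-formatted string on its 'From ' separator lines and parse each message."""
    chunks, current = [], []
    for line in raw_mbox.splitlines():
        if line.startswith("From ") and current:      # envelope line starts a new message
            chunks.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current))
    messages = []
    for chunk in chunks:
        body = chunk.split("\n", 1)[1] if chunk.startswith("From ") else chunk
        messages.append(email.message_from_string(body, policy=policy.default))
    return messages


def is_security_alert(msg) -> bool:
    """True when the message comes from an alert sender and its subject looks like an alert."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).lower()
    return sender in ALERT_SENDERS and any(hint in subject for hint in ALERT_SUBJECT_HINTS)


def labels(msg) -> set:
    """Parse the comma-separated X-Gmail-Labels header into a set of label names."""
    return {l.strip() for l in str(msg.get("X-Gmail-Labels", "")).split(",") if l.strip()}


def find_suppressed_alerts(raw_mbox: str) -> list:
    """Return security alerts whose labels show they were trashed or marked as spam."""
    findings = []
    for msg in parse_messages(raw_mbox):
        if not is_security_alert(msg):
            continue
        lbl = labels(msg)
        if lbl & SUPPRESSED_LABELS:
            findings.append({
                "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
                "subject": str(msg["Subject"]),
                "labels": sorted(lbl),
            })
    return findings


# Constructed sample mailbox: one ordinary mail, one alert left in Inbox,
# one alert that was moved to Trash (the pattern described in the article).
SAMPLE_MBOX = """\
From colleague@example.invalid Mon Jun  1 09:00:00 2020
From: Colleague <colleague@example.invalid>
To: victim@example.invalid
Subject: Lunch?
Date: Mon, 01 Jun 2020 09:00:00 +0000
X-Gmail-Labels: Inbox

Free at noon?

From no-reply@accounts.google.com Mon Jun  1 10:00:00 2020
From: Google <no-reply@accounts.google.com>
To: victim@example.invalid
Subject: Security alert
Date: Mon, 01 Jun 2020 10:00:00 +0000
X-Gmail-Labels: Inbox

New sign-in from a Windows device.

From no-reply@accounts.google.com Mon Jun  1 10:05:00 2020
From: Google <no-reply@accounts.google.com>
To: victim@example.invalid
Subject: Security alert
Date: Mon, 01 Jun 2020 10:05:00 +0000
X-Gmail-Labels: Trash

Access for less secure apps has been turned on.
"""

if __name__ == "__main__":
    for hit in find_suppressed_alerts(SAMPLE_MBOX):
        print(f"{hit['date']}  {hit['subject']!r}  labels={hit['labels']}")
```

Run it against a real Takeout export by reading the .mbox file into `find_suppressed_alerts`; a trashed alert about a new sign-in or a changed security setting, timestamped close to a login the victim does not recognise, is exactly the artefact the operator in the videos was trying to hide.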
“Regardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators. IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations,” the researchers noted.
“The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.”