Researchers at IBM X-Force Incident Response Intelligence Services (IRIS) discovered an unsecured server belonging to Iran-linked APT35 group (aka ITG18, Charming Kitten, Phosphorous, and NewsBeef) containing data for many domains managed by the threat actor.
The server was reachable for three days, giving the opportunity to the researchers to analyze its content.
“Now, due to operational errors—a basic misconfiguration—by suspected ITG18 associates, a server with more than 40 gigabytes of data on their operations has been analyzed by X-Force IRIS analysts.” reads the analysis published by IBM.
The experts found several files on the server, roughly five hours of training videos recorded by the APT group.
Some of the videos were showing how to exfiltrate data (i.e. contacts, images, and files) from various online accounts associated cloud storage services.
Some of the videos show successful attacks against a member of the U.S. Navy and an officer in the Hellenic Navy, the naval force of Greece. The hackers collected a significant amount of information from both targets.
Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.
The group has been known to target a wide range of organizations and government agencies worldwide.
“IBM X-Force IRIS did not find evidence of the two military members’ professional network credentials being compromised, and no professional information appears to have been included.” continues IBM. “However, it’s possible that the threat actor was searching for specific information within the military members’ personal files that would allow ITG18 to extend their cyber espionage operation further into the U.S. and Greek Navy.”
Some of the leaked files showed that the APT35 group has also targeted an Iranian-American philanthropist and officials in the U.S. Department of State. Fortunately, in both cases, the operations conducted by the group failed.
Other videos demonstrate that the hackers of the APT35 group were not attempting to validate credentials against sites that were set up with multifactor authentication.
IBM X-Force experts noticed that video displayed profile details for a fake persona used for the attack (referenced as “Persona A”) including a phone number with a +98 country code that is assigned to Iran.
“Regardless of motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators,” IBM concluded. “IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations. The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.”
(SecurityAffairs – hacking, APT35)