One of Iran’s top hacking groups has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action.
Discovered by IBM’s X-Force cyber-security division, researchers believe the videos are tutorials the Iranian group was using to train new recruits.
According to X-Force analysts, the videos were recorded with a screen-recording app named BandiCam, suggesting they were recorded on purpose and not accidentally by operators who got infected by their own malware.
The videos showed Iranian hackers performing various tasks and included steps on how to hijack a victim’s account using a list of compromised credentials.
Email accounts were primary targets, but social media accounts were also accessed if compromised account credentials were available for the target.
X-Force described the process as meticulous, with operators accessing each and every victim account, regardless of how unimportant the online profile.
This included accessing a victim’s accounts for video and music streaming, pizza delivery, credit reporting, student financial aid, municipal utilities, banks, baby product sites, video games, and mobile carriers, according to IBM X-Force. In some cases, operators validated credentials for at least 75 different websites across two individuals, they said.
Hackers accessed each account’s settings section and searched for private information that might not be included in other online accounts as part of their efforts to build a profile as complete as possible about each target.
IBM didn’t detail how the hackers obtained the credentials for each victim. It is unclear if the operators had infected the targets with malware that dumped passwords from their browsers, or if the operators had bought the credentials off the underground market.
In other videos, the operator also went through the steps to exfiltrate data from each account. This included exporting all account contacts, photos, and documents from associated cloud storage sites, such as Google Drive.
X-Force researchers say that in some cases, the operators also accessed a victim’s Google Takeout utility to export details such as the full content of their Google Account, including location history, information from Chrome, and associated Android devices.
When all was done, the operators also added the victim’s email credentials to a Zimbra instance operated by the Iranian group, which would allow the hackers to remotely monitor multiple accounts from one backend panel.
Other videos also showed the operators engaged in creating puppet email accounts that X-Force researchers believe the hackers would use for future operations.
X-Force says it was able to identify and later notify some of the victim accounts portrayed in the videos, which included an enlisted member of the United States Navy, as well as an officer in the Greek Navy.
The videos also showed failed attempts to access target accounts, such as the accounts of US State Department officials.
The videos where the account compromise attacks failed were usually for accounts that used two-factor authentication (2FA), researchers said in a report shared with ZDNet this week.
X-Force researchers said the server where they found all these videos was part of the attack infrastructure of an Iranian group they have been tracking as ITG18, but more commonly known as Charming Kitten, Phosphorous, and APT35.
The group has been one of Iran’s most active state-sponsored hacking crews. Some of the group’s more recent campaigns include attacks against a 2020 US presidential campaign but also US pharmaceutical executives during the COVID-19 pandemic.
Past ITG18/APT35 campaigns have also targeted US military, US financial regulators, and US nuclear researchers — areas of interest for the Iranian state due to the mounting military tensions between the two countries, the economic sanctions imposed on Iran, and Iran’s expanding nuclear program.