Iranian threat group ITG18 known for targeting pharmaceutical companies and the U.S. presidential campaigns. IBM referred to the group as ITG18, whereas the other security firms refer to as APT35 or Charming Kitten.
The group found to be active since 2013, the group is known for conducting sophisticated phishing attacks.
Training Video Exposed
IBM X-Force Incident Response Intelligence Services (IRIS) found a server associated with ITG18 associates that have more than 40 gigabytes of training video and other data.
An OPSEC failure with ITG18 operator exposes the inner working of threat actors and a way to have “a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation.”
The training videos mainly focused on creating accounts, operator testing access, and exfiltrating data from the compromised accounts.
Based on video files timestamps, the video’s found to be recorded approximately one day before being uploaded to the ITG18-operated server.
In the video, operators explain “how to exfiltrate various datasets associated with these platforms including contacts, photos, and associated cloud storage.”
“Some of the operator-owned accounts observed in the training videos provided additional insight into personas associated with ITG18, such as phone numbers with Iranian country codes.”
The videos also contain failed phishing attempts of targeting the personal accounts of an Iranian-American philanthropist and officials of the U.S. State Department.
The videos also exposed the persona accounts and Iranian phone numbers associated with ITG18 operators.
Based on the training materials it appears the operators are looking to gather trivial social information about the individuals.
To note: If the threat actors successfully authenticated against a site and if they have multifactor authentication (MFA) they stop the process and move on to other accounts.
The discovery shows the importance of Using Multifactor Authentication, Reset Your Passwords Periodically & using a Password Manager.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
