Active and publicly tracked since at least 2014, the Iranian state-backed hacking group ITG18 (also known as Charming Kitten, Phosphorus, or APT35) accidentally exposed its own operating methods when a misconfiguration on one of its virtual private cloud servers left the contents readable. The group specializes in intelligence gathering and espionage against high-ranking targets in the United States and the Middle East: military personnel, diplomats, financial institutions, and telecommunications companies.
The exposed server held roughly 40GB of data, including about five hours of screen-recorded video and a trove of stolen data. The recordings appear to have been made as training material, walking an operator step by step through the group's procedures.
The videos show operators using the group's tools to get into victims' accounts and devices with stolen credentials, copies of which were also present in the leak. The initial access shown is spear-phishing: multiple emails sent to the targeted person. Some carry malicious attachments; others try to get the victim to grant a malicious or compromised third-party application access to their account through an OAuth-style consent prompt, so no password ever has to be stolen.
The researchers who reported the leak confirmed that the operators had access to a long list of stolen credentials spanning 75 websites, ranging from financial institutions to video and music streaming services and other low-value accounts. The material also includes instructions and documentation on pulling photos, contacts, documents, and other sensitive data out of a victim's Google account. Rather than downloading files one by one, the operators use the victim's own compromised Google account to request an export through Google Takeout, a legitimate Google feature that packages the account's data for download, and then move the archive to storage they control. More worrying, the videos show the operators working around multi-factor authentication on the victim's accounts and deleting the "suspicious sign-in" notification emails that would otherwise tip the victim off.
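The pattern just described (a sign-in from an unfamiliar device, followed shortly by a Google Takeout export and the deletion of the security-alert email) is detectable in account activity logs. The following is an added example, not code from the original report or from IBM, that runs a simple correlation over constructed sample events in an assumed "timestamp|user|kind|detail" format; the field names and the sample log lines are assumptions for illustration and are not Google's audit log schema.

```python
"""Correlate new-device logins with Google Takeout exports and deleted
security-alert emails, the sequence seen in the ITG18 training videos.

Added example. The log format, event kinds and sample lines below are
constructed assumptions, not a real Google Workspace audit log schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str    # assumed kinds: "login", "takeout_export", "mail_delete"
    detail: str


def parse_events(lines):
    """Parse constructed 'ts|user|kind|detail' lines into Event records."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, kind, detail = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), user, kind, detail))
    return events


# Constructed sample, not a real audit log. The first account shows the
# ITG18 sequence; the second is a user exporting their own Drive normally.
SAMPLE_LOG = """\
# ts|user|kind|detail
2020-07-10T02:14:00|diplomat@example.org|login|new_device ip=198.51.100.23
2020-07-10T02:21:00|diplomat@example.org|mail_delete|subject=Security alert: new sign-in
2020-07-10T02:40:00|diplomat@example.org|takeout_export|services=drive,contacts,photos
2020-07-10T09:05:00|analyst@example.org|login|known_device ip=203.0.113.8
2020-07-10T09:30:00|analyst@example.org|takeout_export|services=drive
"""


def find_suspicious(events, window=timedelta(hours=6)):
    """Return (user, login_ts, reasons) for each new-device login that is
    followed within `window` by a Takeout export and/or deletion of a
    security-alert email. Reasons are listed in chronological order."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, login in enumerate(evs):
            if login.kind != "login" or not login.detail.startswith("new_device"):
                continue
            reasons = []
            for follow in evs[i + 1:]:
                if follow.ts - login.ts > window:
                    break
                if follow.kind == "takeout_export":
                    reasons.append("takeout_export " + follow.detail)
                elif (follow.kind == "mail_delete"
                      and "security alert" in follow.detail.lower()):
                    reasons.append("security alert deleted")
            if reasons:
                findings.append((user, login.ts, reasons))
    return findings


def severity(reasons):
    """Both the export and the alert deletion together are the strongest
    signal; either one alone after a new-device login is still worth a look."""
    has_export = any(r.startswith("takeout_export") for r in reasons)
    has_delete = "security alert deleted" in reasons
    return "high" if has_export and has_delete else "medium"


if __name__ == "__main__":
    for user, ts, reasons in find_suspicious(parse_events(SAMPLE_LOG.splitlines())):
        print(f"{severity(reasons).upper()} {user} login at {ts}: {'; '.join(reasons)}")
```

The analyst's own export is not flagged because it follows a login from a known device; in practice the "new device" signal would come from whatever your identity provider records for an unrecognised client, and the alert-deletion check should also match the localized subject lines your provider actually sends.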
As one would expect, the intelligence the group gathered was concentrated on the prominent individuals and organizations named in its target lists. Even though its methods are now public, the videos also show the group actively refining its techniques for more effective intrusions.
The exposure of this well-known threat group's tradecraft gives defenders a rare look at how its operators actually work, and security teams should review the findings to strengthen the controls on the networks they manage. In particular, tighter credential management (unique passwords, phishing-resistant multi-factor authentication, and monitoring of sign-in alerts) and restrictions on which applications users may install or authorize against their accounts will blunt the spear-phishing that gives this group its initial foothold.