Exposed Hacking Training Videos Provide Insight Into Hacking Ops
A state-sponsored hacking group linked to Iran has been caught red-handed, demonstrating how to break into email accounts and steal sensitive data.
The group accidentally exposed one of its own servers, which gave researchers at IBM’s X-Force Incident Response Intelligence Services (IRIS) team access to roughly five hours of video footage, amounting to more than 40GB. The videos appear to have been recorded directly from the operators’ screens.
The disclosure came shortly after U.S. authorities charged two Chinese hackers who allegedly went on a hacking spree targeting government systems, individual dissidents, hundreds of companies and COVID-19 researchers.
The researchers found the server in May 2020 and attributed it to the group tracked as ITG18, also known as Charming Kitten, Phosphorus, APT35 and NewsBeef. A basic misconfiguration left the server, which also hosted many of the domains the group uses, exposed for three days.
Who Is ITG18 and Who Did the Group Attack?
ITG18 is believed to have been active since 2011. Its targets have included the World Health Organization (WHO), President Donald Trump’s 2020 re-election campaign, and a range of activists, journalists and government agencies.
Some of the videos on the exposed server showed successful attacks against a member of the U.S. Navy and an officer in the Hellenic Navy, the naval force of Greece. They also show how the operators obtained, without being detected, a large amount of personal information, media files and financial details.
The activity was recorded with Bandicam, a commercial screen-recording application. The researchers believe the videos were made to train new recruits.
Decoding the 40GB Hacking Footage
IBM researchers discovered five videos with the straightforward names Gmail.avi, AOL.avi, Aol Contact.avi, Yahoo.avi and Hotmail.avi.
Each video walks through how the group uses stolen credentials for a particular email platform or social media account, and how a recruit then exports the account’s data.
In one video an operator makes an unsuccessful phishing attempt against the email accounts of an unnamed Iranian-American philanthropist, two U.S. State Department officials and an account associated with the U.S. Virtual Embassy Iran. Bounce-back messages visible in the operator’s inbox show that these spear-phishing emails were never delivered.
This sits alongside a different strand of Iranian-linked activity: the SamSam ransomware campaign, which hit corporate networks, universities, hospitals and government agencies around the world, was attributed by U.S. prosecutors to Iranian nationals, and the U.S. Treasury designated two Iran-based financial facilitators, Ali Khorashadizadeh and Mohammed Ghorbaniyan, for converting SamSam ransom payments, identifying them through digital-currency addresses that had been in use since 2013. SamSam, however, relied on network intrusion followed by ransomware deployment rather than the credential phishing seen in the ITG18 videos, so the two should not be conflated. The other three videos showed how ITG18 operators successfully compromised accounts belonging to the U.S. and Greek naval officers.
Notably, the operator followed the same steps shown in the generic training videos on personal accounts. Once inside a victim’s account, the operator immediately deleted the suspicious-login notifications so the victim would not be alerted.
The operator then exported contacts, documents and photos from cloud storage services including Google Drive. Some videos also showed the operators getting past two-factor authentication, a reminder that it is not a silver bullet for account protection: codes delivered by SMS or an authenticator app can be relayed through a real-time phishing page, which is why phishing-resistant hardware security keys are recommended for high-risk users.
The researchers also found that the operators collected seemingly inconsequential information, such as records relating to student financial aid, baby products and video games, and even the victim’s pizza delivery schedule.
Taken together, this information lets the operators build a detailed profile of the victim and target them more precisely.
Security Measures Need to Be Amped Up
The operators obtained critical data such as saved Chrome logins, personal photographs and location data. In the hands of a state, that information could reveal the location of military bases and, if the victim was careless with operational security, details of sensitive government operations.
It also gives the group intelligence on the victim’s employer, whether a private company or a government organization.
Avoid the Hacking
The videos show how much information an attacker can pull from a single compromised Google account. Good browsing hygiene helps, but account security needs specific attention.
Here are a few steps that make this kind of attack harder:
Avoid Clicking on Suspicious Links in Email or Texts
Attackers routinely send links to phishing pages or malware by email or text message. Because these messages look legitimate, many users click without realising they have just handed over their credentials.
A good rule of thumb is never to click such links directly. Instead, open a new tab, type the address of the company concerned yourself, and check whether the official site shows the same information the message claims. Before clicking anything, compare the text of the link with where it actually points: a mismatch between the domain shown and the domain in the address, a raw IP address, or a look-alike domain are all warning signs.
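The link checks described above, as an added example that is not part of the original article or of IBM’s report. It parses the anchors out of a constructed HTML e-mail body, compares the domain named in the visible link text with the domain the href actually goes to, and flags raw IP hosts, punycode (IDN) hosts and plain-http links. The sample message and all domain names in it are made up for illustration; the registrable-domain helper uses a two-label approximation rather than the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the leaked videos): one honest link
# and three lures of the kinds the advice above tells readers to check for.
SAMPLE_EMAIL_HTML = """
<p>Unusual sign-in activity was detected on your account.</p>
<a href="https://accounts.google.com/signin">Sign in to Google</a>
<a href="https://accounts-google.example.net/login">https://accounts.google.com/</a>
<a href="http://203.0.113.7/verify">Verify your Yahoo mailbox</a>
<a href="https://xn--gogle-1ya.com/reset">google.com password reset</a>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Last two labels only; a real tool would consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A domain name that appears in the visible link text (with or without scheme).
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def assess_link(href, text):
    """Return the list of reasons a link looks like a lure; empty means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if _IPV4_HOST.match(host):
        reasons.append("href host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("href host uses punycode (possible IDN homograph)")
    match = _DOMAIN_IN_TEXT.search(text)
    if match:
        shown = registrable_domain(match.group(1))
        if host and shown != registrable_domain(host):
            reasons.append(f"link text shows {shown} but href goes to {host}")
    if parsed.scheme == "http":
        reasons.append("plain http link")
    return reasons


def scan_email(html):
    """Map each href in the message to its list of findings."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", findings or "ok")
```

Only the genuine Google sign-in link comes back clean; the other three are each flagged for at least one of the reasons above. The same checks work on the `href` of any anchor you hover over in a mail client, which is the manual version of this script.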
Use a Password Manager and Two-Factor Authentication
Despite the ongoing debate about their security, passwords remain the primary way most accounts are protected. Use a password manager to generate and store a unique, strong password for every login.
Attackers use a tactic known as credential stuffing: usernames and passwords stolen in one breach are replayed against as many other services as possible, which works precisely because people reuse passwords.
Two-factor authentication adds another layer, so a stolen or guessed password alone is not enough to log in. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or phished.
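Credential stuffing, as described above, has a recognisable shape on the server side: one source tries many different usernames in a short time, almost all of them failing, and occasionally one succeeds. The following detector is an added example, not code from the article or from IBM, run over a constructed authentication log whose line format, IP addresses and usernames are all made up for illustration. It slides a time window over each source’s events and reports sources that exceed a distinct-user threshold with a high failure ratio, together with any account that logged in successfully from that source, since that is the account to lock and reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the IBM report). The first
# source replays a stolen credential list against many accounts and lands one;
# the second is one user mistyping a password; the third is ordinary traffic.
SAMPLE_AUTH_LOG = """\
2020-07-16T10:00:01Z src=198.51.100.9 user=alice result=FAIL
2020-07-16T10:00:02Z src=198.51.100.9 user=bob result=FAIL
2020-07-16T10:00:02Z src=198.51.100.9 user=carol result=FAIL
2020-07-16T10:00:03Z src=198.51.100.9 user=dave result=FAIL
2020-07-16T10:00:03Z src=198.51.100.9 user=erin result=SUCCESS
2020-07-16T10:00:04Z src=198.51.100.9 user=frank result=FAIL
2020-07-16T10:00:10Z src=203.0.113.4 user=grace result=FAIL
2020-07-16T10:00:15Z src=203.0.113.4 user=grace result=FAIL
2020-07-16T10:00:20Z src=203.0.113.4 user=grace result=SUCCESS
2020-07-16T10:05:00Z src=192.0.2.77 user=heidi result=SUCCESS
"""

# Hypothetical log format used for this example only.
_LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_auth_log(text):
    """Parse lines into (timestamp, src_ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any `window`, try at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`.

    Returns {src_ip: {"users": n, "attempts": n, "failures": n,
                      "compromised": [usernames that logged in successfully]}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                prev = findings.get(src)
                if prev is None or len(users) > prev["users"]:   # keep the widest window
                    findings[src] = {
                        "users": len(users),
                        "attempts": len(win),
                        "failures": failures,
                        "compromised": sorted({e[2] for e in win if e[3] == "SUCCESS"}),
                    }
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {f['users']} users, {f['failures']}/{f['attempts']} failed, "
              f"compromised={f['compromised']}")
```

On the sample log only 198.51.100.9 is reported, with erin as the account that was actually opened; grace’s three attempts from one address are a forgotten password, not an attack. The thresholds are deliberately parameters: a public login endpoint will need a larger window and a higher user count than an internal one.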
Use a Strong and Reputable Antivirus
A reputable antivirus or endpoint-protection product gives you real-time detection of malware delivered through phishing attachments and drive-by downloads, and most will block known phishing pages. It does not, however, protect against attacks on servers such as SQL injection or DDoS, and it cannot stop you from typing your password into a convincing fake login page, so it complements rather than replaces the measures above.
Secure Your Wi-Fi and Router
Whether you’re a small business owner, a freelancer or the CEO of a large company, it’s crucial to know who and what is on your network so you can prevent unauthorized access. Change the router’s default admin password, keep its firmware updated, use WPA2 or WPA3 with a strong passphrase that isn’t easy to crack, and disable remote administration and WPS unless you need them.
Use a VPN on Your Computer and Your Phone
A virtual private network (VPN) encrypts the traffic between your device and the VPN provider, which protects it from anyone on the local network, for example on public Wi-Fi, and hides your IP address from the sites you visit. It does not make you anonymous, and it does nothing to stop credential phishing of the kind shown in the ITG18 videos. Choose a provider that uses modern protocols such as IKEv2/IPsec, OpenVPN or WireGuard; PPTP is cryptographically broken and L2TP provides no encryption on its own, so avoid services that still rely on them.
Even with all of these measures, the possibility of compromise never goes away. If you do become a victim, take the necessary cleanup and mitigation steps promptly: change passwords from a device you trust, revoke unfamiliar sessions and third-party app access, and check that account recovery options have not been altered. Quick action limits the damage.
Conclusion
This cold war between American and Iranian intelligence services has been going on for more than a decade, but the accidental leak of ITG18’s training videos gives governments everywhere useful insight into how such operators actually work, and a basis for strengthening their defences.
Nor is it only state-sponsored groups: many independent criminals have also become more active during the pandemic, with many businesses reporting a surge in attacks. Take matters into your own hands and prioritize your system’s security at all times.