You are the news now


VOTE  (0)  (0)

Iranian Spies Accidentally Leaked a Video of Themselves Hacking

Added 07-16-20 06:06:03am EST - “IBM's X-Force security team obtained five hours of APT35 hacking operations, showing exactly how the group breaks into email accounts” -


Posted By TheNewsCommenter: From “Iranian Spies Accidentally Leaked a Video of Themselves Hacking”. Below is an excerpt from the article.

When security researchers piece together the blow-by-blow of a state-sponsored hacking operation, they're usually following a thin trail of malicious code samples, network logs, and connections to faraway servers. That detective work gets significantly easier when hackers record what they’re doing and then upload the video to an unprotected server on the open internet. Which is precisely what researchers at IBM say a group of Iranian hackers did.

Researchers at IBM's X-Force security team revealed today that they've obtained roughly five hours of video footage that appears to have been recorded directly from the screens of hackers working for a group IBM calls ITG18, and which other security firms refer to as APT35 or Charming Kitten. It's one of the most active state-sponsored espionage teams linked to the government of Iran. The leaked videos were found among 40 gigabytes of data that the hackers had apparently stolen from victim accounts, including US and Greek military personnel. Other clues in the data suggest that the hackers targeted US State Department staff and an unnamed Iranian-American philanthropist.

The IBM researchers say they found the videos exposed due to a misconfiguration of security settings on a virtual private cloud server they'd observed in previous APT35 activity. The files were all uploaded to the exposed server over a few days in May, just as IBM was monitoring the machine. The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts. They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, as well as exfiltrating other Google-hosted data from victims.

This sort of data exfiltration and management of hacked accounts is hardly sophisticated hacking. It's more the kind of labor-intensive but relatively simple work that's necessary in a large-scale phishing operation. But the videos nonetheless represent a rare artifact, showing a first-hand view of state-sponsored cyberspying that's almost never seen outside of an intelligence agency.

"We don't get this kind of insight into how threat actors operate really ever," says Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos. "When we talk about observing hands-on activity, it’s usually from incident response engagements or endpoint monitoring tools. Very rarely do we actually see the adversary on their own desktop. It's a whole other level of 'hands-on-keyboard' observation."


If you don't see any comments yet, congrats! You get first comment. Be nice and have fun.