Open secret: Iranian spies accidentally leak videos of themselves showing how to hack and steal data from email accounts
- A video of Iranian-backed hackers training other hackers was accidentally uploaded
- The footage showed hackers combing through email accounts and copying data
- The footage was noticed by IBM’s X-Force security team and shared with Wired
- The rare insight into hacking has been compared to a poker player showing his hand
A group of Iranian hackers has been caught red-handed after leaking videos that show how they break into email accounts and steal data.
Investigators from IBM’s X-Force security team obtained approximately five hours of video footage that appears to have been shot directly from hackers’ screens.
The hackers work for a group that IBM tracks as ITG18 and that other security companies call APT35 or Charming Kitten.
The group is one of the most active state-sponsored espionage teams associated with the government of Iran.
“Things like this are a rare win for the defenders,” said Emily Crose, a former NSA employee who now works as a security researcher at the industrial security firm Dragos.
“It’s like playing poker and your opponents putting their entire hand flat on the table in the middle of the last flop.”
Investigators from IBM’s X-Force security team discovered the Iran-backed hackers’ footage in May
The leaked videos, seen by Wired, were found among 40 gigabytes of data that the hackers apparently stole from victim accounts, including those of US and Greek military personnel.
The data also suggested that the hackers targeted personnel at the United States Department of State and an unnamed Iranian-American philanthropist.
The files were all accidentally uploaded to an exposed server in May, at a time when IBM was already monitoring the machine.
The videos appear to be training demonstrations created by Iranian-backed hackers to show junior team members how to deal with hacked accounts.
They show the hackers logging into compromised Gmail and Yahoo Mail accounts, downloading their contents and exporting other Google-hosted data belonging to the victims.
Cyber security experts said such a view of Iranian operators at work was unprecedented.
“We never get this kind of insight into how threat actors really work,” said Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos.
She told Wired, “When we talk about observing hands-on activities, it’s usually because of incident response engagements or endpoint monitoring tools.
“Very rarely do we actually see the opponent on his own desktop. It is a completely different level of ‘hands-on-keyboard’ observation.”
The hackers broke into Yahoo and Google accounts and transferred their data within minutes
ITG18, also known as APT35 or Charming Kitten, is one of the most active state-sponsored espionage teams associated with the government of Iran
The researchers say the APT35 hackers appear to have stolen photos, emails, tax records and other personal information from both of the individuals targeted.
In some clips, the researchers say, the hackers can be seen working from a text document full of usernames and passwords for a long list of non-email accounts, from phone companies to banks.
Wikoff said they were surprised at how quickly the hackers worked.
Google account data was stolen in about four minutes, and a Yahoo account took less than three minutes.
“To see how adept they are at getting in and out of all these different webmail accounts and setting them up to exfiltrate, it’s just great,” she said.
“It’s a well-oiled machine.”
However, the researchers do not expect their findings to stop the group from hacking.