I Watched a Training Video for Iranian Hackers

PCMag (PC Magazine), Aug 6, 2021

I may not be ready to work for a state-sponsored hacking group, but at Black Hat, I learned some surprising things about how these groups operate.

By Max Eddy

Security researchers rarely discuss the little mistakes hackers make, and they almost never get to show a hacking group's own training videos. But that is exactly what happened at this year's Black Hat, where a pair of researchers examined the eccentricities of an Iranian hacking group.

In 2020, Black Hat became an entirely remote conference due to the ongoing COVID-19 pandemic. This year, it’s a hybrid conference, with in-person events for attendees as well as online options for remote participants. PCMag is attending remotely.

A Not-So-Charming Kitten

IBM X-Force Senior Strategic Cyber Threat Analyst Allison Wikoff and X-Force Senior Threat Hunt Analyst Richard Emerson focused their research on a group IBM tracks as ITG18 (IBM Threat Group 18), which other organizations know under names such as Phosphorus and Charming Kitten.

The team has been keeping tabs on the group for well over a year. They believe ITG18 to be based in Iran and that its list of accomplishments is long and worrisome. ITG18 has gone after the usual targets—nuclear scientists and politicians—but also journalists and individuals working on COVID-19 vaccines. From these targets, ITG18 was able to obtain emails, photos, and even chat logs, the researchers said.

But they make mistakes, too. “Like anyone, the operators of ITG18 aren’t perfect,” said Emerson.

Those imperfections gave Wikoff and Emerson remarkable insight into the group. The pair discovered that ITG18 routinely left servers and directories open, allowing the researchers to pore over the data the group retrieved, as well as the tools they used. It also revealed some of the group’s more unusual quirks.

For instance, attackers typically want to keep their targets a secret. ITG18, on the other hand, had a document labeled “Targets” that included names and phone numbers. This, said Emerson, was not a best practice.

Keeping software up to date is a basic defense against attacks. Emerson and Wikoff discovered that ITG18 had failed to do so and had been hit with ransomware as a result. “We saw a nation-state operator’s infrastructure get ransomware’d due to bad security practices,” said Wikoff. “God, I love my job when things like this happen.”

Mandatory Training

The most surprising discovery the researchers made was over four hours of videos, including tutorials prepared to train new ITG18 members. It’s a reflection of the professionalization of nation-state hacking that something as mundane as required training videos exist for professional bad guys.

The videos shown at Black Hat began with a dark Windows desktop. Wikoff explained that each starts with the presenter turning on a piece of recording software called Bandicam. Wikoff wryly noted that while you can pay for Bandicam, ITG18 did not.

A screenshot of the ITG18 training video, taken from Wikoff and Emerson’s presentation

The video went on to show the attacker logging into Gmail and Yahoo Mail and configuring the accounts to work with the Zimbra email collaboration platform. It was a strange experience, watching a hacker open a Notepad file to copy and paste usernames and passwords for their fake accounts, storing credentials in plain text, precisely what security experts warn you not to do.

Wikoff and Emerson noted how these training videos and little mistakes humanized ITG18. The hackers stumbled in typing URLs, and struggled to convince CAPTCHAs that they were real people. Wikoff said it was a “great reminder that threat actors are human, too.”

Threat Actors Are Still Threatening

While the vision of bumbling state-sponsored hackers kept the presentation light, Wikoff and Emerson were quick to point out that despite their foibles, ITG18 remains dangerous. “While they’re not particularly sophisticated, they’re still successful,” said Emerson.

In one example from ITG18’s vast collection of stolen data, the researchers found location data precise enough to see which restaurants the victim visited at Epcot, as well as the US Army bases the victim frequented. Using Google Takeout, Google’s own data-export tool, ITG18 had even pulled recordings of the victim asking questions to the Google Assistant.

“To put it bluntly, we think this is a very large operation,” said Wikoff. Large enough, they believe, to process huge amounts of stolen data and quickly switch between short-term and long-term targets. Also large enough, and with high enough turnover, to warrant making training videos.

Toward the end of their presentation, Wikoff urged attendees to help normalize the use of multi-factor authentication. “We can’t drive this point home enough,” said Wikoff. Multi-factor authentication (MFA; two-factor authentication, or 2FA, is its most common form) would have blocked the password-only account takeovers that fuel ITG18’s work.

This is good advice, and it also solves a mystery. The researchers found evidence going back four years that suggested ITG18 hadn’t changed its tactics. You might ask how that’s possible, when each year brings new technology promising to make our lives safer and easier. The answer is simple: They didn’t need to get more sophisticated because their targets—people like you and me—kept falling for the same old tricks.

Originally published at https://www.pcmag.com.
