Iran-Linked Hackers Exposed 40 GB of Their Files by Mistake


A state-sponsored hacking group linked to Iran inadvertently leaked one of its servers, giving researchers access to approximately 40 GB of videos and other files relevant to operations by the threat actor.

The server, which was discovered by IBM X-Force Incident Response Intelligence Services (IRIS) researchers in May, belonged to a group tracked as ITG18, Charming Kitten, Phosphorous, APT35 and NewsBeef. Because of a basic misconfiguration the device, which hosted many domains used by the hackers, was accessible for three days.

Researchers studied the files stored on the server and discovered nearly five hours of video training conducted by members of the community. Any of the videos taught viewers how to exfiltrate data from various online accounts including addresses, photographs and files from cloud storage services associated with them.

ITG18, which has been operating since at least 2011, is known to threaten a wide variety of organisations including the World Health Organization (WHO), government agencies, journalists, activists and even presidential campaigns.

Some of the videos uncovered on the exposed server by IBM have shown successful attacks on a US member. Navy and an officer of the Hellenic Navy, the naval power of Greece. The videos showed that the hackers managed to gather significant amounts of information about the two targets, including media files, personal information and financial details, and hacked tens of online accounts of the victims.

“IBM X-Force IRIS did not find proof of the two military members’ technical network credentials being compromised, and no relevant knowledge appears to have been included,” IBM said in a blog post. “However, it ‘s likely that the threat actor was looking for sensitive information inside the military members ‘ personal files that would allow ITG18 to expand their cyber espionage activity deeper into the U.S. and Greek Navy.”

In addition to the two Navy veterans, the leaked files revealed that Charming Kitten has threatened an Iranian-American philanthropist and officials in the U.S. State Department. However, these attempts evidently failed.

IBM researchers found out that the hackers did not seem to bother attempting to access accounts secured by two-factor authentication.

In some cases, the individuals filming the training videos appeared to use accounts they produced, and in some cases a telephone number with the country code +98 (the country code for Iran) was noticeable, strengthening the assumption that ITG18 is likely to operate outside of Iran.

“Whatever the motivation, the ITG18 operator’s mistakes enabled IBM X-Force IRIS to gain valuable insights into how this group could achieve its goals and train its operators otherwise,” IBM stated. “IBM X-Force IRIS considers ITG18 to be a definite threat group with considerable investment in its operations. Despite multiple public disclosures and broad reporting on its activity, the group has shown persistence in its operations and consistent creation of new infrastructure.”

Microsoft announced last year that it took ownership of 99 domains used by ITG18 after lodging a complaint against the hackers over their usage of domains that mimicked Microsoft and other companies’ services.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.