A state-sponsored hacking group linked to Iran accidentally exposed one of its servers, giving researchers access to roughly 40 GB of videos and other files associated with the threat actor’s operations.
The server, discovered in May by researchers at IBM X-Force Incident Response Intelligence Services (IRIS), belonged to a group tracked as ITG18, Charming Kitten, Phosphorous, APT35, and NewsBeef. The device, which hosted many domains used by the hackers, was accessible for three days due to a basic misconfiguration.
Researchers analyzed the files found on the server and uncovered nearly five hours of training videos recorded by the group’s members. Some of the videos showed viewers how to exfiltrate data from various online accounts, including contacts, images and files from associated cloud storage services.
ITG18, which has been active since at least 2011, has been known to target a wide range of entities, including the World Health Organization (WHO), government agencies, journalists, activists, and even presidential campaigns.
Some of the videos uncovered by IBM on the exposed server showed successful attacks against a member of the U.S. Navy and an officer in the Hellenic Navy, the naval force of Greece. The videos showed that the hackers managed to collect a significant amount of information on the two targets, including media files, personal information, and financial details, and they hacked tens of the victims’ online accounts.
“IBM X-Force IRIS did not find evidence of the two military members’ professional network credentials being compromised, and no professional information appears to have been included,” IBM said in a linked hackers accidentally exposed their files
