IBM’s X-Force security team obtained roughly five hours of video footage apparently recorded from the screens of hackers, showing how to break into email accounts and steal data. The IT giant believes the culprits work for a group it calls ITG18, which other security firms have codenamed APT35 or Charming Kitten, and which the US believes is closely connected to Iran’s ruling theocracy.
Allison Wikoff, a senior analyst at IBM X-Force, told tech website Wired: “When we talk about observing hands-on activity, it’s usually from incident response engagements or endpoint monitoring tools.
“Very rarely do we actually see the adversary on their own desktop.
“It’s a whole other level of ‘hands-on-keyboard’ observation.
“To see how adept they are at going in and out of all these different webmail accounts and setting them up to exfiltrate, it is just amazing. It’s a well-oiled machine.”
Emily Crose, a security researcher with cyber security firm Dragos, likewise said the team’s success was unprecedented.
She added: “This kind of thing is a rare win for the defenders.”
All the data was accidentally uploaded to an exposed server at the precise moment IBM was monitoring the machine in May.
The clips seem to be training demonstrations that the hackers show to junior team members.
They show Gmail and Yahoo Mail accounts being broken into before their contents are downloaded, as well as other illegal activity.
Experts believe the Charming Kitten hackers stole photos, emails, tax records, and other personal info from both of the individuals who were targeted.
In May, cybersecurity experts claimed hackers linked to Iran targeted staff at US drugmaker Gilead Sciences Inc as the company raced to deploy a treatment for the COVID-19 virus.
In one case, a fake email login page intended to steal passwords was sent in April to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses.
Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, who monitors Iranian hacking activity and has investigated the attacks, said the attempt was part of an effort by an Iranian group to compromise email accounts of staff at the company using messages which impersonated journalists.
Iran’s mission to the United Nations denied any involvement in the attacks.
Alireza Miryousefi said: “The Iranian government does not engage in cyber warfare.
“Cyber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure.”
High profile Twitter accounts including those of Democratic Presidential candidate Joe Biden were reportedly hacked this week – although the US Government has yet to determine who was responsible.