A leak from a suspected Iranian hacker crew has revealed just how it’s snooping on American officials’ online lives by taking control of their Google accounts, according to IBM researchers. The same hackers have reportedly been linked with attacks on President Trump’s campaign staff, according to an IBM report shared with Forbes.
The 40 gigabyte leak was discovered in May by IBM X-Force IRIS, a cyber intelligence unit within the tech giant. A simple misconfiguration of a server had left the data wide open to anyone who could find the relevant web address. The most revealing information came in the form of training videos, one of which showed how the hackers, dubbed ITG18 (though more widely referred to as Charming Kitten), had breached the Google account of a U.S. Navy official.
There was also evidence of failed phishing attempts targeting the personal accounts of an Iranian-American philanthropist and officials of the U.S. State Department, including one associated with the U.S. Virtual Embassy to Iran. And the leak uncloaked a number of fake online personas that the hackers were using to target persons of interest, with one other victim being a member of Greece’s Hellenic Navy.
Allison Wikoff, senior cyber threat analyst at IBM, said that the military officials had been notified of the hacks. When Wikoff uncovered the leak in May with fellow IBM researcher Richard Emerson, she was astonished that training videos from an Iranian hacker crew had been spilled and at the speed at which the hackers could siphon off data from a Google account. She also found evidence Yahoo accounts were targeted.
“It was alarming just how quickly they were able to navigate through these different flavours of account,” Wikoff told Forbes. “They were just so fast at it… And it just, to me, it [indicated] they’ve been doing this a really long time and they’re really good at it.”
Wikoff said the leaky server had been used to host websites previously used by the Charming Kitten crew and so was directly linked to the Iranian group. She said it appears to be a large, well-resourced unit of the Iranian government or an entity working in the interests of the regime. “This is a pretty large operation. And the fact that they’re creating training videos, sort of speaks to the volume of people that are probably affiliated with it.”
By getting access to their Google accounts, the hackers could acquire a “plethora of information” on targeted individuals, including Chrome logins, location data, personal pictures and much more, Wikoff added. This could help Iran map out military bases or even gain information about sensitive government operations if the target has been lax with their operational security. Or it could be used for future, more personalized targeting of the same official. “So you can glean maybe where they lived and … you can build a very specific profile on the individuals that have been compromised as a part of this campaign.” And by looking through personal information it’s possible to get more intelligence on their employer, whether that’s the government or a private entity, she added. “The perimeter of an organisation doesn’t end when you log off and shut your computers the way that people work now. The perimeter is not just the organisation.”
Iran v. US cyber espionage
American and Iranian spies have been fighting a cold war from behind their keyboards for over a decade. Since the death of Iranian general Qassem Soleimani in an American airstrike in January, this covert cyberwar has heated up.
Google’s security team revealed in June that Charming Kitten had tried to break into the Gmail accounts of Trump’s campaign staff. Microsoft had previously warned that the same hackers had targeted the president’s staff.
Most recently, there were suspicions that explosions at Iran’s Natanz nuclear plant earlier this month were caused by U.S. cyber attacks. A Yahoo News report this week suggested the CIA had been granted more powers by President Trump to target adversaries such as Iran with destructive attacks.
Source » forbes