Allison Wikoff has spent years tracking suspected Iranian hackers, sifting through data they’ve left behind and analyzing their techniques. But in May, when her colleague stumbled upon a server with 40 gigabytes of the hackers’ training videos and online personas, Wikoff knew she had struck gold.
“[When] we started combing through all the data and video files we couldn’t believe what we were seeing,” said Wikoff, a cyber threat analyst on IBM’s X-Force security team. “This discovery brought a whole new meaning to observing ‘hands-on keyboard activity.’”
The nearly five hours of videos found on the server, which IBM reported publicly on Thursday, include evidence of a suspected Iranian hacker stealing data from the personal email and social media accounts of an enlisted member of the U.S. Navy and a Greek naval officer. The attacker managed to exfiltrate files on the military unit of the U.S. Navy member and their naval base, along with tax records and their personal data stored on a cloud server, according to IBM.
The research is a vivid reminder of the digital espionage that is an undercurrent of U.S-Iranian tensions in the Persian Gulf, and follows another big exposure of Iranian hacking data last year. It’s also a rare window into the training material for state-linked spies: The videos show a suspected Iranian operative demonstrating how to siphon off photos and cloud data from various platforms, IBM said.
A familiar foe
The server appears to belong to an Iranian government-linked hacking outfit that IBM calls ITG18, and which overlaps with groups known as Charming Kitten and Phosphorous. They are an important asset in Tehran’s far-flung spying operations, analysts say.
The same broad set of Iranian hackers tried, apparently unsuccessfully, to break into the email accounts of staffers of President Donald Trump’s reelection campaign, Google said in June. They’re also suspected of targeting a U.S. drug company developing treatments for COVID-19.
“While we cannot and will not comment on any specific case, within the Navy, we stress to all personnel…the necessity to think cybersecurity whenever they log on to any platform or account, official or personal,” a Navy spokesperson said in an emailed statement.
The military service has tried to shore up its cybersecurity after a scathing 2019 self-assessment that found that hackers had been relatively unimpeded in their years-long plundering of data from the department and its contractors. Those struggles include a 2013 breach by suspected Iranian hackers of the unclassified portion of the Navy Marine Corps Intranet. It took the Navy months to evict the intruders from the Navy’s internal computer network.
“We use required annual cybersecurity training, along with periodic reinforcement throughout each year, to drive the point home,” the Navy spokesperson said. “Additional training in the protection of personal identifiable information must also be completed each year.”
The stolen data could be valuable fodder for further Iranian espionage against the U.S. and Greek navies, which are allies. Richard Emerson, another IBM cyber threat analyst, said the heist was a “significant amount of data that [could be used for] future spear phishing operations.”
The Iranian hackers also apparently tried, unsuccessfully, to breach the personal email accounts of two U.S. State Department officials, IBM said.
This isn’t the first time that a trove of public data has exposed Iranian hacking operations. In the spring of 2019, another Iranian group known as OilRig had their hacking tools, IP addresses and alleged victims leaked on the online messaging platform Telegram.
But despite those exposures, Wikoff said that many of the hackers haven’t changed their tactics or techniques — a sign that they are effective.
“ITG18 is a great example as there have been multiple disclosures and reports on their operations yet very little changes to how they execute their campaigns,” Wikoff told CyberScoop.
UPDATE, 07/17/20, 10:00 a.m. EDT: This story has been updated with a statement from the Navy.