IBM's security team released an analysis report exposing an Iranian state-level hacking group. The report was based on roughly 40 GB of training videos that the group accidentally leaked.
The report says the advanced persistent threat group codenamed ITG18, also tracked as APT35, was confirmed to be an Iranian state-level team whose operations are funded by the Iranian state.
The group misconfigured a recently set-up server, exposing its training tutorials, attack case studies and some of the data it used on the Internet.
After analysis, the researchers found that the leaked data consisted mainly of about five hours of training video, edited and split into separate segments for training purposes.
The demo videos show the group attempting phishing attacks against officials of the US State Department and a philanthropist; some attacks also targeted members of the US and Greek navies.
The group mainly uses phishing to obtain targets' email and social-network credentials, then uses those credentials to log in to the victims' accounts.
The training video also instructs operators to delete suspicious-login notifications after logging in so that victims do not notice the intrusion. The main focus here is the target's Google mailbox.
After stealing Google login credentials, the attacker checks the user's storage in Google Photos, Google Drive and similar services for any confidential data.
The video also shows the group using the email collaboration software Zimbra to monitor target mailboxes and, where possible, to deliver malicious code in attachments.
In an attack against one target, the group also ran brute-force attacks using a large number of passwords, drawn from password lists publicly leaked on the Internet.
In other words, users reuse the same account and password across many websites; once one site's password database is leaked, the attacker takes those credentials and tries them against accounts on other sites (credential stuffing).
The researchers said the attacker used a target's weak password to try logging in to 75 different websites, including banks, music services, e-commerce sites, food-delivery services and others.
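The defence against the reuse attack described above is to check whether a password already appears in leaked corpora before accepting it, without ever sending the password itself. The following is an added example, not code from the IBM report or from any vendor: it implements the k-anonymity range check used by breach-check services (the client sends only the first five hex characters of the SHA-1 hash and matches the suffix locally), against a small constructed stand-in for the breach corpus so that it runs offline.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus (password -> times seen in leaks).
# These are illustrative values, not data from any real breach.
CONSTRUCTED_LEAKS = {"password123": 120000, "Summer2020!": 350, "letmein": 98000}


def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(leaked: dict) -> dict:
    """Index leaked passwords by 5-char hash prefix: {prefix: {suffix: count}}."""
    corpus: dict = {}
    for pw, count in leaked.items():
        digest = _sha1_hex(pw)
        corpus.setdefault(digest[:5], {})[digest[5:]] = count
    return corpus


def range_lookup(corpus: dict, prefix: str) -> dict:
    """Server side: given only a 5-char prefix, return every suffix under it.
    The server never learns which suffix (and so which password) the client wanted."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-char hex prefix")
    return corpus.get(prefix, {})


def leaked_count(corpus: dict, password: str) -> int:
    """Client side: hash locally, query by prefix only, match the suffix locally."""
    digest = _sha1_hex(password)
    candidates = range_lookup(corpus, digest[:5])
    return candidates.get(digest[5:], 0)


def is_reuse_risk(corpus: dict, password: str, threshold: int = 1) -> bool:
    """True when the password has been seen in leaks at least `threshold` times."""
    return leaked_count(corpus, password) >= threshold


CORPUS = build_corpus(CONSTRUCTED_LEAKS)

if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", leaked_count(CORPUS, candidate), "leak occurrences")
```

Against a real service the `range_lookup` call would be the only network request, and the server response is the same prefix-scoped suffix list this function returns.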
To send phishing emails, the group mainly used Yahoo mailboxes; the video clearly shows Yahoo accounts registered by the group with Iranian phone numbers.
However, not all phishing emails the group sent succeeded: some were detected after sending and intercepted, ending up in the victim's spam folder.
Finally, IBM researchers emphasized that the demonstration videos show how important it is to use strong passwords and multi-factor authentication, which effectively protect user accounts.