Iranian Hackers Left 5 Hours’ Worth of Hacking How-Tos Chilling on the Open Web

Photo: Nicolas Maeterlinck, Getty Images

There’s a lot of intrigue and ~mystery~ surrounding the public conception of hacking, but the truth is, even the most elite hackers are regular people. And just like regular people, they screw up on the job more than you might think. We’ve seen cybercriminals screw themselves over in some of the dumbest ways imaginable over the years, but for some reason, we still see the same mistakes made time and time again.

Case in point: Researchers on IBM’s X-Force IRIS cybersecurity team report finding a server full of unencrypted data left out in the open by a hacker group affiliated with Iranian state authorities. According to the team, the trove included, among other things, roughly five hours’ worth of video showing how to break into accounts belonging to members of the U.S. and Greek armed forces, and how to siphon sensitive data out of those accounts once they’re compromised.

According to the IBM squad, this roughly 40-gigabyte data dump was captured as it was being uploaded onto a server commonly used by the hacking group ITG18, which has been up and kicking for roughly the past decade. ITG18 is IBM’s name for activity that other security vendors track as “Charming Kitten” (also APT35 or Phosphorus), a group believed to be affiliated with the Iranian government. Since 2011, we’ve seen this group target the World Health Organisation, a handful of American journalists, and potentially even Trump’s reelection campaign, among other politically connected pundits and federal officials.

As the IBM team describes it, some of the information they dug up from the server included:

  • “An ITG18 operator searching through and exfiltrating data from various compromised accounts of a member of U.S. Navy and a personnel officer with nearly two decades of service in Hellenic Navy. Using these accounts could allow the operator to obtain other data on military operations of potential interest to Iran.”
  • “Failed phishing attempts targeting the personal accounts of an Iranian-American philanthropist and officials of the U.S. State Department.”
  • “Personas and Iranian phone numbers associated to ITG18 operators.”

According to IBM, the server was full of recordings of these operations (and others) ranging from a few minutes in length to two hours a pop. A handful of these videos showed just how easy it is to hoover out a target’s full contact list, photos, and anything else they might have hiding in the cloud once you get ahold of the password for their email or social media accounts.

Naturally, the IBM team didn’t share the videos themselves, but they did describe the kinds of accounts these Iranian operatives filmed themselves hacking. Beyond the email, Facebook and Twitter accounts of the officers in question, the operator doing the filming also tried the stolen credentials against the targets’ accounts on:

  • music and video streaming sites and services
  • sites for food delivery (the IBM team calls out “pizza delivery” specifically)
  • credit reporting sites
  • sites for filing for financial aid as a student
  • sites for buying and posting about video games
  • and many, many more!

Apparently, the IBM team counted at least 75 websites where these Iranian ops tried the stolen logins, which is exactly why a password reused across sites is so dangerous: one phished email password opens every other account that shares it. At the end of the day, the IBM team suggests that the best way to protect yourself from these sorts of shenanigans is to use a password manager so every account gets its own password, to make those passwords longer than 14 characters (length is what makes them tough to crack), and to reset them at regular intervals. They also suggest turning on two-factor authentication as a last line of defence, in case a password does end up in the wrong hands.
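The practical takeaway from the 75-site credential check is password reuse, and you can audit your own habit for it. The script below is an added example written for this article, not code from IBM or from the ITG18 videos. It assumes a password-manager CSV export with `url`, `username` and `password` columns (the layout most managers use), and flags three things: the same password on more than one site, passwords shorter than IBM’s 14-character floor, and “families” of passwords that differ only by a year or a suffix, since an attacker holding one of those will guess the rest. The export rows are constructed sample data.

```python
"""Audit a password-manager CSV export for the habits IBM's advice targets.

Added example, not from the article or IBM's report. Assumes an export with
'url', 'username' and 'password' columns; the sample below is constructed.
"""
import csv
import io
import re
from collections import defaultdict

MIN_LENGTH = 15  # IBM's advice: more than 14 characters

# Constructed sample export: hypothetical sites and made-up credentials.
SAMPLE_EXPORT = """url,username,password
https://mail.example.com,officer@example.com,Summer2019!
https://pizza.example.net,officer@example.com,Summer2019!
https://music.example.org,officer@example.com,Summer2019!
https://credit.example.com,officer@example.com,g7#Kp!2vLq9$wXz4Rb
https://games.example.io,officer@example.com,Summer2020!
"""


def load_export(text):
    """Parse a CSV export into a list of {'url', 'username', 'password'} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reuse(rows):
    """Return {password: [urls]} for every password used on two or more sites."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["url"])
    return {pw: sorted(urls) for pw, urls in by_password.items() if len(urls) > 1}


def find_short(rows, min_length=MIN_LENGTH):
    """Return the urls whose password is shorter than min_length."""
    return sorted(r["url"] for r in rows if len(r["password"]) < min_length)


def password_family(pw):
    """Heuristic key: strip digits and punctuation, lowercase the rest.

    'Summer2019!' and 'Summer2020!' both map to 'summer', i.e. the same
    base word with a changed year, which an attacker will try first.
    """
    return re.sub(r"[\d\W_]+", "", pw).lower()


def find_variants(rows):
    """Return {family: [distinct passwords]} where a base word is recycled."""
    by_family = defaultdict(set)
    for row in rows:
        by_family[password_family(row["password"])].add(row["password"])
    return {fam: sorted(pws) for fam, pws in by_family.items() if len(pws) > 1}


def audit(text):
    """Run all three checks over an export and return the findings."""
    rows = load_export(text)
    return {
        "reused": find_reuse(rows),
        "short": find_short(rows),
        "variants": find_variants(rows),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_EXPORT).items():
        print(check, findings)
```

Run it against a real export and anything that shows up under `reused` or `variants` is a password that one successful phish would turn into access to every listed site; fix those first, then the short ones.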