Iran-sponsored ITG18 group may not be the most sophisticated state-sponsored threat actor out there. Yet, its techniques prove to be successful over and over again.
During the Black Hat USA 2021 session, a pair of researchers from IBM X-Force outlined the specifics of the state-sponsored threat actor ITG18. This group’s tactics, techniques, and procedures overlap with groups known as Charming Kitten, Phosphorus, and TA453.
Senior threat hunt analyst at IBM X-Force Richard Emerson explained that ITG18 tends to leave open directories, which help researchers learn more about the tools and techniques used by the group. And sometimes, it proves to be a treasure.
Researchers took a closer look at the threat actor when it targeted the US biopharmaceutical company Gilead Sciences in May 2020. Iran, according to Emerson, was likely interested in getting access to any information about the potential COVID-19 vaccines and treatments.
“We also knew that for ITG18, while this targeting may have seemed atypical, it was not uncommon to pivot and focus on short-term higher priority objectives. We started to double-check the infrastructure we had already associated with this group when we came across an open directory,” he said.
Over the course of one week, researchers saw several files uploaded to the server, including exfiltrated information related to a greek navy member and a US navy member. They also found 4+ hours of desktop recording on an ITG18 operator manually validating victim credentials and several short video files, which they later determined were training videos.
Emerson highlighted that the threat group puts a lot of effort and manual work into credential phishing to support their espionage and surveillance objectives. For example, they have reportedly texted and emailed potential victims before attempting to get them to download the malware or visit a phishing page.
ITG18 stands out from other groups because it doesn’t care much about public disclosure of its methods or tools. For example, in March 2019, Microsoft claimed it disrupted Charming Kitten and took over 99 domains associated with the group. A couple of weeks later, ITG18 registered similar domains and has continued its operations as usual.
“This isn’t a group that is constantly innovating and trying to hide its activity from the security community. They have methods of doing things, and regardless of public disclosure, it continues to work for them in terms of compromising and exfiltrating data from their targets,” Emerson said.
ITG18 is after victims’ Google, Yahoo, and Microsoft credentials. They are good at using built-in legitimate tools, such as Google Takeout, which gathers and exports data as an archive.
“This data is often very personal. For example, for one compromised individual, the Google Takeout data included location information, so we were able to see this US person visiting US military bases and potentially taking a vacation, such as when this person visited Disney’s theme park. That data included the person’s queries to the Google voice assistant, so we were able to hear snippets of this person’s voice as well. With all this personal information taken from targets of interest, we can only guess at how the Iranian government is using it for their objectives,” Emerson explained.
Since 2018, ITG18 has exfiltrated close to 2 terabytes of data from victims. IBM collected 2,000 unique indicators associated with the group’s activities.
X-Force analysts pointed out that ITG18 operators are humans, therefore prone to making mistakes.
Emerson described the errors that the Iran threat actor made, naming being hit by ransomware as his favorite one.
“It might not seem like a priority for the server that you are using to host your phishing pages, to keep that software up to date, and to configure it to protect from cyber threats. But then you may also experience a suspected global posture ransomware incident as one the ITG18 server did back in 2019. Ransomware is a big problem for a lot of organizations, ITG18 included. Operators are only human, just as prone to making errors and mistakes as we are,” he said.
But, despite occasional mistakes and slips, ITG18 continues its operations quite successfully.
“From August 2020 through May 2021, X-Force observed ITG18 successfully compromise multiple victims aligned with the Iranian reformist movement. Given the timing and focus of the activity, this may have been in support of surveillance objectives leading up to the June 2021 presidential elections in Iran. Finally, despite continued OPSEC errors, ITG18 appears to conduct a sizeable and often successful operation that heavily focuses on compromising personal webmail and social media accounts,” Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, concluded.
More from CyberNews:
Subscribe to our newsletter