Charming Kitten lets the cat out of the bag

Hey, y’all. How are you guys doing? I’m back with a news story I find intriguing. 

Last week, a threat actor had ‘accidentally’ exposed their hacking methods online. Interestingly, they are training videos worth 40GB. 


The state-sponsored group IBM calls, ITG18, has unintentionally exposed an uncommon “behind-the-scenes” screening for all to know how they operate. IBM's X-Force Incident Response Intelligence Services (IRIS) got hold of nearly five hours worth of video recordings by the Iranian threat actor known as Charming Kitten, Phosphorus, APT35, and now ITG18. 

Here’s the summary of some of the victims exposed in the videos: 

  • Personal accounts of U.S. and Greek Navy personnel
  • Unsuccessful phishing attempts directed against U.S. state department officials 
  • An unnamed Iranian-American philanthropist

ITG18 has an elaborate past of aiming at the U.S. and the Middle Eastern military, diplomatic, and government personnel/officials to perform intelligence gathering and espionage in order to aid Iran's geopolitical interests.

IBM researchers say: 

"Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts."

These videos, that were discovered on a virtual private cloud server, were vulnerable due to poorly configured security settings. The server, that held more than 40GB of data, apparently also hosted a number of ITG18 domains early this year.  

What were the video contents?

  • Possession and access to the targets' email and social media credentials obtained via spear-phishing
  • Logging in to the accounts using the compromised credentials in hand
  • Deleting notifications of suspicious logins so as not to alert the victims
  • Exfiltrating contacts, photos, and documents from Google Drive

Researchers noted: 

"The operator was also able to sign into victims' Google Takeout (, which allows a user to export content from their Google Account, to include location history, information from Chrome, and associated Android devices."


Figure 1: Bandicam screen-recording tool

These videos - that were taken using Bandicam’s screen-recording tool (picture above) - also reveal how the perpetrators punched the victim’s credentials to Zimbra, an email collaboration platform, to enable easy monitoring and managing of all the compromised email accounts. 

Other than email accounts, the videos show how the hackers try a huge list of compromised credentials (usernames and passwords) against a minimum of 75 distinct websites. These websites scales from bank and video/music streaming to something as minor as pizza delivery and baby products. 

Figure 2: Zimbra, email collaboration platform

A good portion of the 40GB-video demonstrates the threat actor making use of fake Yahoo! accounts - that includes a phone number with Iran's country code (+98) - to dispatch phishing emails. Fortunately, some of these phishing emails bounced back - implying that the potential victims’ inbox remained safe from these emails.  

IBM researchers commented: 

"During the videos where the operator was validating victim credentials, if the operator successfully authenticated against a site that was set up with multi-factor authentication (MFA), they paused and moved on to another set of credentials without gaining access."

What does it mean to victims?


This is what researchers had to say in conclusion: 

"The compromise of personal files of members of the Greek and U.S. Navy could be in support of espionage operations related to numerous proceedings occurring in the Gulf of Oman and Arabian Gulf … The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity." 

What’s the takeaway?

Exercise and implement basic cybersecurity best practices! 

Secure accounts by: 

  • Using stronger, complex passwords (min. 8 characters - including small letters, capital letters, numbers, & special characters)
  • Reset passwords periodically
  • Turning on two-factor authentication
  • Reviewing and limiting access to third-party apps

That’s it for the blog today, y’all! Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned. 

Until next time, friends!

Credits: The Hacker News

Add comment