A team of IBM X-Force security experts analyzed attackers' operational security mistakes to disclose the core details of how the group functions and launches attacks in their analysis of a group known as ITG18, also identified as Charming Kitten and Phosphorous.
ITG18 has a history of targeting high-profile victims, journalists, nuclear experts, and persons working on the COVID-19 vaccine research. It is linked to Iranian government operations. It was related to an assault in late 2019.
Richard Emerson, senior threat hunt analyst with IBM X-Force stated, "How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well." Based on the amount of infrastructure it has registered, researchers believe it to be a "rather sizable organization" - Emerson adds that they have over 2,000 indicators connected to this group alone during the last couple of years.
According to Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, the team achieved "a major breakthrough" in studying ITG18 behavior while examining an attack on executives at a COVID-19 research center.
Researchers collected indicators that are linked with attackers' activities on a regular basis; when investigating ITG18's activity, the team discovered flaws in the attackers' infrastructure, resulting in a plethora of fresh information.
"When we saw this open server, we collected videos and exfiltrated information. Over the course of the last 18 months, we've continually seen the same errors from this group," she added.
Researchers discovered training videos used by the group among the data they gathered. These details include how the organization maintains access to hacked email accounts, how attackers exfiltrate data, and how they build on compromises with stolen data. The videos gave investigators a better understanding of the procedures, yet the mistakes persisted.
ITG18 has a habit of misconfiguring its servers to leave listable folders, according to Emerson. Anyone with access to the IP address or domain can read the files without requiring authentication.
The group keeps their stolen data on numerous of these servers, where anybody might find massive, archived files ranging from 1GB to 100–150GB — all of which could be related to a single targeted individual. Researchers have also discovered ITG18 storing tools on these misconfigured servers, some of which are genuine and others which are custom.
According to Emerson and Wikoff, the group's new Android remote access Trojan is used to infect the targets they track on a regular basis. The code was dubbed "LittleLooter."
ITG18's blunders have benefited Emerson and Wikoff in painting a more comprehensive view of how the organization functions and speculating on what its future activities would entail. Wikoff points out that the assaults aren't particularly complex, and that the study shows they aren't likely to evolve.
"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she added.
Others have previously reported on ITG18's misconfigured servers, so the attackers are likely aware of the problem but haven't rectified it. It appears that the group either does not want to fix the error, does not want to modify their operating tempo, or that another factor is at play.
While many defensive suggestions aren't specific to ITG18, multifactor authentication is a significant deterrent for these attackers, Wikoff points out that this group is complicated because they primarily target personal resources.
Even though companies control their workers' personal information, these attacks may compromise corporate security. Emerson advised that businesses should examine how they would respond if an employee is harmed in one of these assaults and how they can teach staff to be aware of the dangers they face.