The data trove discovered by IBM X-Force IRIS researchers contained roughly five hours of video training that appears to have been recorded directly from the screens of hackers working for a state-sponsored group that it calls ITG18 (also called Charming Kitten, Phosphorus, or APT35), which has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns. The IBM X-Force IRIS researchers discovered the videos on a virtual private cloud server that were accidentally uploaded by hackers in May due to a misconfiguration of security settings. During a three-day period in May 2020, IBM X-Force IRIS discovered the 40GBs of video and data files being uploaded to a server that hosted numerous ITG18 domains used in the earlier 2020 activity. “Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations. But that is exactly what X-Force IRIS uncovered on an ITG18 operator whose OPSEC failures provide a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation that is likely underway,” Allison Wikoff, Strategic Cyber Threat Analyst, IBM Security said. Some of the victims in the videos included compromised accounts of a member of the U.S. Navy and a personnel officer with nearly two decades of service in the Hellenic Navy, the naval force of Greece. In addition, it also included unsuccessful phishing attempts directed against personal accounts of an unnamed Iranian-American philanthropist and U.S. State Department officials. “Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts,” the researchers said. The video files uncovered by IBM X-Force IRIS were desktop recordings using a tool called Bandicam, ranging from 2 minutes to 2 hours. The timestamps of the files indicated the videos were recorded approximately one day prior to being uploaded to the ITG18-operated server. In five of the video files, named “AOL.avi”, “Aol Contact.avi”, “Gmail.avi”, “Yahoo.avi”, “Hotmail.avi”, the operator uses a Notepad file containing one credential for each platform, and video-by-video copied and pasted them into the associated website. The operator moved on to demonstrate how to exfiltrate various datasets associated with these platforms including contacts, photos, and associated cloud storage. The operator also modified settings within the account security section of each account and added them to Zimbra, a legitimate email collaboration platform that can combine multiple email accounts into one interface. With Zimbra, the operator was able to monitor and manage various compromised email accounts simultaneously. Some of the operator-owned accounts observed in the training videos provided additional insight into personas associated to ITG18, such as phone numbers with Iranian country codes. IBM X-Force IRIS observed the “Yahoo.avi” video displayed profile details for a fake persona, which we will reference as “Persona A” including a phone number with a +98 country code, the international country code for Iran. “Regardless of the motivation, mistakes by the ITG18 operator allowed IBM X-Force IRIS to gain valuable insights into how this group might accomplish action on its objectives and otherwise train its operators. IBM X-Force IRIS considers ITG18 a determined threat group with a significant investment in its operations,” the researchers noted. “The group has shown persistence in its operations and consistent creation of new infrastructure despite multiple public disclosures and broad reporting on its activity.” ITG18, which has been active since at least 2013, mainly targets individuals and entities of strategic interest to the Iranian government by using credential harvesting and email compromise operations through phishing attacks.