A pair of IBM X-Force researchers presented details about the state-sponsored hacking group ITG18 during a Black Hat USA 2021 session. The tactics, techniques, and procedures of Phosphorus, Charming Kitten, and TA453 all overlap with this group.
ITG18 leaves records exposed, as stated by IBM X-Force senior threat hunt analyst Richard Emerson. This allows researchers to learn more about the tools and plans of action employed by the group. Some of the time, it turns out to be a real find!
In 2020, ITG18 launched an attack on a US drugs company.
For example, in May 2020, the hackers targeted the US biopharmaceutical company Gilead Sciences. Researchers investigated the attackers. As stated by Emerson, Iran was most likely interested in learning more about potential COVID-19 vaccinations and treatments. They established that it was not common for the group to pivot and focus on more valuable short-term objectives. They also started checking on the infrastructure of different entities.
Several recordings of exfiltrated data sat on the server for one week. The data related to a member of the Greek navy and a US Navy sailor. Researchers also discovered more than four hours of desktop recordings of an ITG18 operator. These confirmed victim credentials, along with many short video files later identified as training films. The threat group invests a lot of time and effort in credential phishing, as stated by Emerson, purely to support its espionage and surveillance aims.
ITG18 keeps going even after its approaches and tools are disclosed to the security community.
ITG18 differs from other groups in that it is unconcerned about public disclosure of its methodology or tooling. For example, Microsoft said in March 2019 that it had disrupted Charming Kitten and taken control of 99 domains affiliated with the group. ITG18 simply registered similar domains a few weeks later and went about its business as usual.
The group is after victims’ Google, Yahoo, and Microsoft login credentials. It is adept at leveraging legitimate built-in tools, such as Google Takeout, which exports and archives a user’s account data.
Records of ITG18 espionage
ITG18 has stolen about 2 gigabytes of data from victims since its inception in 2018. IBM gathered 2,000 different indicators related to the group’s activity. Its operators, as stated by X-Force analysts, are people who make errors. Emerson outlined the Iranian threat actor’s blunders, his favorite being the group itself getting infected with ransomware.
Despite minor errors, ITG18 continues to stand out.
It effectively compromised many victims connected with the Iranian reformist movement. According to X-Force, this happened within a single year, from August 2020 to May 2021. ITG18 appears to be conducting an effective operation despite its OPSEC errors.