Researchers Learn From Nation-State Attackers' OpSec Mistakes

Security researchers discuss how a series of simple and consistent mistakes helped them learn more about ITG18, better known as Charming Kitten.

When security intelligence teams talk about human error, the conversation typically focuses on the victim of a cyberattack. What might they learn if they analyzed attackers' mistakes instead?


In their investigation of a group tracked as ITG18, otherwise known as Charming Kitten and Phosphorous, a team of IBM X-Force security researchers investigated attackers' operational security errors to reveal the inner details of how the group functions and launches attacks.

ITG18, associated with Iranian government operations, has a history of targeting high-profile victims, journalists, nuclear scientists, and people involved with COVID-19 vaccine development. In late 2019, it was linked to an attack targeting a US presidential campaign; earlier that year, Microsoft took down 99 websites the group used to launch phishing attacks.

"How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well," says Richard Emerson, senior threat hunt analyst with IBM X-Force. Researchers estimate it's a "rather sizable organization" based on the amount of infrastructure it has registered; Emerson notes they have some 2,000 indicators tied to this group alone over the past couple of years.

It was when the team was researching an attack on executives at a COVID-19 research facility that it had "a huge breakthrough" in analyzing ITG18 activity, says Allison Wikoff, senior strategic cyber-threat analyst with IBM X-Force. Researchers routinely collect indicators associated with attackers' operations; as the team investigated ITG18's activity, they found errors in how attackers' infrastructure was set up, which led to a wealth of new information.

"When we saw this open server, we collected videos and exfiltrated information," she continues. "Over the course of the last 18 months, we've continually seen the same errors from this group." These errors have the dual effect of highlighting the mistakes adversaries make and how this gives researchers and defenders an advantage, she adds.

Among the information researchers found were training videos used within the group. These specifically cover how the group configures compromised email accounts to maintain access, how attackers exfiltrate data, and how they expand on compromises with stolen information. The videos helped researchers gain more insight into the operations, but the errors continued.

[Wikoff and Emerson will discuss their findings and show the training videos they discovered at an upcoming Black Hat USA briefing, "The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker," on Aug. 4 and 5]

One of the persistent mistakes ITG18 makes is misconfiguring its servers to leave listable directories, Emerson says. When someone navigates to the IP address or domain, they can view the files without authentication. "They're just open to the public, essentially, for anyone to look at," he notes.

The group stores their exfiltrated information on several of these servers, where anyone could find large, archived files ranging anywhere from 1GB to 100–150GB — and all of this could pertain to a single targeted individual, Emerson adds.
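The listable-directory misconfiguration described above is just as easy for a defender to make. The following added example (not code from the article or from IBM X-Force) shows a small check that recognises auto-generated index pages, such as Apache mod_autoindex or nginx autoindex output, so an organisation can audit its own web hosts for accidental exposure; the sample HTML is constructed for the example.

```python
"""Detect auto-generated directory-listing pages so a defender can audit
their own web hosts for the misconfiguration described in the article.
The sample page below is constructed for this example."""
import re
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self.links.append((self._href, data.strip()))


def directory_listing_entries(html: str) -> list:
    """Return the entries exposed by an auto-generated index page, or an
    empty list if the page does not look like one.  Heuristic: a title or
    heading of 'Index of /...' plus relative links; parent-directory and
    column-sort links (Apache's '?C=N;O=D') are ignored."""
    if not re.search(r"<(?:title|h1)>\s*Index of /", html, re.IGNORECASE):
        return []
    parser = _LinkCollector()
    parser.feed(html)
    return [href for href, _ in parser.links
            if href not in ("../", "..")
            and not href.startswith(("?", "/", "http://", "https://"))]


# Constructed nginx-style listing, as an exposed server might return it.
SAMPLE_LISTING = """<html><head><title>Index of /archive/</title></head><body>
<h1>Index of /archive/</h1><hr><pre><a href="../">../</a>
<a href="target1.rar">target1.rar</a>   01-Jul-2021 10:00   1073741824
<a href="tools/">tools/</a>                30-Jun-2021 09:00   -
</pre><hr></body></html>"""

if __name__ == "__main__":
    print(directory_listing_entries(SAMPLE_LISTING))  # ['target1.rar', 'tools/']
```

Run it against the response bodies of your own hosts (for example, the root of each virtual host and any static-file paths); any non-empty result is a directory listing that should be disabled in the server configuration.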

Researchers have also seen ITG18 storing tools, some legitimate and some custom, on these misconfigured servers. Emerson and Wikoff point to the group's new Android remote access Trojan, which is used to infect the victims they follow on a daily basis. They nicknamed the code "LittleLooter." Having access to this, as well as their other findings, has helped the research team better understand tactical aspects of how the attack group works.

What Researchers & Defenders Can Learn
ITG18's mistakes have helped Emerson and Wikoff paint a more detailed picture of how the group operates and hypothesize what its activity will look like in the future. The attacks aren't all that sophisticated, Wikoff notes, and the research suggests they are unlikely to evolve.

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she says. Others have reported on ITG18's misconfigured servers in the past, so it's likely the attackers are aware of the issue but haven't addressed it. It seems the group either doesn't care to address the mistake, doesn't want to change its operational cadence, or there could be another factor at play.

While many defensive tips are not unique to ITG18 — multifactor authentication is a big deterrent for these attackers — this group is tricky because they primarily target personal resources, Wikoff points out.

"We've got very, very personal information about where people have gone on vacation, we've got voice recordings, all of this information was exfiltrated from several victims," she says. "That builds a very strong profile that can be used for future social engineering campaigns against the individual or the organization they work with."

While organizations don't own their employees' personal resources, these attacks could still affect enterprise security. Emerson advises businesses to consider how they might respond if an employee is affected by one of these attacks, and how they can train employees to be aware of the threats they face.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
