Researchers Learn From Nation-State Attackers' OpSec Mistakes

Security researchers discuss how a series of simple and consistent mistakes helped them learn more about ITG18, better known as Charming Kitten.

When security intelligence teams talk about human error, the conversation typically focuses on the victim of a cyberattack. What might they learn if they analyzed attackers' mistakes instead?

In their investigation of a group tracked as ITG18, otherwise known as Charming Kitten and Phosphorous, a team of IBM X-Force security researchers investigated attackers' operational security errors to reveal the inner details of how the group functions and launches attacks.

ITG18, associated with Iranian government operations, has a history of targeting high-profile victims, journalists, nuclear scientists, and people involved with COVID-19 vaccine development. In late 2019, it was linked to an attack targeting a US presidential campaign; earlier that year, Microsoft took down 99 websites the group used to launch phishing attacks.

"How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well," says Richard Emerson, senior threat hunt analyst with IBM X-Force. Researchers estimate it's a "rather sizable organization" based on the amount of infrastructure it has registered; Emerson notes they have some 2,000 indicators tied to this group alone over the past couple of years.

It was when the team was researching an attack on executives at a COVID-19 research facility that it had "a huge breakthrough" in analyzing ITG18 activity, says Allison Wikoff, senior strategic cyber-threat analyst with IBM X-Force. Researchers routinely collect indicators associated with attackers' operations; as the team investigated ITG18's activity, they found errors in how attackers' infrastructure was set up, which led to a wealth of new information.

"When we saw this open server, we collected videos and exfiltrated information," she continues. "Over the course of the last 18 months, we've continually seen the same errors from this group." These errors have the dual effect of highlighting the mistakes adversaries make and how this gives researchers and defenders an advantage, she adds.

Among the information researchers found were training videos used within the group. These specifically cover how the group configures compromised email accounts to maintain access, how attackers exfiltrate data, and how they expand on compromises with stolen information. The videos helped researchers gain more insight into the operations, but the errors continued.

[Wikoff and Emerson will discuss their findings and show the training videos they discovered at an upcoming Black Hat USA briefing, "The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker," on Aug. 4 and 5]

One of the persistent mistakes ITG18 makes is misconfiguring its servers to leave listable directories, Emerson says. When someone navigates to the IP address or domain, they can view the files without authentication. "They're just open to the public, essentially, for anyone to look at," he notes.
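The directory-listing misconfiguration described above is just as easy for a defender to create on their own web servers as it was for this group. The following added example (not code from the article or from IBM X-Force) shows a small audit helper that recognises the autoindex pages produced by common web servers and lists the exposed entries, so a team can run it over HTTP responses from its own hosts; the sample responses embedded below are constructed, not captured from any real server.

```python
"""Recognise web-server directory listings (autoindex pages) in HTTP responses.

Added example for auditing your own hosts; not code from the article or IBM
X-Force. The SAMPLE_* bodies are constructed inputs, not captured responses.
"""
import re
from html.parser import HTMLParser


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> target from an HTML body."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


# Title strings emitted by Apache mod_autoindex / nginx autoindex and by
# Python's http.server when a directory has no index file.
TITLE_PATTERNS = (
    re.compile(r"^\s*Index of\s+/", re.I),
    re.compile(r"^\s*Directory listing for\s+/", re.I),
)

# Extensions of the kind of bulk archives that should never sit in a
# world-readable directory.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tgz", ".gz")


def detect_listing(body):
    """Return (is_listing, entries) for one HTTP response body.

    entries are the file/directory links on the page, with the sort links
    ("?C=N;O=D"), the parent-directory link ("../" or "/") and absolute
    links stripped out.
    """
    parser = _ListingParser()
    parser.feed(body)
    if not any(pat.search(parser.title) for pat in TITLE_PATTERNS):
        return False, []
    entries = [h for h in parser.hrefs if not h.startswith(("?", "../", "/"))]
    return True, entries


def archives_in(entries):
    """Return the listed entries that look like bulk archives."""
    return [e for e in entries if e.lower().endswith(ARCHIVE_SUFFIXES)]


# Constructed sample bodies: an nginx-style listing, an Apache-style listing,
# and an ordinary page that links to files but is not a listing.
SAMPLE_NGINX = (
    "<html><head><title>Index of /backups/</title></head><body>"
    "<h1>Index of /backups/</h1><hr><pre>"
    '<a href="../">../</a>\n'
    '<a href="db-backup.tar.gz">db-backup.tar.gz</a>  12-Jun-2021 10:11  1073741824\n'
    '<a href="readme.txt">readme.txt</a>  12-Jun-2021 10:12  2048\n'
    "</pre><hr></body></html>"
)
SAMPLE_APACHE = (
    "<html><head><title>Index of /uploads</title></head><body>"
    "<h1>Index of /uploads</h1><table>"
    '<tr><th><a href="?C=N;O=D">Name</a></th></tr>'
    '<tr><td><a href="/">Parent Directory</a></td></tr>'
    '<tr><td><a href="archive.7z">archive.7z</a></td></tr>'
    "</table></body></html>"
)
SAMPLE_NORMAL = (
    "<html><head><title>Welcome</title></head><body>"
    '<a href="login.html">Log in</a><a href="report.zip">Download</a>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE), ("normal", SAMPLE_NORMAL)):
        listing, entries = detect_listing(body)
        print(label, "listing" if listing else "no listing", entries, archives_in(entries))
```

If the check flags one of your own hosts, the fix is a one-line server setting rather than anything in the application: `Options -Indexes` in the Apache directory configuration, or `autoindex off;` in the nginx location block, both of which are the default behaviour and only produce a listing when someone has turned it on.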

The group stores their exfiltrated information on several of these servers, where anyone could find large, archived files ranging anywhere from 1GB to 100–150GB — and all of this could pertain to a single targeted individual, Emerson adds.

Researchers have also seen ITG18 storing tools, some legitimate and some custom, on these misconfigured servers. Emerson and Wikoff point to the group's new Android remote access Trojan, which is used to infect the victims they follow on a daily basis. They nicknamed the code "LittleLooter." Having access to this, as well as their other findings, has helped the research team better understand tactical aspects of how the attack group works.

What Researchers & Defenders Can Learn

ITG18's mistakes have helped Emerson and Wikoff paint a more detailed picture of how the group operates and hypothesize what its activity will look like in the future. The attacks aren't all that sophisticated, Wikoff notes, and the research suggests they are unlikely to evolve.

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser focused on it," she says. Others have reported on ITG18's misconfigured servers in the past, so it's likely the attackers are aware of the issue but haven't addressed it. It seems the group either doesn't care to address the mistake, doesn't want to change their operational cadence, or there could be another factor at play.

While many defensive tips are not unique to ITG18 — multifactor authentication is a big deterrent for these attackers — this group is tricky because they primarily target personal resources, Wikoff points out.

"We've got very, very personal information about where people have gone on vacation, we've got voice recordings, all of this information was exfiltrated from several victims," she says. "That builds a very strong profile that can be used for future social engineering campaigns against the individual or the organization they work with."

While organizations don't own their employees' personal resources, these attacks could still affect enterprise security. Emerson advises businesses to consider how they might respond if an employee is affected in one of these attacks, and how they can train employees to be aware of the threats they face.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
