
Threat Intelligence

7/6/2021
05:42 PM

Researchers Learn From Nation-State Attackers' OpSec Mistakes

Security researchers discuss how a series of simple and consistent mistakes helped them learn more about ITG18, better known as Charming Kitten.

When security intelligence teams talk about human error, the conversation typically focuses on the victim of a cyberattack. What might they learn if they analyzed attackers' mistakes instead?


In their investigation of a group tracked as ITG18, otherwise known as Charming Kitten and Phosphorous, a team of IBM X-Force security researchers investigated attackers' operational security errors to reveal the inner details of how the group functions and launches attacks.

ITG18, associated with Iranian government operations, has a history of targeting high-profile victims, journalists, nuclear scientists, and people involved with COVID-19 vaccine development. In late 2019, it was linked to an attack targeting a US presidential campaign; earlier that year, Microsoft took down 99 websites the group used to launch phishing attacks.

"How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well," says Richard Emerson, senior threat hunt analyst with IBM X-Force. Researchers estimate it's a "rather sizable organization" based on the amount of infrastructure it has registered — Emerson notes they have some 2,000 indicators tied to this group alone over the past couple of years.

It was when the team was researching an attack on executives at a COVID-19 research facility that it had "a huge breakthrough" in analyzing ITG18 activity, says Allison Wikoff, senior strategic cyber-threat analyst with IBM X-Force. Researchers routinely collect indicators associated with attackers' operations; as the team investigated ITG18's activity, they found errors in how attackers' infrastructure was set up, which led to a wealth of new information.

"When we saw this open server, we collected videos and exfiltrated information," she continues. "Over the course of the last 18 months, we've continually seen the same errors from this group." These errors have the dual effect of highlighting the mistakes adversaries make and how this gives researchers and defenders an advantage, she adds.

Among the information researchers found were training videos used within the group. These specifically cover how the group configures compromised email accounts to maintain access, how attackers exfiltrate data, and how they expand on compromises with stolen information. The videos helped researchers gain more insight into the operations, but the errors continued.

[Wikoff and Emerson will discuss their findings and show the training videos they discovered at an upcoming Black Hat USA briefing, "The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker," on Aug. 4 and 5]

One of the persistent mistakes ITG18 makes is misconfiguring their servers to leave listable directories, Emerson says. When someone navigates to the IP address or domain, they can view the files without authentication. "They're just open to the public, essentially, for anyone to look at," he notes.

The group stores their exfiltrated information on several of these servers, where anyone could find large, archived files ranging anywhere from 1GB to 100–150GB — and all of this could pertain to a single targeted individual, Emerson adds.
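The misconfiguration described above (a web server that serves an auto-generated "Index of /" page instead of denying access) is one a defender can audit for on their own hosts. The following is an added example, not IBM X-Force's code or anything from the article: it recognises the auto-index pages that Apache, nginx and Python's `http.server` emit, lists the files such a page exposes, and flags the bulk archive types that the article says held exfiltrated data. The two HTML samples are constructed for the example, not captured from any real server.

```python
"""
Recognise auto-generated directory listings in HTTP response bodies so that
an administrator can audit their own web servers for the "listable
directory" misconfiguration.  Added example; not IBM X-Force's code.
"""
import re
from html.parser import HTMLParser

# <title> text that Apache ("Index of /path"), nginx ("Index of /path") and
# Python's http.server ("Directory listing for /path") use for auto-index pages.
LISTING_TITLE = re.compile(r"^\s*(Index of|Directory listing for)\s+\S", re.I)

# Archive types typically used for bulk data dumps; assumed list for this example.
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")


class _IndexParser(HTMLParser):
    """Collect the <title> text and every <a href> in the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyse_listing(body: str) -> dict:
    """Return whether `body` is a directory listing and which files it exposes.

    Sort links ("?C=N;O=D"), the parent-directory link ("/" or "../") and
    sub-directories ("tools/") are dropped so only exposed files remain.
    """
    parser = _IndexParser()
    parser.feed(body)
    is_listing = bool(LISTING_TITLE.match(parser.title))
    files = [
        href for href in parser.links
        if not href.startswith(("?", "/", "../")) and not href.endswith("/")
    ]
    archives = [f for f in files if f.lower().endswith(ARCHIVE_EXTS)]
    return {
        "is_listing": is_listing,
        "title": parser.title.strip(),
        "files": files,
        "archives": archives,
    }


# Constructed sample: what an Apache auto-index page for an exposed folder looks like.
APACHE_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="account-backup-2021.rar">account-backup-2021.rar</a></td><td>2021-05-02 10:11</td></tr>
<tr><td><a href="notes.txt">notes.txt</a></td><td>2021-05-02 10:12</td></tr>
<tr><td><a href="tools/">tools/</a></td><td>2021-05-02 10:13</td></tr>
</table></body></html>"""

# Constructed sample: an ordinary page that happens to contain a link.
NORMAL_PAGE = ('<html><head><title>Welcome</title></head>'
               '<body><a href="about.html">About</a></body></html>')


if __name__ == "__main__":
    for name, page in (("apache", APACHE_SAMPLE), ("normal", NORMAL_PAGE)):
        result = analyse_listing(page)
        print(name, result["is_listing"], result["files"], result["archives"])
```

In practice the body passed to `analyse_listing` would come from fetching your own server's directories; any `is_listing` hit means the directory index should be disabled (`Options -Indexes` in Apache, `autoindex off;` in nginx) or the content moved behind authentication.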

Researchers have also seen ITG18 storing tools, some legitimate and some custom, on these misconfigured servers. Emerson and Wikoff point to the group's new Android remote access Trojan, which is used to infect the victims they follow on a daily basis. They nicknamed the code "LittleLooter." Having access to this, as well as their other findings, has helped the research team better understand tactical aspects of how the attack group works.

What Researchers & Defenders Can Learn

ITG18's mistakes have helped Emerson and Wikoff paint a more detailed picture of how the group operates and hypothesize what its activity will look like in the future. The attacks aren't all that sophisticated, Wikoff notes, and the research suggests they are unlikely to evolve.

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she says. Others have reported on ITG18's misconfigured servers in the past, so it's likely the attackers are aware of the issue but haven't addressed it. The group either doesn't care to fix the mistake, doesn't want to change its operational cadence, or has some other reason for leaving it in place.

While many defensive tips are not unique to ITG18 — multifactor authentication is a big deterrent for these attackers — this group is tricky because they primarily target personal resources, Wikoff points out.

"We've got very, very personal information about where people have gone on vacation, we've got voice recordings, all of this information was exfiltrated from several victims," she says. "That builds a very strong profile that can be used for future social engineering campaigns against the individual or the organization they work with."

While organizations don't own their employees' personal resources, these attacks could still affect enterprise security. Emerson advises businesses to consider how they might respond if an employee is affected in one of these attacks, and how they can train employees to be aware of the threats they face.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...