When security intelligence teams talk about human error, the conversation typically focuses on the victim of a cyberattack. What might they learn if they analyzed attackers' mistakes instead?

In their investigation of a group tracked as ITG18, otherwise known as Charming Kitten and Phosphorous, a team of IBM X-Force security researchers investigated attackers' operational security errors to reveal the inner details of how the group functions and launches attacks.

ITG18, associated with Iranian government operations, has a history of targeting high-profile victims, journalists, nuclear scientists, and people involved with COVID-19 vaccine development. In late 2019, it was linked to an attack targeting a US presidential campaign; earlier that year, Microsoft took down 99 websites the group used to launch phishing attacks.

"How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well," says Richard Emerson, senior threat hunt analyst with IBM X-Force. Researchers estimate it's a "rather sizable organization" based on the amount of infrastructure it has registered —Emerson notes they have some 2,000 indicators tied to this group alone over the past couple of years.

It was when the team was researching an attack on executives at a COVID-19 research facility that it had "a huge breakthrough" in analyzing ITG18 activity, says Allison Wikoff, senior strategic cyber-threat analyst with IBM X-Force. Researchers routinely collect indicators associated with attackers' operations; as the team investigated ITG18's activity, they found errors in how attackers' infrastructure was set up, which led to a wealth of new information.

"When we saw this open server, we collected videos and exfiltrated information," she continues. "Over the course of the last 18 months, we've continually seen the same errors from this group." These errors have the dual effect of highlighting the mistakes adversaries make and how this gives researchers and defenders an advantage, she adds.

Among the information researchers found were training videos used within the group. These specifically cover how the group configures compromised email accounts to maintain access, how attackers exfiltrate data, and how they expand on compromises with stolen information. The videos helped researchers gain more insight into the operations, but the errors continued.

[Wikoff and Emerson will discuss their findings and show the training videos they discovered at an upcoming Black Hat USA briefing, "The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker," on Aug. 4 and 5]

One of the persistent makes ITG18 makes is misconfiguring their servers to leave listable directories, Emerson says. When someone navigates to the IP address or domain, they can view the files without authentication. "They're just open to the public, essentially, for anyone to look at," he notes.

The group stores their exfiltrated information on several of these servers, where anyone could find large, archived files ranging anywhere from 1GB to 100–150GB — and all of this could pertain to a single targeted individual, Emerson adds.

Researchers have also seen ITG18 storing tools, some legitimate and some custom, on these misconfigured servers. Emerson and Wikoff point to the group's new Android remote access Trojan, which is used to infect the victims they follow on a daily basis. They nicknamed the code "LittleLooter." Having access to this, as well as their other findings, has helped the research team better understand tactical aspects of how the attack group works.

What Researchers & Defenders Can Learn
ITG18's mistakes have helped Emerson and Wikoff paint a more detailed picture of how the group operates and hypothesize what its activity will look like in the future. The attacks aren't all that sophisticated, Wikoff notes, and the research suggests they are unlikely to evolve.

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser focused on it," she says. Others have reported on ITG18's misconfigured servers in the past, so it's likely the attackers are aware of the issue but haven't addressed it. It seems the group either doesn't care to address the mistake, doesn't want to change their operational cadence, or there could be another factor at play.

While many defensive tips are not unique to ITG18 — multifactor authentication is a big deterrent for these attackers — this group is tricky because they primarily target personal resources, Wikoff points out.

"We've got very, very personal information about where people have gone on vacation, we've got voice recordings, all of this information was exfiltrated from several victims," she says. "That builds a very strong profile that can be used for future social engineering campaigns against the individual or the organization they work with."

While organizations own their employees' personal resources, these attacks could affect enterprise security. Emerson advises businesses to consider how they might respond if an employee is affected in one of these attacks, and how they can train employees to be aware of the threats they face.