# The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker

Richard Emerson, Senior Threat Hunt Analyst
Allison Wikoff, Senior Strategic Cyber Threat Analyst
IBM Security X-Force Threat Intelligence

#BHUSA @BlackHatEvents

### >whoami

- MIT Lincoln Labs, Department of Defense
- SecureWorks, Federal Reserve System, etc.

### Agenda

Questions covered, including:

- How do they operate?
- What can we learn from their mistakes?

Images source: IBM Security X-Force, Noble.org

### ITG18 Open Directory File Listing

- ITG18 infrastructure leads to discovery of an open file directory...
- Files uploaded over the course of a week before being taken down by
- Included exfiltrated victim data and... 4+ hours of desktop recordings!

Image source: IBM Security X-Force

### How we define ITG18

Targets

- Iranian and near-abroad dissidents, journalists, academics; Reformist political party members
- COVID researchers, US politicians, nuclear regulators, financial regulators

Infrastructure

- Frequently lease virtual private servers and register their own domains

### Enduring Operations

Timeline: 2017, 2018, 2019, 2020

Images source: URLScan.io

### Takedowns

- March 2019: Microsoft wins a court order to sinkhole 99 ITG18 domains
- Three weeks later, ITG18 responds to the domain takedown

### Tooling

- AndroRAT: open-source Android RAT (similar to https://github.com/karma9874/AndroRAT)
- Metasploit: publicly available pentesting framework; pdfReader modules

### LittleLooter Android

- Sample discovered by X-Force in October 2020, uploaded to VirusTotal in December 2020
- Has a hardcoded version number
- Masquerades as WhatsApp for Android
- Multi-functional backdoor

### Victim Data

- Chat logs and SMS messages
- Search history
- Personal information
- Social media and email accounts compromised
- Exfiltrated at least 2 terabytes since fall 2018

### Other Historical Mistakes – Naming Your Targets

ITG18 open server. Image source: Shodan

### Other Historical Mistakes – Not Updating Server Software

Image source: Shodan

### Size of Operations – Manual Credential Validation

### Size of Operations – CAPTCHA Challenges

Images source: IBM Security X-Force

### Size of Operations – Individual Operator Boxes?

- LittleLooter Android
- ... of WhatsApp installer
- Compromised accounts

Images source: IBM Security X-Force

### Summary

- Blended strategic objectives
- Broad and targeted phishing operations
- ~2000 unique indicators
- ~2 terabytes of victim exfil
- Manual data exfiltration and credential validation

### Desktop Recordings

- Discovered on an open server that previously hosted ITG18 infrastructure
- Desktop recordings made by the operator using free screen-recording software
- Operator demos setting up an account for continuous monitoring using an email collaboration platform
- Operator demos exfiltrating information from various webmail accounts

#### Thank you!
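The open-directory finding that anchors this talk appears in the deck only as a screenshot. As an added example (not code from the talk, from IBM X-Force, or from the ITG18 operators), the following is the kind of triage helper a threat hunter writes once a suspected server's autoindex page has been fetched: it recognises an Apache mod_autoindex-style "Index of" listing, extracts the file entries with their modification time and size, and flags the large or archive/video files that are worth pulling for analysis first. The HTML sample and every file name in it are constructed for illustration; real listings (nginx autoindex, other Apache layouts, lighttpd) differ, so the regex is a heuristic for this one layout, not a general parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of an Apache mod_autoindex "fancy" listing. It is NOT
# captured from any real server; the file names are invented for illustration.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1>
<pre><a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>                         -
<a href="screen_2020-05-01.mp4">screen_2020-05-01.mp4</a>  2020-05-01 14:10  1.3G
<a href="mailbox_export.zip">mailbox_export.zip</a>        2020-05-03 09:42   48M
<a href="notes.txt">notes.txt</a>                         2020-05-03 09:50  2.1K
<a href="old/">old/</a>                                   2020-04-12 18:03    -
<hr></pre>
</body></html>
"""

# One listing row: link, then "YYYY-MM-DD HH:MM", then a size token such as
# "1.3G", "48M", "2.1K" or "-" (directories). Sort links ("?C=N;O=D") and the
# Parent Directory row carry no timestamp, so they are skipped automatically.
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"?]+)">(?P<name>[^<]+)</a>\s+'
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>[\d.]+[KMGT]?|-)'
)

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


@dataclass
class Entry:
    name: str
    modified: str
    size_bytes: Optional[int]  # None for directories
    is_dir: bool


def looks_like_open_directory(html: str) -> bool:
    """Heuristic: autoindex pages carry an 'Index of' title and a parent link."""
    return bool(re.search(r"<title>\s*Index of ", html, re.I)) and "Parent Directory" in html


def parse_size(token: str) -> Optional[int]:
    """Convert an autoindex size token ('1.3G', '48M', '2.1K', '-') to bytes."""
    if token == "-":
        return None
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_listing(html: str) -> List[Entry]:
    """Extract file and directory rows from an Apache-style listing."""
    entries = []
    for m in ENTRY_RE.finditer(html):
        name = m.group("name")
        entries.append(Entry(name=name,
                             modified=m.group("modified"),
                             size_bytes=parse_size(m.group("size")),
                             is_dir=name.endswith("/")))
    return entries


def flag_interesting(entries: List[Entry],
                     min_bytes: int = 500 * 1024 * 1024,
                     suspicious_ext: Tuple[str, ...] = (".mp4", ".zip", ".7z", ".rar", ".sql")) -> List[str]:
    """Names of files that are large or have archive/recording extensions (thresholds are arbitrary)."""
    return [e.name for e in entries
            if not e.is_dir
            and ((e.size_bytes or 0) >= min_bytes or e.name.lower().endswith(suspicious_ext))]


if __name__ == "__main__":
    if looks_like_open_directory(SAMPLE_LISTING):
        found = parse_listing(SAMPLE_LISTING)
        for e in found:
            print(f"{e.modified}  {e.size_bytes!s:>12}  {e.name}")
        print("pull first:", flag_interesting(found))
```

In practice the HTML would come from a fetch of the suspected server through whatever egress policy the hunt team uses; the parser is separated from the fetch so it can be run against archived captures offline. Directories surface with `size_bytes` set to `None` so they can be queued for a second pass rather than mistaken for empty files.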