Iranian spies accidentally filmed videos of themselves hacking


The most telling element of the video, says Wikoff, is the speed with which the hacker sets up the exfiltration of account information in real time. Google account data is stolen in about four minutes. The Yahoo account takes less than three minutes. In both cases, of course, a live account populated with tens or hundreds of gigabytes of data would take much longer to download. But the clips demonstrate how fast that download process is set up, Wikoff says, and suggest that the hackers are likely carrying out this type of large-scale theft of personal data routinely. “Seeing how adept they are at getting in and out of all these different webmail accounts and setting them up to be mined is just amazing,” says Wikoff. “It is a well-oiled machine.”

In some cases, IBM researchers were able to see in the video that the same dummy accounts were also being used to send phishing emails, with bounced messages to invalid addresses appearing in the accounts’ inboxes. Investigators say those bounced emails revealed some of the targets of the APT35 hackers, including US State Department personnel and an Iranian-American philanthropist. It is unclear whether any of the targets was successfully phished. The Yahoo dummy account also briefly shows the phone number linked to it, starting with Iran’s +98 country code.

In other videos that IBM researchers declined to show WIRED, investigators say the hackers appeared to be reviewing and exfiltrating data from the accounts of real victims, rather than from accounts they created for training purposes. One victim was a member of the U.S. Navy, and another was a two-decade veteran of the Greek Navy. Investigators say the APT35 hackers appear to have stolen photos, emails, tax records, and other personal information from both targeted individuals.

A file directory on an unsecured server used by APT35 hackers, listing the accounts whose data they had stolen. Screenshot: IBM

In some clips, investigators say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carriers to bank accounts, as well as some as trivial as pizza delivery and music streaming services. “Nothing was off limits,” says Wikoff. However, the researchers note that they saw no evidence that the hackers were able to circumvent two-factor authentication. When an account was secured with any second form of authentication, the hackers simply moved on to the next one on their list.

The kinds of targets that IBM’s findings reveal dovetail with previously known operations tied to APT35, which has carried out espionage on behalf of Iran for years, most often with phishing attacks as its initial point of intrusion. The group has focused on government and military targets that pose a direct challenge to Iran, such as nuclear regulators and sanctions agencies. Most recently, it has aimed its phishing emails at pharmaceutical companies involved in Covid-19 research and at President Donald Trump’s reelection campaign.