
Iran state hackers caught in intercepted videos - redm
https://arstechnica.com/information-technology/2020/07/iran-state-hackers-caught-with-their-pants-down-in-intercepted-videos/
======
wyxuan
Umm, maybe a more appropriate title could be “IBM discovers database
containing Iranian hacking videos”

~~~
JadeNB
Isn't our preference to preserve the original headline when possible?
("Otherwise please use the original title, unless it is misleading or
linkbait; don't editorialize." Maybe it's misleading?)

------
m000
Disappointing. I was expecting a webcam hack or something, that literally
caught them with their pants down.

~~~
dylan604
I think maybe you're looking for chatroulette or something? Why would hackers
have their pants down? Hands in the cookie jar maybe, as hackers are known for
junk food consumption. Maybe it's hacker sport by trying to handicap the
better hackers?

Seriously though, even if there was footage of the actual hack occurring, it's
just going to be a room with computers and users in front of a screen. It
would potentially look like any office in any city with computer users. At
least the state sponsored hackers. I totally expect the setups of l33t hackers
living at home with mom to be just like in the movies. 8 50"+ computer
screens, 10 computers in racks, better setup than most NOCs, then all of the
Mountain Dew cans and junk food wrappers tossed about, the posters on the wall
of swimsuit models. Maybe these guys would literally have their pants down.

~~~
david_shaw
_> Seriously though, even if there was footage of the actual hack occurring,
it's just going to be a room with computers and users in front of a screen._

After reading the headline, I expected webcam footage showing the hackers'
faces -- or something similar. I don't think m000 actually anticipated true
pants-less video :)

That said, this is all really interesting; I'd love to see the data itself.
Unfortunately, all this really shows is that Iran conducts state-sponsored
cyber-attacks -- which, of course, we already know.

------
afrcnc
Source, with a lot more details: [https://securityintelligence.com/posts/new-research-exposes-...](https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/)

------
SahAssar
The methods described seem to be pretty basic. I'm surprised that copy-pasting
passwords and manually connecting an email account to Zimbra would be part of a
training video (and not completely automated using more sophisticated tools
than Zimbra).

> X-Force IRIS security team obtained the 40GB cache of data as it was being
> uploaded to a server

Wut? That makes it sound like it was uploaded over an unencrypted channel.

Is this really the level that state sponsored hackers are on? Unencrypted
uploads, manual copy-paste of passwords and free versions of Bandicam?

Given the above I wouldn't be surprised if it was intentionally leaked to make
them seem like less of a threat.

~~~
acruns
This is a common misperception of foreign infosec. Most foreign infosec is
much older and more basic than most would believe. This comes from the lack of
trust between cooperating countries and basic skills. Not to say they aren't
smart ppl but most ppl shy away from this type of work even when it's possible
bc of the downside of being the one that leaked 40GB of video; this impacts
them and their entire family in ways we wouldn't even consider in the west.
And on top of it they don't have the cooperation of their allies in most cases
to help advance their tech. Then on top of all that a lot of what they know is
stolen instead of learned, so when you don't really understand the tech to
begin with, it's very difficult to make advances to it. It would be like me, a
non-programmer but great scripter, getting C source code that has no
documentation and being asked to add a feature to the program.

~~~
dogma1138
“APTs” are somewhat of a misnomer: they are not usually that advanced, but they
are always persistent. They relentlessly go after soft targets, and there are
way more of them than people realize, especially in the west, due to the age
and scale of both organizations and IT systems and the fact that these are
much more commonly operated directly or supported by dozens of civilian
contractors and sub-contractors whose practices are much harder to
manage.

Ironically it would probably be easier to run a secure network in North Korea
or Iran than in the US simply because of how those societies and their own
military/government-industrial complexes are structured.

It's always a question of resources. Encrypting the payload won’t prevent
discovery, and if it’s not some super valuable zero day there is no point in
doing that. Spending 1000s of man hours on zero day research is nice when you
have an abundance of resources but utterly useless when you don’t, since your
entire way in is dependent on something that can be patched out or signature
blocked at the perimeter within days if not hours.

However, going after people and soft targets is a completely different story: it
can be easily executed, the signature is low, direct attribution is limited
and it can be easily scaled up. You can write processes and procedures that
instruct operators exactly what to do, which means that in a relatively short
timeframe you can have 100s and 1000s of mechanical Turks trying to find a
way in. This is the equivalent of lock picking a brand new Mercedes in the
parking lot vs simply going around and looking for an unlocked car.

The first option requires more skill and arguably is more risky since it
exposes your activity for a longer duration; the latter can be performed by
anyone and at the end of the day yields more fruitful results if all you want
is a few handbags and some cash from the glove compartment.

And Iran isn’t unique. I would wager you that this is the way that western
intelligence agencies operate too for the most part; the super top secret NSA
stuff you see when leaked is executed against targets that can’t be accessed
via other means.

Because even tho the NSA has much more money their resources aren’t unlimited
and their talent pool doesn’t consist of zero day rainmen that can cause a
core dump just by looking at a computer.

The only major difference would be that organizations like the NSA have
developed better tooling for these mechanical Turk style operations, but I
can guarantee you they aren’t going to be burning zero-days or running super
complex exploits and C&C infrastructure if they don’t need to; those are
reserved for high value targeted attacks.

On a national / strategic level it also makes a lot of sense.

Building offensive cyber capabilities that are extremely costly and require
exceptional talent is risky, especially for a country like Iran.

It doesn’t have as many resources, and more importantly maintaining talent is
hard, both for the reasons you mentioned but also because western counter
intelligence can much more easily take them off the board than the other way
around.

If Iran’s entire offensive cyber capability relied on a handful of
project-zero level talents then it could easily be wiped out by the US, UK,
Israel and other western powers, and not necessarily by brute force: bribing
people that are extremely hard and costly to replace is just as effective as a
magnetized bomb strapped to their Peugeot by a motorcyclist at a traffic
light.

And the more complex and advanced something is, the harder it is to rebuild
from scratch; on the other hand you can probably eliminate 80% of their
current operatives and they’ll rebuild their capabilities back to current
strength within a year.

This is the nature of and the leading principle behind asymmetric warfare.
Seal Team Six is nice, but it costs millions and takes the better part of a
decade to create a single operator, cocked up brainwashed suicide bombers
however can be just as effective as long as you can get one of them close
enough.

------
stunt
So assuming this was all on private space, it’s interesting that IBM has read
customers' data! Or maybe these particular servers were only monitored because
they are associated with hacking groups?

------
jessmay
Thoughts on what advantage you get from knowing which tools your adversaries are
using as good targets to inject with backdoors, assuming state actor resources?

