The most telling element of the video, Wikoff says, is the speed the hacker demonstrates in exfiltrating the accounts’ information in real-time. The Google account’s data is stolen in around four minutes. The Yahoo account takes less than three minutes. In both cases, of course, a real account populated with tens or hundreds of gigabytes of data would take far longer to download. But the clips demonstrate how quickly that download process is set up, Wikoff says, and suggest that the hackers are likely carrying out this sort of personal data theft on a mass scale. “To see how adept they are at going in and out of all these different webmail accounts and setting them up to exfiltrate, it is just amazing,” says Wikoff. “It’s a well-oiled machine.”
In some cases, IBM’s researchers could see in the video that the same dummy accounts were also themselves being used to send phishing emails, with bounced emails to invalid addresses appearing in the accounts’ inboxes. The researchers say those bounced emails revealed some of the APT35 hackers’ targeting, including American State Department staff as well as an Iranian-American philanthropist. It’s not clear if either target was successfully phished. The dummy Yahoo account also briefly shows the phone number linked with it, which begins with Iran’s +98 country code.
In other videos the IBM researchers declined to show to WIRED, the researchers say the hackers appeared to be combing through and exfiltrating data from real victims’ accounts, rather than ones they created for training purposes. One victim was a member of the US Navy, and another was a two-decade veteran of the Greek Navy. The researchers say the APT35 hackers appear to have stolen photos, emails, tax records, and other personal information from both targeted individuals.
In some clips, the researchers say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carrier to bank accounts, as well as some as trivial as pizza delivery and music streaming services. “Nothing was off-limits,” Wikoff says. The researchers note that they didn’t see any evidence that the hackers were able to bypass two-factor authentication, however. When an account was secured with any second form of authentication, the hackers simply moved on to the next one on their list.
The sort of targeting that IBM’s findings reveal fits with previous known operations tied to APT35, which has carried out espionage on behalf of Iran for years, most often with phishing attacks as its first point of intrusion. The group has focused on government and military targets that represent a direct challenge to Iran, such as nuclear regulators and sanctions bodies. More recently it has aimed its phishing emails at pharmaceutical companies involved in Covid-19 research and President Donald Trump’s reelection campaign.