The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker

Presented at Black Hat USA 2021, Aug. 4, 2021, 1:30 p.m. (40 minutes)

When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation.

Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as "Charming Kitten". This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims' most private chats, emails, and even photos.

In our talk, we will reveal how an ITG18 operator set up their machine and various personas (hence the "9 lives" of the title) to run adversarial operations and manage stolen data. We will go over the TTPs of an ITG18 campaign and expose suspected initial access vectors so that the audience can better understand how ITG18 compromises targets. Additionally, we will highlight ITG18's new Android malware, which they use to infect victims they follow on a daily basis. We named this code "LittleLooter" and will discuss it at the conference for the first time.

To get a better sense of ITG18's operational cadence, we will show two of the ITG18 training videos discovered during our research. These specifically cover how ITG18 configures the compromised personal email accounts of their victims to maintain access to those accounts without being detected, how ITG18 exfiltrates information from their victims, and how they expand on the compromises with the stolen data.

We will close this talk with some thoughts about ITG18's future operations, including how they respond to public disclosure and how organizations and individuals can better defend themselves against this group.


Presenters:

  • Richard Emerson - Senior Threat Hunt Analyst, IBM X-Force
    Richard Emerson is a senior threat hunt analyst with IBM Security X-Force Threat Intelligence. He has 8 years of experience in the public and private sector tracking a variety of threat actors operating in the cyber domain. Since joining IBM X-Force, Richard has increasingly focused his research on cyber actors operating on behalf of the Iranian government, including helping investigate the Shamoon3 and ZeroCleare attacks. Richard holds a dual degree from American University and maintains industry certifications.
  • Allison Wikoff - Senior Strategic Cyber Threat Analyst, IBM X-Force
    Allison Wikoff is a senior strategic cyber threat analyst with IBM X-Force Threat Intelligence Services. She has nearly 20 years of experience working as a network defender, incident responder, intelligence analyst and threat researcher. The focus of the latter half of Allison's career has been hunting and researching nation-state cyber activity, with a focus on Iran. Her other research interests include emerging threats and threat actor mistakes. She holds numerous industry certifications and an advanced degree from Columbia University, where she frequently guest lectures for several information security-focused graduate courses.