Date: 2020-07-16

Three of the video files discovered reveal that ITG18 had successfully compromised several accounts associated with an enlisted member of the United States Navy as well as an officer in the Hellenic Navy. Specifically, ITG18 had credentials for a number of what appear to be their personal email and social media accounts – a common characteristic of ITG18, as observed in previous operations.

The videos show the operator following a similar playbook to the training videos involving the persona accounts. Once access to the victims’ accounts was gained, the ITG18 operator actively deleted notifications of suspicious logins sent to the compromised accounts, presumably so as not to alert the victims.

The operator exported all account contacts, photos and documents from associated cloud storage sites, such as Google Drive, before adding the webmail account credentials to Zimbra, presumably for monitoring. The operator was also able to sign into victims’ Google Takeout (takeout.google.com), which allows a user to export content from their Google Account, including location history, information from Chrome, and associated Android devices.

This included gaining access to other associated accounts owned by the victims, illustrating the breadth of information that ITG18 was able to collect on the two military members. Among the personal files exfiltrated on the U.S. Navy enlisted member were details on the military unit they were associated with, including the naval base they were affiliated with. The operator collected a significant amount of personal information about this victim, including presumed residence, personal photos including numerous selfies and a video of a home being staged, tax records and the contents of a personal cloud storage site (see Figure 4). Similar information was exfiltrated for the Hellenic Navy officer, including information from a Gmail account, an account associated with a Greek university and a Hellenic Navy payroll site.
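
A defender-side sketch of how the sequence described above (a new sign-in, deletion of the suspicious-login notification, then bulk export of contacts, cloud storage or Takeout data) could be correlated per account. This is an added example, not part of the original report; the event schema, field names, keyword list and sample records are constructed for illustration and do not correspond to any provider's real audit log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (assumption, not a real log format).
SAMPLE_EVENTS = [
    {"ts": "2020-05-01T10:00:00", "account": "victim@example.com", "event": "login", "new_device": True},
    {"ts": "2020-05-01T10:02:10", "account": "victim@example.com", "event": "message_deleted",
     "subject": "Security alert: new sign-in"},
    {"ts": "2020-05-01T10:05:30", "account": "victim@example.com", "event": "contacts_export"},
    {"ts": "2020-05-01T10:09:00", "account": "victim@example.com", "event": "takeout_export"},
    {"ts": "2020-05-01T11:00:00", "account": "other@example.com", "event": "login", "new_device": True},
    {"ts": "2020-05-01T11:30:00", "account": "other@example.com", "event": "message_deleted",
     "subject": "Lunch on Friday?"},
    {"ts": "2020-05-03T09:00:00", "account": "other@example.com", "event": "takeout_export"},
]

# Hypothetical keywords for provider security notifications; tune to the mail actually received.
ALERT_WORDS = ("security alert", "suspicious", "new sign-in", "new login")
# Hypothetical event names for the bulk exports described in the report.
EXPORT_EVENTS = {"contacts_export", "drive_bulk_download", "takeout_export"}


def find_takeover_sequences(events, window=timedelta(hours=1)):
    """Flag accounts where a new-device login is followed, within `window`,
    by deletion of a security notification AND at least one bulk export."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        by_account.setdefault(e["account"], []).append(e)

    findings = []
    for account, evs in by_account.items():
        for i, login in enumerate(evs):
            if login["event"] != "login" or not login.get("new_device"):
                continue
            start = datetime.fromisoformat(login["ts"])
            later = [e for e in evs[i + 1:]
                     if datetime.fromisoformat(e["ts"]) - start <= window]
            deleted = [e for e in later if e["event"] == "message_deleted"
                       and any(w in e.get("subject", "").lower() for w in ALERT_WORDS)]
            exports = [e["event"] for e in later if e["event"] in EXPORT_EVENTS]
            if deleted and exports:  # either signal alone is common and benign
                findings.append({"account": account, "login_ts": login["ts"],
                                 "deleted_alerts": len(deleted), "exports": exports})
    return findings


if __name__ == "__main__":
    for finding in find_takeover_sequences(SAMPLE_EVENTS):
        print(finding)
```

Requiring both the deleted notification and an export keeps ordinary mailbox clean-up or a user's own Takeout request from firing the rule on its own.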