A group of Iranian hackers has been caught red-handed demonstrating how to break into email accounts and steal data.
Researchers at IBM's X-Force security team have obtained roughly five hours of video footage that appears to have been recorded directly from the screens of hackers.
The hackers are working for a group IBM calls ITG18, and which other security firms refer to as APT35 or Charming Kitten.
The group is one of the most active state-sponsored espionage teams linked to the government of Iran.
'This kind of thing is a rare win for the defenders,' said Emily Crose, a former NSA employee now working as a security researcher for industrial control system security firm Dragos.
'It's like playing poker, and having your opponents lay their entire hand out flat on the table in the middle of the last flop.'
Researchers at IBM's X-Force security team uncovered the Iran-backed hack from May
The leaked videos, seen by Wired, were found among 40 gigabytes of data that the hackers had apparently stolen from victim accounts, including US and Greek military personnel.
The data also suggested that the hackers targeted US State Department staff and an unnamed Iranian-American philanthropist.
The files were all uploaded by accident in May to an exposed server, just as IBM was monitoring the machine.
The videos appear to be training demonstrations the Iran-backed hackers made to show junior team members how to handle hacked accounts.
They show the hackers accessing compromised Gmail and Yahoo Mail accounts to download their contents, and siphoning off other Google-hosted data from victims.
Cybersecurity experts said the unmasking of the Iranians at work was unprecedented.
'We don't get this kind of insight into how threat actors operate really ever,' says Allison Wikoff, a senior analyst at IBM X-Force whose team discovered the videos.
She told Wired: 'When we talk about observing hands-on activity, it's usually from incident response engagements or endpoint monitoring tools.
'Very rarely do we actually see the adversary on their own desktop. It's a whole other level of "hands-on-keyboard" observation.'
Emails were hacked into in Yahoo and Google accounts and the data siphoned off in minutes
ITG18, also known as APT35 or Charming Kitten, is one of the most active state-sponsored espionage teams linked to the government of Iran
The researchers say the APT35 hackers appear to have stolen photos, emails, tax records, and other personal information from both targeted individuals.
In some clips, the researchers say they observed the hackers working through a text document full of usernames and passwords for a long list of non-email accounts, from phone carrier to bank accounts.
Wikoff said they were astonished at how quickly the hackers worked.
The Google account's data was stolen in around four minutes, and a Yahoo account took less than three minutes.
'To see how adept they are at going in and out of all these different webmail accounts and setting them up to exfiltrate, it is just amazing,' she said.
'It’s a well-oiled machine.'
They did not, however, expect their findings to stop the group from hacking.