Operation Cleaver — Iranian Hackers Targeting Critical Infrastructure Worldwide; Could Be Laying The Groundwork For A Future High-Impact Cyber Attack
“For the past two years, Iranian hackers have infiltrated the computer networks of some of the world’s top organizations, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies,” according to a newly published report by the cyber security firm Cylance. The report claims that “Iranian state-sponsored hackers have hacked critical infrastructure of more than 50 companies, in 16 countries worldwide — in a cyber espionage campaign that could allow them to eventually cause physical damage.” Swati Khandelwal, writing on TheHackerNews.com on December 4, 2014, notes that “among the targeted organizations, ten are reportedly based in the United States.”
“The [cyber] threat detection firm dubbed the campaign Operation Cleaver, which is aimed at gathering data from various agencies,” Mr. Khandelwal wrote. “The group reportedly stole sensitive information and took control of networks in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, the UAE, and the United States.”
Cylance believes this ‘campaign’ is payback for the Stuxnet worm, as well as Flame and Duqu — reportedly developed jointly by the U.S. and Israel — which wreaked havoc on Iran’s nuclear centrifuges at Natanz in 2012. Mr. Khandelwal adds that “in Operation Cleaver, the group uses its own custom software to hack into critical infrastructure; and elicited highly sensitive, confidential information from some of its victims.” The hackers “used SQL Injection, spear phishing, water-holing attacks, and other methods — in order to compromise the networks.”
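SQL injection, the first of the intrusion methods listed above, succeeds only when an application splices untrusted input into the text of a query. The following Python block is an added illustration, not code from the page, from Cylance, or from TheHackerNews: it contrasts a concatenated login query with a parameterized one against a constructed in-memory SQLite table, and adds a coarse screen over constructed web access-log lines of the kind a defender might review after such a report. The table, credentials, log lines and regular expression are all assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample credential table; names and values are hypothetical.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password_hash):
    """Builds the statement by concatenation: caller-supplied text becomes SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password_hash):
    """Uses bound parameters: values are sent separately and cannot alter the statement."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0

def compare_logins():
    """Per variant: does a correct credential authenticate, and does a tautology string?"""
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook test string that makes the WHERE clause always true
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "legit_parameterized": login_parameterized(conn, "alice", "hash-of-alice-pw"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "tautology_parameterized": login_parameterized(conn, "nobody", tautology),
    }

# Constructed access-log lines in common log format (not taken from the report).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2014:10:00:00 +0000] "GET /login?user=alice&pw=s3cret HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Dec/2014:10:00:07 +0000] "GET /login?user=nobody&pw=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Dec/2014:10:01:30 +0000] "GET /search?q=cleaver HTTP/1.1" 200 2048',
    '203.0.113.9 - - [04/Dec/2014:10:02:11 +0000] "GET /search?q=x%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20users HTTP/1.1" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')
# Coarse screen for two common injection shapes: a quote followed by OR/AND, or UNION SELECT.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\b|union\s+select", re.IGNORECASE)

def flag_suspicious_requests(lines):
    """Returns 1-based indexes of lines whose URL-decoded query string matches SQLI_PATTERN."""
    hits = []
    for i, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        if SQLI_PATTERN.search(unquote(query)):
            hits.append(i)
    return hits

if __name__ == "__main__":
    print(compare_logins())
    print("suspicious log lines:", flag_suspicious_requests(SAMPLE_LOG))
```

The parameterized variant rejects the tautology because the driver treats the whole string as a value to compare, never as part of the statement. The log screen is deliberately simple: it is a triage aid for pulling candidate lines out of a large log, not a substitute for a web application firewall or for fixing the query construction itself.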
“We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted,” the report said. “While the disclosure of this information will be a detriment to our ability to track the activity of this group, it will allow the security industry as a whole — to defend against this threat.”
According to Cylance, the Iranian sponsored hacking group has so far focused only on gathering intelligence, but it has the capability to launch [offensive] cyber attacks as well. Mr. Khandelwal notes that although the company did not name the companies that had been breached, Reuters News Service reported that the California power company Calpine Corp., Saudi Arabia’s petroleum and gas company Aramco, the Mexican state-owned Petroleos Mexicanos (Pemex), Qatar Airlines, and Korean Air were among those whom Iranian hackers had successfully penetrated. The Iranians no doubt shared this purloined information with North Korea — at a minimum — and perhaps others as well.
“The group’s compromise of networks and systems in airlines and airports in South Korea, Saudi Arabia, and Pakistan is particularly troubling,” Cylance said. “The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire CISCO Edge switches, routers, and internal networking infrastructure.” More worrisome, “in some cases, the Iranian group gained complete control of the remote access infrastructure, and supply chains at these organizations. In one airport, the group achieved complete access to airport gates, and security control systems — potentially allowing members to spoof gate credentials.”
An Iranian spokesman, Hamid Babaei, denounced the Cylance report as a “baseless and unfounded allegation…fabricated to tarnish the Iranian government image,” and in particular, one that “was aimed at hampering the current P-5+1 nuclear talks over the future of Iran’s nuclear program.”
The Cylance report warns that “Iranian hackers have collected a lot of information so far,” after the company’s researchers gained access to ‘some of the hackers’ infrastructure — finding “massive databases of user credentials and passwords, as well as diagrams, and screenshots from organizations…including energy, transportation, aerospace companies, and universities.”
“During intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national, or global level is rapidly increasing,” the report concluded. The cyber security website DarkReading.com went a step further and warned that Iran could be laying the groundwork for a future high-impact cyber attack.
“What makes Operation Cleaver noteworthy is not just what the group has done so far, but also what it hasn’t done,” said John Miller, Vice President of Strategy at Cylance. “Unlike their Russian and Chinese counterparts, which tend to grab IP and financial data where they can,” Miller said, “instead, the Iranian group has focused on gathering as much information as it can about network topologies, sensitive employee information, schedule details, identification photos; and, documents pertaining to housing, telecom, and electricity infrastructures.” The sensitive employee information could be used by Iranian intelligence for potential blackmail purposes — if there is anything particularly derogatory in it.
“The pattern of the compromise, and the nature of the data being exfiltrated, suggest that the group is scoping networks and conducting reconnaissance on them — as if in preparation for a major [cyber attack] assault at some future point,” the Cylance report concluded. “The increasing sophistication of the malware and code used by the group, as well as its obfuscation techniques,” prompted Cylance to go public with its findings, Mr. Miller said.
And, now that these companies know about this breach — how do they know when/if their IT ecosystem is really “free” and rid of these malicious bugs? How many stay-behinds remain — and continue to be — “the gift that keeps on giving?” V/R, RCP