Operation Cleaver – Iranian hackers target industries worldwide

Security firm Cylance revealed that Iranian hackers target airlines, energy, defense companies worldwide as part of the Operation Cleaver campaign.

Security firm Cylance released a detailed report on the hacking campaign Operation Cleaver, which it attributes to state-sponsored hackers linked to Iran. The Iranian hackers targeted critical infrastructure organizations worldwide, ten of which are located in the United States.

Experts at Cylance are cautious about the motivation behind the attacks on SCADA networks, but they lean toward retaliation for Stuxnet and other campaigns that hit the country. The exfiltrated data could be used by the attackers to run further attacks aimed at sabotage.

“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”

The list of targets identified by the researchers at Cylance is very long and names at least one U.S. military entity, the Navy Marine Corps Intranet (NMCI), as well as organizations in several industries such as energy and utilities.

“We discovered over 50 victims in our investigation, distributed around the globe.”

Although attribution is hard in these cases, the experts at Cylance found a number of domains used in the various attacks that were registered to an Iranian corporation, Tarh Andishan. The researchers also found that the ASNs and netblocks involved are directly linked to the Iranian authorities, while the infrastructure used for the attacks is hosted by the Iranian hosting provider Netafraz.

“They have bigger intentions: to position themselves to impact critical infrastructure globally,” states the report. “We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted by it. While the disclosure of this information will be a detriment to our ability to track the activity of this group, it will allow the security industry as a whole to defend against this threat.”

An article published by the Daily Mail quotes a senior Iranian official who dismissed the report.

“This is a baseless and unfounded allegation fabricated to tarnish the Iranian government’s image, particularly aimed at hampering current nuclear talks,” commented Hamid Babaei, spokesman for Iran’s mission to the United Nations.

The report also reveals that airports, major airlines, government agencies, transportation companies, telecommunications operators, defense contractors and educational institutions are among the targeted organizations.

The experts also noted that, during the period of observation, the threat actors rapidly improved their cyber capabilities.

“During intense intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing,” states the Cylance report.

The threat actors behind Operation Cleaver use a mix of off-the-shelf SQL injection attacks and exploits for several Microsoft vulnerabilities, including MS08-067, which was also used by the attackers behind the well-known Red October campaign.

The attackers adopted TTPs similar to those used by other APT groups operating on behalf of foreign governments, including China and Russia. The Operation Cleaver crew also has customized tools in its arsenal, which were discovered by the investigators. These custom tools allow data exfiltration, harvesting of victims’ credentials, network sniffing, keylogging and backdooring of targets.

Experts at Cylance analyzed nearly 8 gigabytes of data, comprising more than 80,000 files exfiltrated from victims, and also recovered the bad actors’ tools. The experts were able to trace the malware used by the attackers by sinkholing the command and control servers used in the Operation Cleaver campaign. It is interesting to note that, as stated in the report, no zero-day exploits were discovered in the attackers’ arsenal.

Cylance is releasing more than 150 IOCs and samples associated with Operation Cleaver to allow rapid detection of the group’s activities.
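Releasing IOCs only helps if defenders actually run them against their telemetry. The following is an added example, not code from the Cylance report or from this article, of the minimal triage a SOC would do with a vendor indicator list: match domain and IP indicators against proxy log lines and file hashes against a suspicious binary. The indicators, the log format and the log lines below are all constructed placeholders, not the real Operation Cleaver IOCs; a practitioner would load the published list in their place.

```python
"""Match an indicator list against proxy log lines and a file sample.

Added example, not from the Cylance report. Every indicator and log line here is
a constructed placeholder (RFC 5737 documentation addresses, example.* domains).
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for a dropped binary; its hash doubles as the "known bad" hash.
SAMPLE_FILE = b"constructed sample bytes standing in for a dropped binary"

# Constructed indicator set (in practice: the domains/IPs/hashes the vendor published).
IOC_DOMAINS = {"update-check.example.net", "cdn-static.example.org"}
IOC_IPS = {ipaddress.ip_address("203.0.113.45")}
IOC_SHA256 = {hashlib.sha256(SAMPLE_FILE).hexdigest()}

# Constructed proxy log format: "<ts> <client> <method> <host> <dst_ip> <status>"
SAMPLE_LOGS = [
    "2014-12-02T10:01:07Z 10.0.0.12 GET www.update-check.example.net 203.0.113.45 200",
    "2014-12-02T10:01:09Z 10.0.0.12 GET intranet.corp.local 10.0.0.5 200",
    "2014-12-02T10:02:31Z 10.0.0.31 POST cdn-static.example.org 198.51.100.7 200",
    "2014-12-02T10:03:00Z 10.0.0.44 GET example.net 93.184.216.34 200",
    "malformed line that should be skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<status>\d+)$"
)


@dataclass(frozen=True)
class Match:
    line_no: int
    client: str
    indicator: str
    kind: str  # "domain" or "ip"


def domain_matches(host, ioc_domains):
    """Return the matching indicator if host equals an IOC domain or is a subdomain of one.

    Matching on the label boundary ("." + ioc) avoids false positives such as
    'notupdate-check.example.net' and also does not match 'example.net' itself.
    """
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Scan log lines; unparsable lines are skipped rather than aborting the run."""
    matches = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = domain_matches(m["host"], ioc_domains)
        if hit:
            matches.append(Match(line_no, m["client"], hit, "domain"))
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst in ioc_ips:
            matches.append(Match(line_no, m["client"], str(dst), "ip"))
    return matches


def file_matches(data, ioc_hashes=IOC_SHA256):
    """True if the SHA-256 of the given bytes is in the indicator set."""
    return hashlib.sha256(data).hexdigest() in ioc_hashes


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: client {hit.client} -> {hit.kind} IOC {hit.indicator}")
    print("sample file is a known IOC:", file_matches(SAMPLE_FILE))
```

Note that the first constructed line produces two separate hits (domain and destination IP), which is the behaviour you want when an indicator list is applied to traffic that resolves an IOC domain to an IOC address: each indicator type is reported on its own so that sinkholed or re-pointed infrastructure still surfaces through the other one.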

I want to close the post by reporting a couple of fascinating speculations in the document that highlight how Iran is trying to improve its cyber capabilities.

  • There is an intense focus on CIKR companies in South Korea, which could give Iran additional clout in its burgeoning partnership with North Korea. In September 2012, Iran signed an extensive technology cooperation agreement with North Korea, which would allow for collaboration on various efforts including IT and security.
  • Iran is recruiting from within the universities and potentially using ‘hackers for hire’.

Pierluigi Paganini

(Security Affairs –  Operation Cleaver, Iran)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".