Menu
Iranian hackers compromised airlines, airports, critical infrastructure companies

Iranian hackers compromised airlines, airports, critical infrastructure companies

An Iranian cyberattack campaign dubbed Operation Cleaver compromised over 50 organizations worldwide, researchers from Cylance said

For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

The attacks have collectively been dubbed Operation Cleaver after a string found in various malware tools used by the hacker group, which is believed to operate primarily out of Tehran.

"We discovered over 50 victims in our investigation, distributed around the globe," said researchers from IT security firm Cylance in an extensive report released Tuesday. "Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation."

Other victims were identified in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves. Cylance believes the team consists of at least 20 hackers and developers who support Iranian interests and were probably recruited from the country's universities.

"The infrastructure utilized in the campaign is too significant to be a lone individual or a small group," the Cylance researchers said. "We believe this work was sponsored by Iran."

The type of access the hackers obtained inside various organizations and the data they stole varied widely. In the case of universities, they targeted research data, student information, student housing, as well as identifying information, pictures and passports. In the case of critical infrastructure companies, they stole sensitive information that could allow them or affiliated organizations to sabotage industrial control systems and SCADA (supervisory control and data acquisition) environments, the Cylance researchers said.

No evidence of such sabotage by the group exists so far, but Cylance believes this could be the campaign's end goal, as retaliation by Iran for the Stuxnet, Duqu and Flame malware attacks. Stuxnet, which is viewed as the world's first cyberweapon, is believed to have been created by the U.S. and Israel to sabotage Iran's uranium enrichment efforts and set back its nuclear program.

"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan," the Cylance researchers said. "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure."

"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials," the researchers said. "They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim's domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate."

The Iranian hacker team has been dubbed Tarh Andishan -- translated into English as "thinkers" or "innovators" -- because some of its operations were traced back to blocks of IP (Internet Protocol) addresses registered to an entity called Tarh Andishan in Tehran.

"The net blocks above have strong associations with state-owned oil and gas companies," the Cylance researchers said. "These companies have current and former employees who are ICS [industrial control system] experts."

The Tarh Andishan hackers used common SQL injection, spear phishing or watering hole attacks to gain initial access to one or more computers of a targeted organization. They then used privilege escalation exploits and other tools to compromise additional systems and move deeper inside its network. However, no zero-day exploits, which are exploits for previously unknown vulnerabilities, were observed.

The group's primary tool is a custom Trojan program called TinyZBot that was created by its developers. However, Cylance has released more than 150 tools, malware samples and indicators of compromise associated with the group's activity in order to help the security industry detect existing and future Operation Cleaver compromises.

"The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries," said Stuart McClure, Cylance's CEO and President, in a blog post. "They aren't looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that if crippled would affect the lives of billions of people."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Cylanceintrusionsecurityphysical securityspywaremalware

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments