Iranian hackers compromised airlines, airports, critical infrastructure companies

An Iranian cyberattack campaign dubbed Operation Cleaver compromised over 50 organizations worldwide, researchers from Cylance said

For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

The attacks have collectively been dubbed Operation Cleaver after a string found in various malware tools used by the hacker group, which is believed to operate primarily out of Tehran.

"We discovered over 50 victims in our investigation, distributed around the globe," said researchers from IT security firm Cylance in an extensive report released Tuesday. "Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation."

Other victims were identified in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves. Cylance believes the team consists of at least 20 hackers and developers who support Iranian interests and were probably recruited from the country's universities.

"The infrastructure utilized in the campaign is too significant to be a lone individual or a small group," the Cylance researchers said. "We believe this work was sponsored by Iran."

The type of access the hackers obtained inside various organizations and the data they stole varied widely. In the case of universities, they targeted research data, student information, student housing, as well as identifying information, pictures and passports. In the case of critical infrastructure companies, they stole sensitive information that could allow them or affiliated organizations to sabotage industrial control systems and SCADA (supervisory control and data acquisition) environments, the Cylance researchers said.

No evidence of such sabotage by the group exists so far, but Cylance believes this could be the campaign's end goal, as retaliation by Iran for the Stuxnet, Duqu and Flame malware attacks. Stuxnet, which is viewed as the world's first cyberweapon, is believed to have been created by the U.S. and Israel to sabotage Iran's uranium enrichment efforts and set back its nuclear program.

"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan," the Cylance researchers said. "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure."

"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials," the researchers said. "They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim's domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate."

The Iranian hacker team has been dubbed Tarh Andishan -- translated into English as "thinkers" or "innovators" -- because some of its operations were traced back to blocks of IP (Internet Protocol) addresses registered to an entity called Tarh Andishan in Tehran.

"The net blocks above have strong associations with state-owned oil and gas companies," the Cylance researchers said. "These companies have current and former employees who are ICS [industrial control system] experts."

The Tarh Andishan hackers used common SQL injection, spear phishing or watering hole attacks to gain initial access to one or more computers of a targeted organization. They then used privilege escalation exploits and other tools to compromise additional systems and move deeper inside its network. However, no zero-day exploits, which are exploits for previously unknown vulnerabilities, were observed.

The group's primary tool is a custom Trojan program called TinyZBot that was created by its developers. To help the security industry detect existing and future Operation Cleaver compromises, Cylance has released more than 150 tools, malware samples and indicators of compromise associated with the group's activity.

"The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries," said Stuart McClure, Cylance's CEO and President, in a blog post. "They aren't looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that if crippled would affect the lives of billions of people."

