Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/3/2014
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

With Operation Cleaver, Iran Emerges As A Cyberthreat

A hacker group's actions suggest that it is laying the groundwork for a future attack on critical infrastructure targets.

Iran has never been considered quite as much of a cyberthreat to the US as China and Russia have been in recent years. That could be a mistake.

A report released this week by Cylance suggests that state sponsored cybergroups in Iran can be just as dangerous as some of their better-regarded counterparts in other countries.

Over the past two years, researchers at Cylance have been following a hacker group dubbed Operation Cleaver that they believe has quietly infiltrated about 50 companies in critical infrastructure industries in 16 countries. The group's victims have included companies in the oil and gas sector, the energy industry, airports and the transportation sector, government and defense, and the telecommunications and technology industries.

About 10 of the victims are based in the US and include a major airline, an energy company, a medical university, and an automobile manufacturer. Many of the other firms targeted by the group are based in Middle Eastern countries like Kuwait, the United Arab Emirates, Saudi Arabia, and Qatar. Cylance also found a significant number of victims in Canada, Germany, England, France, India, Israel, Pakistan, and Turkey.

Cylance believes there's a strong likelihood there are more victims out there that the company does not know about.

What makes Operation Cleaver noteworthy is not just what the group has done so far, but also what it hasn't done, said Jon Miller, vice president of strategy at Cylance.

Like many other criminal groups in recent years, Operation Cleaver -- a moniker Cylance chose because the term appears frequently in the group's code -- has broken into systems containing a lot of confidential data, trade secrets, and intellectual property at the companies it has infiltrated.

But unlike their Russian and Chinese counterparts, which tend to grab IP and financial data where they can, the Iranian group has mostly avoided stealing such data, Miller said. Instead it has focused on gathering as much information as it can about network topologies, sensitive employee information and schedule details, identification photos, and documents pertaining to housing, telecom, and electricity infrastructures.

The pattern of compromise and the nature of the data being exfiltrated suggest that the group is scoping networks and conducting reconnaissance on them as if in preparation for a major assault at some point in the future.

The group's compromise of networks and systems in airlines and airports in South Korea, Saudi Arabia, and Pakistan is particularly troubling, Cylance said in its report. "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure."

In some cases, the Iranian group gained complete control of the remote access infrastructures and supply chains at these organizations. In one airport, the group achieved complete access to airport gates and security control systems, potentially allowing members to spoof gate credentials.

"What they are doing right now is getting as much information as they can on as many critical infrastructure industries as they can," Miller said. "It gives them the capability to affect a very serious breach of cyber security."

For the most part, the tactics used by the group to infiltrate networks are similar to those employed by other groups. The tactics have included SQL injection attacks, spear phishing, and water holing attacks using a combination of custom-designed and publicly available malware tools.

The 20-person group, which masquerades as a construction engineering firm in Tehran, has grown considerably in sophistication over the time that Cylance has been tracking it, Miller said. The increasing sophistication of its malware code and its obfuscation techniques prompted Cylance to go public with its findings.

John Hultquist, cyber espionage practice lead at iSight Partners, which reported this year on another Iranian cyberthreat dubbed Newscaster, shared Cylance's assessment of Operation Cleaver's success at infiltrating critical infrastructure networks. But he differed somewhat in his assessment of the group's technical sophistication.

He said that iSight has been tracking Operation Cleaver for some time, as well, but under another name. From what iSight been observed so far, Cleaver appears to be a modestly funded, modestly resourced group with average skills that has nonetheless had a lot of success compromising critical systems. Many of the tools used by the group are openly available, and the attack methods themselves have been fairly common.

What it has been good at is in lying low and carrying out most of its operations clandestinely, Hultquist said. "They have made headway into very sensitive areas where they can do a lot of damage. We do have some concerns that they are carrying out reconnaissance for a major attack."

Find out how vulnerable ICS and SCADA systems are in Infographic: 70 Percent of World's Critical Utilities Breached.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13991
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
CVE-2020-15160
PUBLISHED: 2020-09-24
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in 1.7.6.8
CVE-2020-15162
PUBLISHED: 2020-09-24
In PrestaShop from version 1.5.0.0 and before version 1.7.6.8, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version 1.7.6.8.
CVE-2020-15843
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
CVE-2020-17365
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...