'Bone-Chilling' Research Suggests Iran Gearing Up To Avenge Stuxnet Hacks

This article is more than 9 years old.

A vast number of western organisations have been breached by hackers operating out of Iran, according to researchers at Cylance, a security startup. The victims include military, energy firms, airlines and airports, hospitals, governments and their contractors in the US, the UK and beyond, the Operation Cleaver report read. And the level of access at some of the compromised critical organisations was described as "bone-chilling".

It would appear Iran is growing its capability to the point where “the probability of an attack that could impact the physical world at a national or global level is rapidly increasing”, the report added. US researchers have repeatedly claimed the Middle Eastern nation has expanded its cyber divisions at a startling pace since the uncloaking of Stuxnet, malware thought to have been forged in US and Israeli computer labs and designed to disrupt Iranian nuclear development. Now, Iran’s hackers are seeking to establish a “beachhead for cyber sabotage” in response, the study suggested.

Some crucial details led Cylance to link the Cleaver attacks to Iran. Infrastructure used by the attackers was registered in Iran to a corporate entity called Tarh Andishan, which translates to ‘invention’ or ‘innovation’ in Farsi, the company said, and was hosted at Netafraz.com, an Iranian provider out of Isfahan.

Cleaver logo, Cylance

These details alone could not guarantee attribution, and Eric Cornelius, director of critical infrastructure and industrial control systems at Cylance, admitted the company could not say for sure these hackers were state-sponsored. He said it was “certainly possible” another nation state could set up a decoy operation.

But whilst hacker groups could try to host their operations in Iran in order to disguise their true origin and avoid detection, the list of targets would point to an Iranian actor. “This all seems to point in one direction,” Cornelius added.

The only named victim of the Cleaver team, believed to be at least 20 coders strong, was the US Navy, which saw its shore-based enterprise network attacked in 2012. Documents related to critical infrastructure were stolen by the Cleaver crew from various academic institutions, whilst logistics information was compromised at major airlines, airports and transportation companies.

Cylance warned the attacks could “affect airline passenger safety”. Its researchers found that the hackers had almost ubiquitous access to systems at the compromised airports in South Korea, Saudi Arabia and Pakistan. Meanwhile, the hackers appeared to be targeting power plants and other critical infrastructure, just as Stuxnet did. “Critical infrastructure is vulnerable and is an attractive target. We as a nation need to do something about,” Cornelius added.

Of the 50 or more victims ensnared by the Cleaver campaign, most were based in western countries, including the US, the UK, Canada and South Korea, though one aerospace firm in China was also targeted.

The techniques used by Cleaver were typical of a nation state sponsored actor: so-called watering hole attacks, in which websites were set up to serve malware to targets; SQL injection attacks that stole data from target websites; and social engineering that tried to trick employees out of their credentials or into clicking on malicious links that would lead to an infection on their network. In one case, they registered the domain EasyResumeCreatorPro.com - a direct copy of a legitimate website at winresume.com - and launched attacks from there. Many of the hacker tools were custom-made, showing some degree of invention, but no samples appeared special to Cornelius and his team.

There is some good news for Iran’s enemies here: Iran still has not been seen using zero-day vulnerabilities. The use of unpatched, previously undocumented software flaws would prove it had the will and power to threaten the West. But right now the traditional cyber powers, from the US and the UK to China and Russia, continue to have the most sophisticated malicious code and exploit techniques at their disposal.

But that could indicate it is saving its most punishing attacks for some devastating future hit. Given that Iran was linked to successful attacks on oil giant Saudi Aramco, where 30,000 PCs were knocked offline, and on major US banks in the Operation Ababil attacks of 2013 and 2014, and was recently named as the perpetrator in campaigns detailed by American security firms FireEye and Crowdstrike, it is apparent Iran is a major digital force.

“If you look at their increase in sophistication over the last several years, it stands to reason they will become a real player,” Cornelius added. “We’re maybe witnessing only 10 per cent of what this group [Cleaver] is doing.”