Iranian hackers compromised airlines, airports, critical infrastructure companies

An Iranian cyberattack campaign dubbed Operation Cleaver compromised over 50 organizations worldwide, researchers from Cylance said

For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

The attacks have collectively been dubbed Operation Cleaver after a string found in various malware tools used by the hacker group, which is believed to operate primarily out of Tehran.

"We discovered over 50 victims in our investigation, distributed around the globe," said researchers from IT security firm Cylance in an extensive report released Tuesday. "Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation."

Other victims were identified in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves. Cylance believes the team consists of at least 20 hackers and developers who support Iranian interests and were probably recruited from the country's universities.

"The infrastructure utilized in the campaign is too significant to be a lone individual or a small group," the Cylance researchers said. "We believe this work was sponsored by Iran."

The type of access the hackers obtained inside various organizations and the data they stole varied widely. In the case of universities, they targeted research data, student information, student housing, as well as identifying information, pictures and passports. In the case of critical infrastructure companies, they stole sensitive information that could allow them or affiliated organizations to sabotage industrial control systems and SCADA (supervisory control and data acquisition) environments, the Cylance researchers said.

No evidence of such sabotage by the group exists so far, but Cylance believes this could be the campaign's end goal, as retaliation by Iran for the Stuxnet, Duqu and Flame malware attacks. Stuxnet, which is viewed as the world's first cyberweapon, is believed to have been created by the U.S. and Israel to sabotage Iran's uranium enrichment efforts and set back its nuclear program.

"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan," the Cylance researchers said. "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure."

"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials," the researchers said. "They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim's domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate."

The Iranian hacker team has been dubbed Tarh Andishan -- translated into English as "thinkers" or "innovators" -- because some of its operations were traced back to blocks of IP (Internet Protocol) addresses registered to an entity called Tarh Andishan in Tehran.

"The net blocks above have strong associations with state-owned oil and gas companies," the Cylance researchers said. "These companies have current and former employees who are ICS [industrial control system] experts."

The Tarh Andishan hackers used common SQL injection, spear phishing or watering hole attacks to gain initial access to one or more computers of a targeted organization. They then used privilege escalation exploits and other tools to compromise additional systems and move deeper inside its network. However, no zero-day exploits, which are exploits for previously unknown vulnerabilities, were observed.

The group's primary tool is a custom Trojan program called TinyZBot that was created by its developers. However, Cylance has released more than 150 tools, malware samples and indicators of compromise associated with the group's activity in order to help the security industry detect existing and future Operation Cleaver compromises.

"The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries," said Stuart McClure, Cylance's CEO and President, in a blog post. "They aren't looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that if crippled would affect the lives of billions of people."

Join the CSO newsletter!

Error: Please check your email address.

Tags Cylanceintrusionsecurityphysical securityspywaremalware

More about PayPal

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts