An analysis by security firm Cylance concludes that a cyber-operation, apparently originating in Iran, infiltrated more than 50 corporate and government networks to prepare for attacks against critical infrastructure.
While many groups linked to nation states have conducted cyber-espionage operations against other countries and their industries, a study finding that Iranian hackers had allegedly infiltrated the networks of global critical infrastructure firms has caused concern among security experts.
Dubbed Operation Cleaver, the widespread attacks have affected educational institutions, airports and airlines, government agencies and a smattering of sensitive industries such as aerospace, computer technology and telecommunications, according to security firm Cylance, which published the report.
The collection of sensitive industries affected by the attacks—when viewed against the backdrop of the destructive 2012 Shamoon attack against Saudi Aramco, which was also thought to have been conducted by Iran—is worrisome, Jon Miller, vice president of strategy for Cylance, told eWEEK
The evidence suggests that Iran is a cyber-power and is willing to use its access to others networks and systems to cause significant damage, he said.
“They are gearing up for a major coordinated distributed attack,” Miller said. “If you take down one company, you are not doing something that will impact everyone, but if you are able to do the type of damage similar to Saudi Aramco across hundreds of critical infrastructure companies worldwide, that would create a life altering event.”
The company connected the attacks to Iran through an aggregation of circumstantial and technical evidence. The attackers used Persian names, many of the domains used by attackers were registered in Iran, and the infrastructure used an Iranian Internet provider. The group, which uses the name Zhoupin, also built their reconnaissance and attack tools to warn the hackers when they were using an address originating in Iran.
The evolution of the operation demonstrates that the group’s attacks techniques had become more sophisticated over time. Originally, the group used techniques similar to Russian and Chinese hackers, such as SQL injection and social-engineering attacks. Eventually, the group created custom private tools that performed numerous reconnaissance and attack functions.
Based on the evidence, Cylance speculated that Iran’s evolving capability is a direct response to other nations’ attacks on the country’s networks and nuclear-processing infrastructure. In 2009, the United States and Israel cooperated to create Stuxnet, an attack that crippled Iran’s uranium refining capability and likely delayed their nuclear ambitions by more than a year. In addition, espionage networks, such as Flame and Duqu, have targeted the communications and sensitive information of a number of nations, including Iran.
“The skills and behavior of the Operation Cleaver teams are consistent with, and in one case surpasses, Iran’s capabilities as we know them today,” the report stated.
The attackers compromised a variety of systems, from Microsoft Windows desktops to Linux Web servers, performed reconnaissance on the compromised networks and exfiltrated sensitive data. Fifty organizations were impacted by the attacks, including 13 airports and airlines, nine oil and gas companies and seven government agencies. The attackers were able to fully compromise at least 15 of the organizations. Cylance collected some 8GB of data and 80,000 files during its investigation.
The company hopes that critical-infrastructure companies will start to take the treat of cyber-attacks more seriously, Miller said.
“We are really hoping that this brings visibility and disturbs the current status quo,” he said. “This shows that there is a next generation of attacker that is appearing on the Internet.”
Cylance warned that its investigation had only revealed a part of the purported Iranian operations. The company did not actually know how extensive the infiltration of other countries’ networks was.