Crossroads Blog | Institute National Security and Counterterrorism

critical infrastructure, cyber attack, Cylance, hacking, Iran, Operation Cleaver

Operation Cleaver Cyber Attacks: Is Iran the New China?

“If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of cyber, then perhaps nothing will.” – Cylance Report on Operation Cleaver.

According to researchers at Cylance, a security startup, a vast number of western organizations have been breached by hackers operating out of Iran.  Cylance has named this group of hackers Operation Cleaver and has been tracking it for over two years.  Cylance recently released a report on the group earlier than it had intended.  As for the rationale behind the early release, the company stated:

Iran’s rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world.

Airports and airlines are amongst the list of targets and victims of Operation Cleaver, which according to the report is “[p]erhaps the most bone-chilling evidence we collected in this campaign.”  According to the report, both physical and cyber assets, as well as logistics information, were compromised at major airline operators, airports, and transportation companies.

[T]heir entire remote access infrastructure and supply chain was under the control of the Cleaver team. . . . They achieved complete access to airport gates and their security control systems. . . . There is a possibility that this campaign could affect airline passenger safety.

Airports and/or airlines were targeted and/or victimized in the following countries: United States, Saudi Arabia, South Korea, United Arab Emirates, Qatar, and Pakistan.  In addition, their targets amongst 16 countries include military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.

Who is to blame? The Cylance report points the finger at Iran.

“Iran is the New China”

According to the report, Iran is extremely active in the world of hacking.  While Cylance admits in the report that attribution is difficult, it states that the infrastructure utilized in the Operation Cleaver campaign is too significant to be the work of a lone individual or a small group.  Additionally, some crucial details led Cylance to link the Cleaver attacks specifically to Iran.  Infrastructure used by the attackers was registered in Iran to a corporate entity called Tarh Andishan and was hosted by Netafraz.com, an Iranian provider out of Isfahan.  While another nation could set up a decoy operation that points to Iran, the list of targets supports the theory of Iranian backing.  The report also warns of Iran’s unique advantage in backing this kind of attack:

With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure.

The End Goal

While the Cylance report admits that the end goal of Operation Cleaver is not known at this time, it goes on to state that, judging by the choice of targets, Operation Cleaver appears to be positioning itself to impact critical infrastructure globally.  The report also points to the upcoming 2015 Iranian nuclear discussions as a potential motivating factor, suggesting that the attacks may be tied to negotiating power when discussing a pact with the nuclear superpowers of the United States, Britain, France, Germany, Russia and China.

Vulnerabilities in Critical Infrastructure Organizations

According to the researchers at Cylance, many critical infrastructure organizations are unable to secure their complex environments from modern attacks because they are relying on “status quo” security measures, for fear that if they implement changes they will find problems they have no idea how to prevent.  In the report’s conclusion, Cylance laid out its mission in releasing this report:

We hope that by exposing the Operation Cleaver team to the world, current global critical infrastructure victims can be notified, and prevent future victimization from suffering the consequences of “status quo” security. . . . If Operation Cleaver doesn’t get the world to wake up to what is happening in the silent world of cyber, then perhaps nothing will.

More on Cylance:

The founder of Cylance, Stuart McClure, is the former Global CTO of McAfee and the lead author of the international best-selling book Hacking Exposed.  The Cylance research team lives by the mantra “Think Evil, Do Good,” a mantra displayed as a hex string on the Operation Cleaver logo.  Cylance states that what separates it from other security companies is its ability to “think like an attacker” and utilize innovative detection methods that move beyond the “status quo” of current security models, particularly through its unique algorithmic approach. (However, other companies have turned to similar algorithmic approaches, such as the Israeli start-up ThetaRay mentioned in this earlier Crossroads RoundUp.)  Cylance’s algorithmic approach to threat detection is based on mathematics, machine learning, and data science.

Click Here for the full Cylance Report on Operation Cleaver.

For other coverage on the report: Reuters, New York Times, SC Magazine, Forbes.