Iranian state-sponsored hackers have been singled out for attacks on critical infrastructure worldwide, including 10 targets in the United States.
Security firm Cylance today released an 86-page report on Operation Cleaver that lays out Iran’s hacking capabilities and its motivations to attack global interests beyond the U.S. and Israel, the two countries long thought to be behind Stuxnet and the espionage campaigns that used the Flame and Duqu malware.
“They have bigger intentions: to position themselves to impact critical infrastructure globally,” the report said. “We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted by it. While the disclosure of this information will be a detriment to our ability to track the activity of this group, it will allow the security industry as a whole to defend against this threat.”
A Reuters article quoted a senior Iranian official who dismissed the report.
“This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks,” said Hamid Babaei, spokesman for Iran’s mission to the United Nations.
Attribution is always a challenge, in particular with these APT-style attacks, where persistence and the ability to elude detection go hand in hand. Cylance, however, was able to trace a number of domains used in the various attacks that were registered to an Iranian corporation, Tarh Andishan. Also, the source netblocks and ASNs are registered in Iran, and the infrastructure supporting the attacks is hosted by Netafraz, an Iranian hosting provider, among other bits of evidence laid out in the report.
Cylance also identified one military target in the U.S. by name, the Navy Marine Corps Intranet (NMCI), in addition to networks in industries such as energy, utilities, oil, gas, and chemical. Major airlines, airports and other transportation companies were also targeted, as were telecommunications operators, defense companies, technology providers, government agencies and educational institutions storing vital research.
“During intense intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing,” the Cylance report said.
Cylance said that it has observed many of the same hacking techniques and exploits used by other APT outfits traced to China and Russia, as well as some Eastern European cybercrime organizations. Operation Cleaver uses a mix of off-the-shelf SQL injection attacks and exploits for long-standing Microsoft vulnerabilities such as MS08-067 that allow the attackers to gain a foothold inside a corporate network and move about at will.
Customized tools have also been discovered that facilitate credential theft, the use of shell command lines, backdoors, system and process enumeration, network sniffing, keylogging and more. Cylance says it has 8 gigabytes of data and more than 80,000 files exfiltrated from victims, as well as hacker tools, victim logs and reconnaissance data. It has also been able to sinkhole command-and-control servers to watch attacks in progress.
The report also contains more than 150 indicators of compromise. In most cases, once Operation Cleaver has infiltrated an organization, it gains deep access via Active Directory domain controllers and credentials, as well as compromised VPN credentials. The attackers typically exploit vulnerabilities in Windows, Adobe products, Apache, and Cisco VPNs, switches and routers. Its most successful campaigns via these avenues, Cylance said, have been against South Korean transportation networks, including airports and airlines. To date, no zero-day exploits have been found, Cylance said.
Cylance’s report also cautions that Operation Cleaver could have a special interest in airline and SCADA networks present in most critical industries. Overall, the campaign could be retaliation for Stuxnet, Duqu and Flame, Cylance said.
“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run,” Cylance said in its report. “This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.”