Iran Pegged as the ‘New China’ After Operation Cleaver

Security researchers have uncovered a major new information-stealing Iranian APT campaign targeting 16 countries and multiple industries including military, aerospace, telecoms and defense.

Threat intelligence firm Cylance announced Operation Cleaver this week with the bold tagline: “Iran is the new China.”

The Tehran-based group – with “auxiliary members” in the Netherlands, Canada, the UK and elsewhere – rapidly evolved its capabilities and “successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe.”

The report continued:

“With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure.”

The cyber-criminals behind Operation Cleaver were responsible for the hack into classified US Navy computers in 2013 and Cylance argued that if it did not release information on the group now, “it is only a matter of time before the world’s physical safety is impacted by it.”

The vendor has pegged Tehran for the attack for several reasons including the use of Persian hacker names, numerous Iran-registered source netblocks, ASNs and domains, and an attack infrastructure “too significant to be a lone individual or a small group.”

It’s not yet clear what the state-sponsored group’s motives are, but Cylance speculated that it could be an attempt to impact critical infrastructure, to gain “geopolitical leverage”, or even part of a new hacking partnership with North Korea.

Although the group apparently didn’t compromise any targeted SCADA systems, it made off with data which could enable successful attacks in the future, the report said.

Cylance described the level of access and persistence the group achieved at airports in South Korea, Saudi Arabia and Pakistan as “bone-chilling” and “shocking”.

It explained:

“The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials.”

The group’s modus operandi appears fairly straightforward in APT terms: a spear-phishing attack, followed by privilege escalation and pivoting through the network, and then covert data exfiltration, all enabled by exploiting known vulnerabilities and using publicly available toolkits.
