A hacker group out of Iran has been steadily amassing information from infrastructure-related companies, likely in preparation for a massive attack, according to researchers at Cylance, who have been tracking the group for more than two years.
To date the hackers, who consist of individual contractors and a team disguised as a Tehran-based construction engineering company, have infiltrated more than 50 organizations in 15 industries in 16 countries, although Cylance noted that the hackers are still in the information-gathering phase.
“They're amassing more information in more companies,” Jon Miller, vice president of strategy at Cylance, told SCMagazine.com. “It looks like they're gearing up for a large-scale, international attack.”
The group, which Cylance calls Operation Cleaver because of the prevalence of the word in the group's custom software, uses rough custom tools and publicly available tools to glean highly sensitive and confidential information from victims and to compromise their networks through SQL injection, spear phishing, watering hole attacks and other methods. All of the targets have been companies and facilities related to critical infrastructure.
For instance, among the targets are a company specializing in natural gas production, unclassified computers in the San Diego Navy Marine Corps Intranet, and airlines and airports in Saudi Arabia, Pakistan and South Korea.
The group also took aim at entities in Canada, China, England, France, Germany, India, Israel, the U.S. and other countries.
Cylance “came across the group” after it was called in to do incident response for one of its customers. Once the security firm understood what Operation Cleaver was doing and obtained the group's tools, it was “able to take control” and examine the group's malware.
While Cylance researchers weren't surprised to discover Operation Cleaver's activities since “Iran has been hacking for quite some time,” they were taken aback by how advanced the group's methods were.