A hacker group out of Iran has been steadily amassing information from infrastructure-related companies, likely in preparation for a massive attack, according to researchers at Cylance, who have been tracking the group for more than two years.
To date the hackers, which consists of individual contractors and a team disguised as a Tehran-based construction engineering company, has infiltrated more than 50 organizations in 15 industries in 16 countries. Although Cylance noted that the hackers are still in the information-gathering phase.
“They're amassing more information in more companies,” Jon Miller, vice president of strategy at Cylance, told SCMagazine.com. “It looks like they're gearing up for a large-scale, international attack.”
The group, which Cylance calls Operation Cleaver because of the prevalence of the word in the group's custom software, uses rough custom and publicly available tools to glean highly sensitive and confidential information from victims and compromise their networks through SQL Injection, spear phishing, water holing attacks and other methods. All of the targets have been companies and facilities related to critical infrastructure.
For instance, among the targets is a company specializing in natural gas production, unclassified computers in the San Diego Navy Marine Corps Intranet and airlines and airports in Saudi Arabia, Pakistan and South Korea.
The group also took aim at entities in Canada, China, England, France, Germany, India, Israel, the U.S. and other countries.
Cylance “came across the group,” after it was called in to do incident response for one of its customers. Once the security firm understood what Operation Cleaver was doing and got their tools, it was “able to take control” and examine the group's malware.
While Cylance researchers weren't surprised to discover Operation Cleaver's activities since “Iran has been hacking for quite some time,” they were taken aback by how advanced the group's methods were.
“What surprised us is how sophisticated their attacks are becoming,” Miller said. “Two years ago they were not a threat but given the actual companies they're attacking today, they're gearing up for a major attack.”
In "Operation Cleaver," a detailed report on its findings, Cylance also included indicators so that other organizations outside its purview can detect and ward off attacks.
“We disclosed the indicators,” said Miller, so companies now “have the hashes to find Iranian malware.”
Miller said that Cylance is “being a little light on details” of how it's monitoring Operation Cleaver so can continue to do so undetected.
“They're still hacking today,” Miller said. “It's an ongoing campaign.”
To protect themselves, Miller suggested companies use the indicators that Cylance provided. Noting that the “adaptive nature of these attacks” make them hard to keep up with, he urged organizations to “get ahead of attacks” by keeping their security posture current.