A hacker group out of Iran has been steadily amassing information from infrastructure-related companies, likely in preparation for a massive attack, according to researchers at Cylance in the US, which has been tracking the group for more than two years.
To date the hackers, which consists of individual contractors and a team disguised as a Tehran-based construction engineering company, has infiltrated more than 50 organisations in 15 industries in 16 countries. Cylance noted that the hackers are still in the information-gathering phase.
“They're amassing more information in more companies,” Jon Miller, vice president of strategy at Cylance, told SCMagazine.com. “It looks like they're gearing up for a large-scale, international attack.”
The group, which Cylance calls Operation Cleaver because of the prevalence of the word in the group's custom software, uses rough custom and publicly available tools to glean highly sensitive and confidential information from victims and compromise their networks through SQL Injection, spear phishing, water hole attacks and other methods. All of the targets have been companies and facilities related to critical infrastructure.
For instance, among the targets is a company specialising in natural gas production, unclassified computers in the San Diego Navy Marine Corps Intranet and airlines and airports in Saudi Arabia, Pakistan and South Korea.
The group has also targeted entities in Canada, China, England, France, Germany, India, Israel, the US and other countries.
Cylance “came across the group,” after it was called in to do incident response for one of its customers. Once the security firm understood what Operation Cleaver was doing and got its tools, it was “able to take control” and examine the group's malware.
While Cylance researchers weren't surprised to discover Operation Cleaver's activities since “Iran has been hacking for quite some time,” they were taken aback by how advanced the group's methods were.
“What surprised us is how sophisticated their attacks are becoming,” Miller said. “Two years ago they were not a threat but given the actual companies they're attacking today, they're gearing up for a major attack.”
In "Operation Cleaver," a detailed report on its findings, Cylance also included indicators so that other organisations outside its purview can detect and ward off attacks.
“We disclosed the indicators,” said Miller, so companies now “have the hashes to find Iranian malware.”
Miller said that Cylance is “being a little light on details” of how it is monitoring Operation Cleaver so it can continue to do so undetected.
“They're still hacking today,” Miller said. “It's an ongoing campaign.”
To protect themselves, Miller suggested companies use the indicators that Cylance provided. Noting that the “adaptive nature of these attacks” make them hard to keep up with, he urged organisations to “get ahead of attacks” by keeping their security posture current.
The hack has echoes of the 'elaborate and nuanced three-year cyber espionage campaign carried out by Iranian hackers revealed by US security company, iSight ' earlier this year.
*First published in SC Magazine.com in the US.