Iranian hackers are targeting at least 50 companies and government organizations, including critical infrastructure operators, according to a new report.
The attackers had targets in many countries; in the U.S., computers belonging to chemical and energy companies, defense contractors, universities and transportation providers were hacked in what security firm Cylance called Operation Cleaver. The report said the Iranian group is the same one that breached the U.S. Navy’s unclassified computer network in September 2013.
Overall, the targets included military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments, the report said.
Iran, once the victim of the Stuxnet attack on its nuclear enrichment facility at Natanz in 2010, has increased its capabilities to the point where the country is now a top-tier cyber power, according to the report, which is the culmination of a two-year investigation. While the group Cylance followed remained focused on intelligence gathering, its choice of targets raises security fears, the report said. ISSSource reported the Stuxnet attack was a joint U.S.-Israel operation.
Cylance believes Operation Cleaver involves at least 20 hackers, and the report outlines specialized tools the attackers used, including a botnet the hackers controlled to process stolen information or mount further attacks.
“If the operation is left to continue unabated, it is only a matter of time before they impact the world’s physical safety,” the report said.
Cylance said it provided the information it collected to the U.S. Federal Bureau of Investigation. The FBI is already looking into Iranian hacking, including the Navy breach.
In one published report, Hamid Babaei, the spokesman for the Iranian mission to the United Nations in New York, denounced the report. “This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image particularly aimed at hampering current nuclear talks,” Babaei said.
Cylance’s 86-page report gives a detailed evaluation of Iran’s cyber-espionage capabilities. The company drew on more than 80,000 files of stolen data and hacking tools that Cylance said it obtained from computers the hackers had used since at least 2012.
From that trove, the company’s analysts peeled back what they said was a sweeping spying operation that focused on the U.S. and Iran’s Persian Gulf rivals, as well as on Germany, China, England and Israel.
“Compromised systems include Microsoft Windows web servers running IIS and ColdFusion, Apache with PHP, many variants of Microsoft Windows desktops and servers, and Linux servers. Compromised network infrastructure included Cisco VPNs as well as Cisco switches and routers,” the report said. “Unlike Stuxnet, no exotic exploitations (such as 0-days) were observed.”
“Within our investigation, we had no direct evidence of a successful compromise of specific Industrial Control Systems (ICS) or Supervisory Control and Data Acquisition (SCADA) networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run. This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease,” the report said.
Universities, along with their financial aid and housing offices, were also targeted, suggesting the spies were interested in students, perhaps as potential recruits, the report said.
The companies cited in the Cylance report provide a map of Iran’s intelligence priorities.
In addition, the report said the attackers stole passport photos, employee credentials and other data that could be used to impersonate workers and bypass airport security checkpoints.
Cylance said its researchers took advantage of the hackers’ mistakes to gain access to some of the computers the group used to organize its attacks, revealing dozens of targets and a large cache of stolen files. Cylance said the documents it obtained open only a modest window onto the group’s operations, and the total number of targets is likely larger.