Iranian hackers expose worldwide networks

An Iranian hacking group has compromised critical infrastructure in over a dozen countries, including the United States, according to a new report.

The scale, breadth and duration of the campaign reveal an Iranian cyber sophistication long suspected and occasionally seen, but rarely confirmed.

“A new global cyber power has emerged,” according to findings released Tuesday by cybersecurity firm Cylance. “Iran is the new China.”

The hacking group, dubbed Operation Cleaver, has hit at least 50 companies in 15 critical industries spanning 16 countries, Cylance said.

Cylance called it a “significant global surveillance and infiltration campaign,” adding the hackers had not previously been detected and are still working.

In the U.S., Cleaver victimized at least 10 targets, including a large airline, a medical university, a natural gas energy company, an automaker, a big defense contractor and a major military installation.

“We observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort,” the report said. “As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.”

The U.S. has seen a reduction in cyberattacks from Tehran following an interim nuclear deal in 2013 between Iran and several countries. But at home, Iran has been focusing on cyber at an unprecedented level, causing lawmakers and experts to increasingly fear a destructive Iranian attack on U.S. networks.

That’s exactly what Operation Cleaver is setting the table to do, Cylance said.

“Their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure.”

Other reports and attacks in recent years have given hints about Tehran’s growing capabilities.

A massive attack in 2012 that wiped out 30,000 computers at oil producer Saudi Aramco had Iranian fingerprints on it. Two reports this year also showed the rapid rise of other Iranian hacking groups, one of which was targeting U.S. officials.

“Iran’s rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world,” Cylance said.

Operation Cleaver employs a combination of techniques and customization normally used by Chinese and Russian hackers, considered top-tier cyber talents.

Cylance thinks the campaign’s global footprint is meant as a state-sponsored display of force.

Its markings have been found in Europe (England, France, Germany), the Middle East (Israel, Kuwait, Qatar, Pakistan) and Asia (China, South Korea). In addition, Canada and the United States are by far the most heavily targeted countries.

The “most bone-chilling evidence” was Operation Cleaver’s focus on airports and airlines, particularly in Pakistan, Saudi Arabia and South Korea.

“The level of access seemed ubiquitous,” the report said. “They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials.”

The South Korea emphasis is also critical, Cylance believes. It could indicate Tehran’s growing cyber partnership with North Korea. Pyongyang was also suspected in the Saudi Aramco attack.

The secretive country made headlines Monday night when the FBI released a confidential warning to businesses about a coordinated, ongoing destructive cyberattack. Cyber experts who reviewed the FBI bulletin told The Hill it seemed like the attack originated in North Korea.

In 2012, Tehran and Pyongyang signed a technology cooperation agreement to work jointly on information technology.

The efforts of Operation Cleaver “could give Iran additional clout in their burgeoning partnership with North Korea.”