Report exposes Operation Cleaver Iran's global hacking campaign
Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.
Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group is believed to work from Tehran, Iran, although auxiliary team
members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available, and customized tools to attack and compromise targets around the globe. The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.
During intense intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Irans cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing. Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed style techniques.
With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state-sponsored cyber hacking teams to establish a foothold in the worlds critical infrastructure. Irans rising expertise, along with their choice of victims, has compelled us to release this report sooner than we would have liked in order to expose Operation Cleaver to the world. The evidence and indicators of compromise we provide in this report will allow potentially unaware victims to detect and eliminate Cleavers incursions into their networks.
http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf