
Thursday, December 04, 2014

Major Iranian cyberhacking initiative revealed - and they are very good (update)

Security company Cylance released a paper detailing "Operation Cleaver," a major, worldwide Iranian computer hacking operation. And although the scope of their discovery is massive, they believe that it is only the tip of the iceberg.
Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries:

Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.

Iran is the new China. [in cyber warfare - EoZ]

Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available, and customized tools to attack and compromise targets around the globe. The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.

During intense intelligence gathering over the last 24 months, we observed the technical capabilities of the Operation Cleaver team rapidly evolve faster than any previously observed Iranian effort. As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.

Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed style techniques.

With minimal separation between private companies and the Iranian government, their modus operandi seems clear: blur the line between legitimate engineering companies and state sponsored cyber hacking teams to establish a foothold in the world’s critical infrastructure.
The report summarizes the targets as follows: "Networks and systems targeted in critical industries like energy and utilities, oil and gas, and chemical companies; assets (both cyber and physical) and logistics information were compromised at major airline operators, airports, and transportation companies; various global telecommunications, technology, healthcare, aerospace, and defense companies; confidential critical infrastructure documents were harvested from major educational institutions around the world."

Here are the specific industry targets for each country. Not surprisingly, the US is the major target of Iran's cyber-war.


And here's the scariest part - of what we know:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous...Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim’s domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate.
Could the airport information be merely to enhance espionage - or is it meant to support terror attacks?

What is crystal clear is that Iran is already at war with much of the world. The question is whether the world is prepared to react appropriately.

UPDATE: Bloomberg News suggests that one airport terror attack may have already used this stolen data:
They also accessed details about computer systems at major Middle Eastern airports, including Pakistan’s Jinnah International Airport in Karachi, McClure said. Armed Taliban militants disguised as security staff workers stormed the airport in June, killing more than 30 people. The report doesn’t link that to the hack but McClure said some information stolen was related to a gate where the attack began.
Does anyone doubt that Iran would work together with major terror groups when it is convenient for them?

(h/t David G)