- Wednesday, 03 December 2014 15:03
State-sponsored Iranian hackers have launched cyber attacks on major infrastructure including oil and gas companies in 16 countries, according to a new report.
The regime's campaign of computer warfare has been named Operation Cleaver after the name of some of its malicious software, according to an 87-page dossier by US group Cylance.
The report said: "As Iran's cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing.
"This team displays an evolved skillset and uses a complex infrastructure to perform attacks of espionage, theft and the potential destruction of control systems and networks."
Over a two-year period, researchers at Cylance claim to have documented at least 50 attacks by Operation Cleaver on energy infrastructure, airports and airlines, as well as governments across 16 countries.
Earlier attacks from Iran have focussed on American and Middle East targets, but now the geographical footprint is wide, the report said, ranging from Canada to South Korea, with a notably heavy concentration in the oil-rich Gulf.
Cylance CEO Stuart McClure added: "Such broad targeting demonstrates to the world that Iran is no longer content to retaliate against the US and Israel alone. They have bigger intentions: to position themselves to impact critical infrastructure globally."
The type of access the hackers obtained inside various organizations and the data they stole varied widely. In the case of universities, they targeted research data, student information, student housing, as well as identifying information, pictures and passports. In the case of critical infrastructure companies, they stole sensitive information that could allow them or affiliated organizations to sabotage industrial control systems and SCADA (supervisory control and data acquisition) environments, the Cylance researchers said.
The report continued: "Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan.
"The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure.
"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials.
"They gained access to PayPal and Go Daddy credentials, allowing them to make fraudulent purchases and giving them unfettered access to the victim's domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate."
The Iranian hacker team has been dubbed Tarh Andishan, translated into English as 'thinkers' or 'innovators', because some of its operations were traced back to blocks of IP addresses registered to an entity called Tarh Andishan in Tehran.
The report added: "The net blocks above have strong associations with state-owned oil and gas companies. These companies have current and former employees who are industrial control system experts."
The Tarh Andishan hackers used common SQL injection, spear phishing or watering hole attacks to gain initial access to one or more computers of a targeted organization. They then used privilege escalation exploits and other tools to compromise additional systems and move deeper inside its network. However, no zero-day exploits, which are exploits for previously unknown vulnerabilities, were observed, Cylance said.