Cylance unveils details of Iran-based hacking in ‘Operation Cleaver’ report

The list of sophisticated cyber espionage attacks continues to grow. Cylance released a report about cyber espionage activity out of Iran, which it has dubbed “Operation Cleaver”, and from what Cylance has discovered it seems there is good reason to be concerned.

Cylance is a relatively new security vendor that relies on math-based algorithms for threat detection rather than the traditional model of creating signature files for known threats. Founder and CEO Stuart McClure has a long history in cyber security, and conceived Cylance because he witnessed firsthand what’s wrong with the existing security model, and decided there must be a better way than a reactionary stalemate.

Cylance has actually been observing the attackers—a primary team named “Tarh Andishan” that operates under the guise of a construction engineering firm based out of Tehran—for two years. Cylance dubbed it “Operation Cleaver” because the word “cleaver” is used repeatedly by the group in custom tools and cyber hacks.

“Iran’s skills are advancing beyond their past history of website defacement, distributed denial of service, and similar basic techniques. The attackers used a variety of approaches, both publicly available and proprietary to the group,” explained Cylance in a Q&A document it shared with me. “They primarily used SQL injection, spear phishing and water holing. They also used a proprietary botnet infrastructure called tiny Zbot.”

The reason Cylance is showing its hand now, and revealing what it knows about Operation Cleaver is that Cylance researchers are seeing a rapid evolution of skills, and escalation of tactics from the group. What began as simple intelligence gathering against targets has led to the complete compromise of systems and networks—including traffic control and other critical infrastructure systems that could put lives in danger.

“The most troubling was compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan,” stated Cylance. “We also uncovered swaths of sensitive and specific identifiable information: employee data such as schedule details, VPN credentials, identification photos, housing details, timecards, passports, and Social Security cards. We also found information related to facility security, including video network diagrams, blueprints, and security codes.”

Cylance says that the attacks were aimed at a variety of nations, including Pakistan, South Korea, the United Arab Emirates, Kuwait, Qatar, as well as the United States and various European countries. The targets include airlines, airports, oil & gas, manufacturing, technology, and government agencies and universities.

While Cylance is able to trace the attacks back to Tehran, it is cautious not to jump to the conclusion that the attacks are backed or sanctioned by the Iranian government, or are in any way related to any specific terrorist group, or terror threat. Essentially, the efforts of Cylance are focused on detecting and identifying the attacks, and determining the impact of those attacks.

Cylance does work hand-in-hand with national security and law enforcement agencies when the situation dictates, but it leaves the political and national defense implications to be determined by those entities tasked with that responsibility.

Operation Cleaver is a prime example of how the traditional reactionary model of security is inadequate. “We are facing an inflection point in technology, and for far too long the industry approach to cybersecurity has been to play detect and respond to hackers. We really need a paradigm shift in the industry, and that’s what we’re doing at Cylance, as evidenced by this discovery. Through math and machine learning our product was able to uncover the previously undiscovered malware that was being used in these attacks. We can never know exactly what the next attack will look like, or where it will come from, but we can build a smarter security product that intelligently analyzes potential threats and prevents them from ever executing.”

Stuart McClure stresses in a quote on the Cylance website, “Hopefully the Operation Cleaver report serves as a wakeup call for global critical infrastructure providers.”