The firm says these attacks — dubbed Operation Cleaver — showcase a dangerous leap forward in Tehran's cyber skills as it seeks to retaliate against Western cyber attacks on its nuclear program. The goal of these attacks was apparently infiltration and information gathering, with motives beyond intellectual property theft.
"After tracking the Operation Cleaver team for over two years, we're led to the inexorable conclusion: The government of Iran, and particularly the Islamic Revolutionary Guard Corps (IRGC), is backing numerous groups and front entities to attack the world's critical infrastructure," Cylance said in its 86-page report, released Tuesday.
"As Iran's cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing," the report says. "Their capabilities have advanced beyond simple website defacements, Distributed Denial of Service (DDoS) attacks, and Hacking Exposed style techniques."
A Tehran-based group targeted more than 50 victims across 16 countries, over two years, according to the report. The group is the same one responsible for breaching the unclassified Navy-Marine Corps Intranet, an attack uncovered in 2013, Cylance says.
At the time, the Wall Street Journal reported that US defense officials were surprised at the skills of the Iranian hackers, particularly their ability to penetrate the network and set up remote surveillance from within it. The Navy underwent a weekslong effort to rid the system of invasive, hidden spyware.
Among the companies targeted in Operation Cleaver, 10 were US-based. They included a major airline, a natural gas production firm, an automaker and a large defense contractor, according to Cylance.
Chillingly, the remote access infrastructure for airlines and airports in South Korea, Saudi Arabia and Pakistan was among the transportation targets. The group accessed airport gate and security control systems, a "shocking amount of access into the deepest parts of these companies and the airports in which they operate," the report says.
Oil and gas was a particular focal point for the hackers, who went after nine such companies around the world. In the Middle East, the hacking group targeted oil and gas companies in Kuwait, Qatar and Saudi Arabia, according to the report. Following the Shamoon attacks in 2012, which temporarily crippled RasGas and Saudi Aramco, and other such attacks, industry in the region is investing more in cyber security.
"These are strategically vital industries for the region and the world," said Adam Ereli, a board member of the Bilateral US Arab Chamber of Commerce and former US ambassador to Bahrain. "It's time to take action, and there are a lot more activities there."
At universities in the US, India, Israel and South Korea, the hackers sought research efforts, student information, student housing and financial aid data. They sought pictures, passports and specific identifying information.
"Such broad targeting demonstrates to the world that Iran is no longer content to retaliate against the US and Israel alone," the report states. "They have bigger intentions: to position themselves to impact critical infrastructure globally."
Cylance says it discovered these coordinated attacks when it was contracted to investigate multiple security breaches across a variety of organizations. It went public, the report says, because, "our visibility into this campaign represents only a fraction of Operation Cleaver's full scope. We believe that if the operation is left to continue unabated, it is only a matter of time before the world's physical safety is impacted by it."
The hacking group is thought to have 20 members, most of them English speakers. The group's techniques overlap with those used by the Iranian Cyber Army, Ashiyane and the Syrian Electronic Army, and the "Cleaver" team is thought to be a mix of existing team members and recruits from Iranian universities.
Awad Mustafa contributed to this report.