A team of Iran-backed hackers is targeting infrastructure around the world and already has victimized 10 companies in the US, according to cyber-security company Cylance.
These include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation, said the Boston-based firm in a report that didn’t identify the companies by name.
After tracking the team it dubbed Operation Cleaver for more than two years, Cylance said it concluded that “the government of Iran, and particularly the Islamic Revolutionary Guard Corps, is backing numerous groups and front entities to attack the world’s critical infrastructure.”
It cited as part of its evidence the team’s “frequent spin-up and take-down of large IP blocks inside the AFRANET IP space inside Iran,” as well as the country’s investment in cyber warfare.
The attacks are part of more than 50 worldwide that have focused on the oil and gas and transportation industries, as well as universities. They involve espionage, theft and destruction of control systems and networks.
“Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan,” Cylance said.
The company said ongoing nuclear negotiations with the US, Britain, France, Germany, Russia and China, as well as Iran’s 2012 technology cooperation agreement with North Korea, may have played a role in recent attacks. But the original impetus lies with the malware attacks against Iran since 2009, especially Stuxnet, Cylance said.
“A major retaliation came in the form of 2012’s Shamoon campaign, which impacted RasGas and Saudi Aramco” and cost the companies hundreds of thousands of hours in downtime, according to Cylance. “We see the same motivation and intent here in Operation Cleaver: establishing a beachhead for cyber sabotage.”
The team is believed to include about 20 hackers and developers in Tehran, with “auxiliary” members in locations such as the Netherlands, Canada, and the UK, Cylance said.
Cylance leverages algorithmic risk modeling to protect critical infrastructure and key resources, industrial control systems, supervisory control and data acquisition systems, building management systems, embedded systems and fixed-function systems, the company said.