Iran Hackers Pose Big Threat to Global Infrastructure: Cylance

Twenty Iranian hackers backed by the Iranian government are believed to be behind a two-year spying operation that has targeted major infrastructure networks in various countries around the world.

That is according to a new report released by security startup Cylance, which calls the alleged Iranian operation Operation Cleaver, after a string found in the malware used by the hackers to infiltrate infrastructure systems. As many as 50 infrastructure companies in 16 countries are believed to have been targeted by the hackers, although Cylance believes there could be more.

The victims belong to a variety of industries, ranging from military, oil and gas, aviation, energy, education, health care, government and chemical industries found in Western countries including the United States, United Kingdom, Canada, France and Germany. The list of targets also includes unexpected names, such as Saudi Arabia, Qatar, Pakistan, the United Arab Emirates and China.

"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems, such as airlines and airports in South Korea, Saudi Arabia and Pakistan," Cylance says (pdf).

Cylance determined that the hackers were able to acquire various types of information from its victims. For instance, the team was able to hack into the systems of major universities in the U.S., Israel, India and South Korea to steal research, financial aid and housing information as well as identifying data such as student passports and pictures.

The airline attacks in South Korea and Pakistan are said to have brought the Cleaver team a "ubiquitous" level of access, fully compromising the airlines' Active Directory domains, switches, routers and their internal networking infrastructure, as well as giving the hackers full access to their VPN credentials and PayPal and GoDaddy login information, allowing them to make fraudulent purchases and gain access to their domains.

"We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate," Cylance says.

Cylance says no critical infrastructure systems have been directly compromised, but the security firm believes that Operation Cleaver is a state-sponsored campaign with the end goal of damaging industrial control systems and SCADA (Supervisory Control and Data Acquisition) systems to cripple critical infrastructures in the target countries.

While the Cleaver campaign demonstrates an extensive range of attacks, the allegedly state-sponsored operation uses fairly simple hacking techniques that any person who casually reads up on cyber security would be familiar with.

To gain access to the networks, the hackers, dubbed Tarh Andishan because their IP addresses were traced back to a Tehran-based entity of the same name, used a decades-old technique called SQL injection to insert commands into a database and launched spear-phishing campaigns against key corporate individuals. They also developed their own custom tools, particularly the TinyZBot Trojan, which they used to gain backdoor access to infrastructure networks and do various things any Trojan can do, such as log keystrokes, capture screen shots and execute arbitrary code.

Drawing on more than 80,000 files obtained from the hackers through a method called sink holing, Cylance has compiled a wealth of circumstantial evidence pointing to Iran as the culprit. For instance, the hackers take on Persian nicknames, such as Parviz, Alireza, Kaj, Salman Ghazikhani and Bahman Mohebbi. Furthermore, the domains used in the attacks, such as the WinResume.com duplicate EasyResumeCreatorPro.com, and the entire attack infrastructure are hosted by Isfahan-based provider Netafraz.com. Cylance also believes that the campaign is too significant for it to be the work of a single person or a group of persons looking to make a quick buck with stolen information.

Perhaps the biggest reason to believe that Iran is behind the attack is its need for retaliation. The firm says that Cleaver is the country's response to Stuxnet, Duqu and Flame, three malware campaigns widely believed to be the result of a joint U.S. and Israeli effort to disrupt Iran's nuclear plans at a Natanz facility in 2010.

"Iran's cyber sophistication has grown rapidly since the dawn of Stuxnet and they have used hard dollars combined with national pride to help build their cyber army," Cylance speculates. "Few doubt their commitment as a government and nation state to funding and recruiting cyber warriors to infiltrate and damage their enemies. And it has been commonly postulated that almost all activity since 2010 coming out of Iran is associated with retaliation for Stuxnet/Duqu/Flame, which seems natural given the severity of the impact."

Cylance believes the attacks could be the Iranian government's way to gain leverage in nuclear negotiations with some of the world's most powerful countries, including the U.S., Russia and China, scheduled for 2015.

Iran, however, has denied the accusations.

"This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image particularly aimed at hampering current nuclear talks," says Hamid Babaei, spokesperson for the Iranian mission to the United Nations in New York.

The last time Iran was accused of hacking into critical infrastructure systems was in 2013. At the time, a group of hackers, which Cylance believes is the Cleaver team, infiltrated the U.S. Navy's Marine Corps Intranet and stole hundreds of files, although the Navy claimed no important information was obtained. The hack also came amid a significant round of diplomatic talks between President Obama and Iranian President Hassan Rouhani where Iran insisted it will not pursue the development of nuclear weapons.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics