Iran, which for decades has locked horns with the United States, is emerging as a cyberwarfare power that’s threatening the world, Cylance warned in its Operation Cleaver report, released Tuesday.
Cylance has been tracking one team of roughly 20 hackers called “Tarh Andishan,” which means “thinkers” or “innovators” in Farsi. The group is suspected to be Iranian.
The team “displays an evolved skillset and uses a complex infrastructure to perform attacks of espionage, theft, and the potential destruction of control systems and networks,” Cylance claimed.
Tarh Andishan has attacked various targets around the world, according to Cylance.
The World Is Not Enough
Operation Cleaver has conducted “a significant global surveillance and infiltration campaign” over the past several years, evading detection by existing security technologies, Cylance said.
Tarh Andishan, which is behind Cleaver, is believed to work out of Tehran, although it has auxiliary members in Canada, the UK and the Netherlands.
Only 10 of Tarh Andishan’s 50-some victims worldwide are headquartered in the U.S. They include a major airline, a medical university, an energy company, an automobile manufacturer, a defense contractor and a major military installation.
The group also hit four targets in Israel and five in Pakistan in the education, aerospace, airport, airline, healthcare and technology fields. Its victims also include organizations elsewhere in the Middle East, as well as in South Korea, the UK, France, Germany and Central America.
Oil and gas is a particular focal point for the group — it hit nine firms in the industry worldwide.
Tarh Andishan also is focusing strongly on South Korean companies, possibly in support of Iran’s strengthening relationship with North Korea, Cylance reported.
What Was Taken and How
Tarh Andishan’s techniques include SQL injection, Web attacks and phishing. It has leveraged existing public exploits for MS08-067 and Windows privilege escalations.
The group also has used automated worm propagation and customized private tools with functions that include ARP poisoning, encryption, credential dumping, ASP.NET shells, Web backdoors, network interface sniffing and keystroke logging.
Tarh Andishan has compromised Active Directory domain controllers and credentials; Microsoft Windows Web servers running IIS and ColdFusion; Apache with PHP; several variants of Windows desktops and servers; and Linux servers.
The Threat to Critical Infrastructure
Operation Cleaver has not yet hit any industrial control systems (ICS) or supervisory control and data acquisition (SCADA) networks, but it has taken “extremely sensitive data from many critical infrastructure companies” that would let the hackers do so, Cylance warned.
Critical infrastructure companies are poorly prepared for the increase in cyberattacks, according to a survey conducted earlier this year by Unisys and the Ponemon Institute.
However, the operating systems for ICS and SCADA “are usually non-Windows based, and the network protocols can be proprietary, making it difficult for hackers,” said Brian Foster, CTO of Damballa.
“Short of a physical war, there is probably no greater threat to our national security and way of life,” he told TechNewsWorld, adding that the U.S. Department of Homeland Security responded to 257 credible threats to U.S. critical infrastructure in 2013.
The Cisco Kid Rides On
Cisco VPNs, switches and routers also were compromised, Cylance reported.
“The compromise of products mentioned appears to be the result of a phishing attack, and the subsequent theft and use of user credentials,” said Cisco spokesperson Nigel Glennie.
“We can confirm that there are no new or related vulnerabilities in Cisco products,” he told TechNewsWorld.
Cisco will update customers if any new information comes to light, Glennie said.
It’s likely that Iran is retaliating for “debilitating and extremely advanced malware campaigns” that have “severely impacted” it since 2009, Cylance suggested. They include Stuxnet, Duqu and Flame, all reportedly launched by the U.S. with the help of Israel.
These campaigns changed Iran’s motivation for hacking from defacing websites of enemies to using cyberattacks as a means of physical destruction, Cylance said.
“The best defense [against attacks] is to not rely on any security control,” Damballa’s Foster said. “Assume your prevention will fail against advanced attacks, be prepared to detect hidden threats, and respond before damage is done.”