Iranian hackers target global infrastructure sector in Operation Cleaver ‘revenge’ attacks

For more than two years, pro-Iranian hackers have penetrated some of the world’s most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers from U.S. cyber security firm Cylance have said.

The report from Cylance states that companies in the US, Israel, China, Saudi Arabia, India, Germany, France and the UK have been targeted with attacks aimed at infrastructure sectors such as aerospace, universities, energy firms, hospitals and telecoms. Another report, published on Military Times, says that even the US Navy-Marine Corps Intranet was hacked under this operation.

Reuters reported that the campaign comes as Iran seeks revenge for cyber attacks designed to scupper its nuclear ambitions. Iran believes that Russia, China, Israel and the US were all behind the Stuxnet worm, which had a debilitating effect on Iran’s nuclear research and crippled systems in its critical infrastructure. Operation Cleaver is thought to be retaliation by hackers who are allegedly backed by the Iranian state.

Operation Cleaver

This sustained hacking campaign has been dubbed “Operation Cleaver” by Cylance. According to the firm, Operation Cleaver has attained the highest levels of system access on targets located in 16 countries around the world.

Cylance states that the systems compromised in the Operation Cleaver attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. Cylance notes that the top 50 victims, including 10 U.S. companies, span airports, hospitals, telecommunication providers, chemical companies, and governments. According to the Cylance report, the Iranian-backed hackers have extraordinary control over much of the world’s critical infrastructure.

Cylance researchers wrote:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allow unfettered access to the victim’s domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Chillingly, the remote access infrastructure of airlines and airports in South Korea, Saudi Arabia and Pakistan was among the transportation targets. The group accessed airport gate and security control systems, a “shocking amount of access into the deepest parts of these companies and the airports in which they operate,” the report says.

The hackers dedicated special effort to the oil and gas sector as well. Cylance says that the group went after nine such companies around the world. In the Middle East, the hacking group targeted oil and gas companies in Kuwait, Qatar and Saudi Arabia, according to the report. The report also says the 2012 Shamoon attacks, which crippled RasGas and Saudi Aramco, may have been part of this operation.

So far, the Cylance report states, the intrusions have “successfully evaded detection by existing security technologies.” The report does not explain how Cylance determined that the intrusions were occurring, nor does it indicate what data was stolen.