Iranian CLEAVER hacks through airport security, Cisco boxen
Plausibly-deniable Iranians suspected of Stuxnet reprisal attacks
An alleged Iranian hacking group whose existence is denied by the state is turning up the heat on its two-year global campaign to pop critical infrastructure systems, Cylance researchers say.
The group was tied to Iran by the local infrastructure it was alleged to use in the attacks and appeared to have formed as a response to the Stuxnet worm which tore through the state's Natanz uranium enrichment facility.
Some 50 targets and compromised victims were uncovered, including 10 US organisations and agencies such as the Navy Marine Corps Intranet, resource-sector utilities, telcos, research facilities, airports and defence contractors.
Airport security gates were hacked using a "shocking amount" of access gained to the "deepest" sections of victim networks, potentially allowing attackers to traffic passengers past security.
Iran's US mission official Hamid Babei, speaking to Reuters, dubbed the report "baseless and unfounded" and said it was aimed at tarnishing the government and hampering nuclear talks.
The denial clashed with a statement from Cylance boss Stuart McClure, who said the Operation Cleaver report, named after the group, was free of "exaggeration and embellishment" and contained only verifiable facts.
"After tracking hackers both personally and professionally for more than 26 years, there is no doubt in my mind that the release of the information contained in the Operation Cleaver report is vital to the security of the world’s critical infrastructure," McClure said.
Researchers found no evidence that critical infrastructure assets such as SCADA systems had been manipulated, but "bone chilling" evidence suggested the group had stolen enough data to do so.
"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan," the researchers wrote.
"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials."
PayPal and Go Daddy credentials were stolen, while Active Directory domains and "entire" Cisco edge switches, routers and internal networking infrastructure were compromised.
"Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials," researchers wrote.
The known capabilities of Cleaver and the destruction it wrought were likely only a fraction of what it possessed.
The US was the largest target, followed by entities in South Korea and Pakistan. The UK was conspicuously absent, as was Australia.
Cylance researchers said Cleaver, a name seemingly chosen by the group, evolved faster than any previous Iranian crew and masqueraded as a legitimate engineering company, Tarh Andishan, in a hallmark of state sponsorship.
Further Iranian infrastructure, including netblocks, autonomous system numbers and hosts, was used in the attacks.
Its rapid advancement in skill, and the risk that posed to organisations, forced Cylance to release the report earlier than it had planned, hindering its research effort, it said.
The attackers, thought to have been recruited from known Iranian hacking groups and local universities, used custom tools, but Cylance did not detect the use of zero-day vulnerabilities: the group instead relied on a lack of patching and on phishing to pop victims.
Intelligence was gleaned in part from some 8GB of Cleaver data, including 80,000 stolen files, hack tools and "highly sensitive" reconnaissance information, purloined from sinkholed command-and-control servers, where data the attackers sent home was effectively redirected into the hands of researchers.
Iran flexed its offensive security muscle after Stuxnet with the popping of certificate authorities Comodo and DigiNotar, the destruction of RasGas and Saudi Aramco endpoints under the Shamoon campaign, and subsequent campaigns including alleged continuous attacks against Israel.
The report was stripped of the attackers' personal information, including any 'party photos' uploaded to Facebook, and included analysis of possible motivations for targeting critical infrastructure. ®