Operation Cleaver

Last updated

Operation Cleaver, as labelled in a report by American firm Cylance Inc. in late 2014, was a cyberwarfare covert operation targeting critical infrastructure organizations worldwide, allegedly planned and executed by Iran.

Contents

Cylance's report was later tacitly acknowledged in a confidential report by Federal Bureau of Investigation (FBI), though Iranian officials denied involvement in the operation. [1]

Cylance report

Logo designed by Cylance Operation Cleaver.png
Logo designed by Cylance

In December 2014, California-based cyber security firm Cylance Inc. published results of a 2-year investigation, [2] an 86-page technical report, indicating that an operation, called "Operation Cleaver", has targeted the military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals and aerospace industries organizations worldwide. [3]

The title "Operation Cleaver" alludes to frequent uses of the word "cleaver" in the malware's coding. [4]

According to the report, over 50 entities in 16 countries have been hit by the campaign, based in the United States, Israel, China, Saudi Arabia, India, Germany, France and England among others. [5] Cylance's research does not name individual companies, but Reuters reports citing "a person familiar with the research" Navy Marine Corps Intranet, Calpine, Saudi Aramco, Pemex, Qatar Airlines and Korean Air were among the specific targets. [5]

Stuart McClure, Cylance founder and CEO believes that the hackers are sponsored by Iran and have ties to Islamic Revolutionary Guard Corps. [2]

FBI report

According to Reuters , the Federal Bureau of Investigation has filed a confidential "Flash" report, providing technical details about malicious software and techniques used in the attacks. The technical document said the hackers typically launch their attacks from two IP addresses that are in Iran, but does not attribute the attacks to the Iranian government. [5] FBI warned businesses to stay vigilant and to report any suspicious activity spotted on the companies' computer systems. [3]

Iran's reaction

Iran has officially denied involvement in the hacking campaign. "This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks", said Hamid Babaei, spokesman for Permanent mission of Islamic Republic of Iran to the United Nations. [5]

See also

Related Research Articles

<span class="mw-page-title-main">Cyberwarfare</span> Use of digital attacks against a state

Cyberwarfare is the use of cyber attacks against an enemy state, causing comparable harm to actual warfare and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage, propaganda, manipulation or economic warfare.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

<span class="mw-page-title-main">Chinese espionage in the United States</span>

The United States has often accused the People's Republic of China of attempting to unlawfully acquire U.S. military technology and classified information as well as trade secrets of U.S. companies in order to support China's long-term military and commercial development. Chinese government agencies and affiliated personnel have been accused of using a number of methods to obtain U.S. technology, including espionage, exploitation of commercial entities, and a network of scientific, academic and business contacts. Prominent espionage cases include Larry Wu-tai Chin, Katrina Leung, Gwo-Bao Min, Chi Mak, Peter Lee, and Shujun Wang. The Ministry of State Security (MSS) maintains a bureau dedicated to espionage against the United States, the United States Bureau.

Cyberwarfare is the use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes. As a major developed economy, the United States is highly dependent on the Internet and therefore greatly exposed to cyber attacks. At the same time, the United States has substantial capabilities in both defense and offensive power projection thanks to comparatively advanced technology and a large military budget. Cyberwarfare presents a growing threat to physical systems and infrastructures that are linked to the internet. Malicious hacking from domestic or foreign enemies remains a constant threat to the United States. In response to these growing threats, the United States has developed significant cyber capabilities.

Cyberwarfare by China is the aggregate of cyberattacks attributed to the organs of the People's Republic of China and various related advanced persistent threat (APT) groups.

Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.

Trustwave is an American cybersecurity subsidiary of The Chertoff Group. It focuses on providing managed detection and response (MDR), managed security services (MSS), database security, and email security to organizations around the globe.

<span class="mw-page-title-main">PLA Unit 61398</span> Chinese advanced persistent threat unit

PLA Unit 61398 is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks. The unit is stationed in Pudong, Shanghai, and has been cited by US intelligence agencies since 2002.

Cyberwarfare is a part of the Iranian government's "soft war" military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field. Since November 2010, an organization called "The Cyber Defense Command" has been operating in Iran under the supervision of the country's "Passive Civil Defense Organization" which is itself a subdivision of the Joint Staff of Iranian Armed Forces.

<span class="mw-page-title-main">Operation Newscaster</span>

"Operation Newscaster", as labelled by American firm iSIGHT Partners in 2014, is a cyber espionage covert operation directed at military and political figures using social networking, allegedly done by Iran. The operation has been described as "creative", "long-term" and "unprecedented". According to iSIGHT Partners, it is "the most elaborate cyber espionage campaign using social engineering that has been uncovered to date from any nation".

CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides endpoint security, threat intelligence, and cyberattack response services.

The Democratic National Committee cyber attacks took place in 2015 and 2016, in which two groups of Russian computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. Cybersecurity experts, as well as the U.S. government, determined that the cyberespionage was the work of Russian intelligence agencies.

Cylance Inc. is an American software firm based in Irvine, California, that develops antivirus programs and other kinds of computer software that prevents viruses and malware.

<span class="mw-page-title-main">NSO Group</span> Israeli cyber-espionage and malware firm

NSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It employed almost 500 people as of 2017.

Rocket Kitten or the Rocket Kitten Group is a hacker group thought to be linked to the Iranian government. The threat actor group has targeted organizations and individuals in the Middle East, particularly Israel, Saudi Arabia, Iran as well as the United States and Europe.

DarkMatter Group is a computer security company founded in the United Arab Emirates (UAE) in 2014 or 2015. The company has described itself as a purely defensive company, however in 2016, it became a contractor for Project Raven, to help the UAE surveil other governments, militants, and human rights activists. It has employed former U.S. intelligence operatives and graduates of the Israel Defense Force technology units.

Charming Kitten, also called APT35, Phosphorus or Mint Sandstorm, Ajax Security, and NewsBeef, is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

<span class="mw-page-title-main">Russo-Ukrainian cyberwarfare</span> Informatic component of the confrontation between Russia and Ukraine

Cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. While the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013, Russian cyberweapon Uroburos had been around since 2005. Russian cyberwarfare continued with the 2015 Ukraine power grid hack at Christmas 2015 and again in 2016, paralysis of the State Treasury of Ukraine in December 2016, a Mass hacker supply-chain attack in June 2017 and attacks on Ukrainian government websites in January 2022.

References

  1. Finkle, Jim (December 13, 2014). Christian Plumb (ed.). "Exclusive: Iran hackers may target U.S. energy, defense firms, FBI warns". Reuters . Retrieved March 30, 2015.
  2. 1 2 Riley, Michael A; Robertson, Jordan (December 2, 2014). "Iran-Backed Hackers Target Airports, Carriers: Report". Bloomberg News . Retrieved March 30, 2015.
  3. 1 2 Plummer, Quinten (December 15, 2014). "Operation Cleaver is Bigger Threat than Previously Thought, FBI Warns US Businesses". Tech Times. Retrieved March 30, 2015.
  4. Bertrand, Natasha (December 8, 2014). "Iran Is Officially A Real Player In The Global Cyber War". Business Insider . Retrieved March 30, 2015.
  5. 1 2 3 4 Finkle, Jim (December 2, 2014). Richard Valdmanis, Christian Plumb and W Simon (ed.). "Iran hackers targeted airlines, energy firms: report". Reuters . Retrieved March 30, 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.