Hackers From Iran Breached Critical Infrastructure, Airport, Airline Networks

Media Division | December 11, 2014

A group of Iranian hackers has breached networks and computers belonging to more than 16 countries and 50 organizations for the past few years. The affected sectors include defense contractors, military installations, hospitals, universities, and airlines.

The hacker group’s campaign has been dubbed ‘Operation Cleaver’, and many of the victims breached by the group are based in the United Arab Emirates, Kuwait, Qatar, and Saudi Arabia. 10 of the victims are based in the United States and include an automobile maker, an energy company, a medical university, and a major airline. Organizations in England, France, Canada, Germany, Turkey, Pakistan, Israel and India have also been targeted.

According to Cylance, the firm that reported the campaign, these state-sponsored groups can be as serious a threat as their better-known counterparts in other nations. The name ‘Operation Cleaver’ comes from a term that appears frequently in the hacking group’s code, and the group has infiltrated systems holding large amounts of intellectual property, critical and confidential data, and trade secrets.

However, unlike hackers in China and Russia, who mostly target financial data and IP addresses, the group from Iran has largely avoided such data and has instead focused on collecting sensitive employee information and staff schedules, documents relating to electricity, housing and telecom infrastructure, identification photos, and network topologies.

The pattern of the breaches and the kind of data being targeted indicate that the hackers are scoping networks and conducting reconnaissance on them as if preparing for a major assault sometime in the future. Cylance said in its report that the group’s compromise of airports and airlines in Pakistan, Saudi Arabia and South Korea is particularly troubling.

“The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure.”

In some of the cases, the hacking group took complete control over supply chains and remote access infrastructures of the victims. The group even achieved complete access to security control systems and airport gates at one of the airports, enabling members to spoof airport gate credentials.

Researchers also said:

“They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim’s domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate.”

In most of the attacks, the tactics the group used to infiltrate systems and networks are similar to those used by other hacking groups: spear phishing, watering hole attacks, and SQL injection, combined with both public and custom-built malware tools.
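SQL injection, one of the entry techniques named above, works only when untrusted input is pasted into the query text. The following is an added illustration, not code from the article or from Cylance’s report: a login lookup written the vulnerable way beside the parameterised form that defends against it, run against a constructed in-memory SQLite table. The table, the user record and the test input are all invented for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with one sample user (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The query is built by string formatting, so quote characters in the
    # caller-supplied values become part of the SQL statement itself.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    # Parameterised query: the driver binds the values separately from the
    # statement text, so any quotes or keywords in the input stay plain data.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Textbook tautology input used only to show the difference between the two
# functions; it is a constructed test value, not something from the article.
INJECTION = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, correct password:", login_vulnerable(conn, "alice", "correct-horse"))
    print("vulnerable, injected input:  ", login_vulnerable(conn, "alice", INJECTION))
    print("hardened, correct password:  ", login_hardened(conn, "alice", "correct-horse"))
    print("hardened, injected input:    ", login_hardened(conn, "alice", INJECTION))
```

The hardened version never needs to know what a malicious input looks like; it is safe because the database driver, not string formatting, decides where the statement ends and the data begins. Input validation is a useful extra layer, but parameterisation is the control that actually removes the injection path.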

What can organizations do to prevent such attacks?

Military agencies, defense contractors, airports and airlines need to adopt a proactive approach to prevent such attacks and mitigate the damage. The Cylance report noted that the group increasingly relied on its own custom-built malware tools.

In such cases, threat intelligence feeds can help organizations discover known compromised locations and cross-reference them against their own environment to determine whether their digital infrastructure is being used to siphon off sensitive information.
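Cross-referencing a feed against an organization’s own telemetry is, in practice, a matching job. The script below is an added example written for this article, not tooling from Cylance or from any feed vendor: it takes a constructed indicator list (domains, IP addresses in the RFC 5737 documentation ranges, and a placeholder SHA-256) and a handful of constructed proxy and endpoint log lines in an assumed `key=value` format, flags every field that matches an indicator, and groups the hits by host so responders get a triage list rather than raw matches.

```python
import re
from dataclasses import dataclass

# Constructed threat-intelligence feed. These are example indicators only,
# not IoCs from the Cylance report: the domains use the reserved .invalid
# TLD, the addresses are RFC 5737 documentation ranges, the hash is a filler.
PLACEHOLDER_SHA256 = "a" * 64
FEED = {
    "domain": {"c2.example.invalid", "update-check.example.invalid"},
    "ip": {"203.0.113.45", "198.51.100.7"},
    "sha256": {PLACEHOLDER_SHA256},
}

# Constructed log lines in an assumed key=value format (not a vendor format).
LOG_LINES = [
    "ts=2014-12-10T08:01:12Z host=ws-017 event=http dst=203.0.113.45 domain=c2.example.invalid",
    "ts=2014-12-10T08:02:40Z host=ws-017 event=http dst=192.0.2.10 domain=intranet.example.invalid",
    "ts=2014-12-10T08:05:03Z host=ws-022 event=exec sha256=%s path=C:\\Users\\pub\\run.exe" % PLACEHOLDER_SHA256,
    "ts=2014-12-10T08:06:55Z host=ws-031 event=dns domain=update-check.example.invalid",
]

# Which log fields are compared against which indicator type.
FIELD_TO_KIND = {"domain": "domain", "dst": "ip", "src": "ip", "sha256": "sha256"}

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    host: str
    ts: str
    kind: str
    indicator: str


def parse_line(line):
    """Turn one key=value log line into a dict; unknown layouts yield {}."""
    return dict(KV.findall(line))


def match_indicators(feed, log_lines):
    """Return one Hit per (log line, field) whose value is in the feed."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if not rec:
            continue
        for field, kind in FIELD_TO_KIND.items():
            value = rec.get(field)
            if value and value.lower() in feed.get(kind, set()):
                hits.append(Hit(rec.get("host", "?"), rec.get("ts", "?"), kind, value.lower()))
    return hits


def hosts_to_triage(hits):
    """Collapse hits into {host: number of distinct indicators seen}."""
    seen = {}
    for h in hits:
        seen.setdefault(h.host, set()).add(h.indicator)
    return {host: len(indicators) for host, indicators in seen.items()}


if __name__ == "__main__":
    found = match_indicators(FEED, LOG_LINES)
    for h in found:
        print("%s %s matched %s indicator %s" % (h.ts, h.host, h.kind, h.indicator))
    print("hosts to triage:", hosts_to_triage(found))
```

Two design points carry over to real deployments. Matching is done per field against a per-type set, so a domain indicator never accidentally matches an IP field, and lookups stay O(1) however large the feed grows. And because the output is grouped by host, a machine that talks to several indicators (as `ws-017` does here) rises to the top of the list, which is the ordering an incident responder wants.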

New groups conducting such cyber attacks, and new threats, emerge almost every year. Real-time, actionable intelligence is therefore vital for companies, as it enables them to take proactive counter-measures to protect their digital infrastructure.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.