New research from Cylance places the blame for a series of coordinated attacks against critical industries on a group of Iranian-sponsored hackers.
In a more than 80-page report, Cylance researchers state that the operation goes back more than two years, and is tied to a collection of individual contractors and a hacking team posing as a construction engineering firm in Tehran. Dubbing it ‘Operation Cleaver’, the researchers uncovered evidence of dozens of victimized organizations, from energy companies to oil, gas and telecommunications firms. Other targets include airlines, airports, government agencies and universities.
“We discovered the scope and damage of these operations during investigations of what we thought were separate cases,” said Stuart McClure, CEO of Cylance, in a statement. “Due to the choice of critical infrastructure victims and the Iranian team’s quickly improving skillset, we are compelled to publish this report. By exposing our intelligence on Cleaver, we hope the information we share can reveal the techniques and tools of this group, drawing global attention to attacks on critical infrastructure and preventing attacks which could endanger human lives.”
The attackers first went after intelligence on facilities and employees at the targeted organization, but then later were able to completely compromise systems and networks. The attackers were able to steal large swaths of data, including sensitive employee information and PDFs of network, housing, telecom and electricity diagrams.
“Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan,” according to the Cylance report. “The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim’s domains.”
In its report, Cylance explained that after multiple incident response engagements, researchers were able to identify a small set of IP addresses commonly used during the initial stages of the attacks. The IP address 184.108.40.206 served as a source for one of the primary attackers, who used this address when conducting SQL injections, controlling backdoors and exfiltrating information. The address also appeared in multiple software configurations recovered from staging servers over a period of time.
The IP address is owned by Tarh Andishan.
“Tarh Andishan is listed as the registrant for a number of small net blocks based upon the email address tarh.andishan(at)yahoo.com,” according to the report. “The net blocks appear to rotate over time and registrant information is altered to accommodate ongoing operations and avoid potential public exposure.”
There are many seemingly legitimate Tarh Andishan related companies inside Tehran, but strong connections to Iranian backing have been difficult to prove definitively, the report continued.
“The net blocks…have strong associations with state-owned oil and gas companies,” according to the report. “These companies have current and former employees who are ICS experts. Tarh Andishan has been suspected in the past of launching attacks in the interest of Iran. The operators of the blog IranRedLine.org, which comments on Iran’s nuclear weapons efforts, have mentioned in multiple posts having been the target of debilitating brute-force authentication attacks from IP addresses registered to the same Tarh Andishan team found in Cleaver.”
All totaled, more than 50 organizations have been hit in the attacks, which are ongoing. The victims have been spread throughout the world, including inside the United States, England, South Korea and Israel.
The initial compromise often happened via SQL injection, spear-phishing and web attacks. To pivot throughout the network, the attackers used public exploits for MS08-067 and Windows privilege escalation bugs alongside automated, worm-like propagation mechanisms, Cylance reported. The attackers also used customized private tools with functions such as ARP poisoning, encryption, credential dumping and process enumeration.
Unlike Stuxnet, no evidence has been uncovered of zero-days being used. Cylance also did not discover any direct evidence of a successful compromise of specific industrial control systems (ICS) or supervisory control and data acquisition (SCADA) networks. However, the attackers were able to compromise Microsoft Windows web servers running IIS and ColdFusion, Linux servers, Apache with PHP and many variants of Microsoft Windows desktops and servers. Compromised network infrastructure included Cisco VPNs as well as Cisco switches and routers.
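The report's method, as described above, was to isolate a small set of source addresses that recurred across the SQL injection, backdoor and exfiltration activity and then group the evidence by that address. The following script is an added example, not code from Cylance or from the report, showing how a defender can apply that idea to their own web-server access logs: it parses combined-format log lines, flags requests that come from the one source IP the article names (184.108.40.206) or that carry coarse SQL-injection indicators in the decoded query string, and groups the results by client address. The log lines, the 10.0.0.15 and 203.0.113.9 addresses, and the request paths are all constructed for the example; the injection patterns are deliberately simple and would need tuning for a real application.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Source address the article quotes from the Cylance report as a primary
# attacker's origin for SQL injection, backdoor control and exfiltration.
# Everything else in this example (log lines, other IPs, paths) is constructed.
KNOWN_CLEAVER_IPS = {"184.108.40.206"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse SQL-injection indicators, matched against the URL-decoded request path.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b"    # UNION-based extraction
    r"|'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+"   # tautologies such as ' or 1=1
    r"|\bsleep\s*\("                          # time-based blind probes (MySQL)
    r"|\bwaitfor\s+delay\b"                   # time-based blind probes (MSSQL)
    r"|;\s*(drop|alter|exec|xp_cmdshell)\b"   # stacked queries
    r"|--\s*$|/\*.*\*/)"                      # comment sequences used to truncate
)

# Constructed sample log; only the first address is taken from the article.
SAMPLE_LOG = """\
184.108.40.206 - - [10/Nov/2014:03:12:41 +0000] "GET /news.cfm?id=12%20union%20all%20select%201,2,3 HTTP/1.1" 200 5120
10.0.0.15 - - [10/Nov/2014:03:13:02 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Nov/2014:03:14:10 +0000] "GET /login.php?user=admin%27%20or%201%3D1-- HTTP/1.1" 302 0
184.108.40.206 - - [10/Nov/2014:03:15:55 +0000] "POST /admin/report.cfm HTTP/1.1" 200 312
10.0.0.15 - - [10/Nov/2014:03:16:07 +0000] "GET /about.php?id=7 HTTP/1.1" 200 1900
"""


def parse_line(line: str):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode twice so single- and double-encoded payloads both become readable.
    entry["decoded_path"] = unquote(unquote(entry["path"]))
    return entry


def classify(entry: dict) -> set:
    """Return the set of reasons this request deserves an analyst's attention."""
    reasons = set()
    if entry["ip"] in KNOWN_CLEAVER_IPS:
        reasons.add("known-cleaver-ip")
    if SQLI_RE.search(entry["decoded_path"]):
        reasons.add("sqli-pattern")
    return reasons


def analyze(lines):
    """Group suspicious requests by source address, mirroring how the report
    isolated the handful of IPs used in the initial stages of the intrusions."""
    findings = defaultdict(lambda: {"hits": 0, "reasons": set(), "requests": []})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        f = findings[entry["ip"]]
        f["hits"] += 1
        f["reasons"] |= reasons
        f["requests"].append((entry["ts"], entry["method"], entry["decoded_path"]))
    return dict(findings)


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['hits']} hit(s), reasons={sorted(f['reasons'])}")
        for ts, method, path in f["requests"]:
            print(f"    {ts} {method} {path}")
```

Run against the constructed sample, the script reports two hits for 184.108.40.206 (one on the address alone, one also on the UNION payload), one injection-pattern hit for 203.0.113.9, and nothing for 10.0.0.15. In practice the address list would be fed from the full indicator set in the report rather than the single IP quoted here, and matches should be correlated with the backdoor-control and exfiltration traffic the article mentions before being treated as confirmed intrusions.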
According to Reuters, an Iranian official denied any government involvement in the attacks.