Operation Cleaver

The book Hacking Exposed has long been on my bookshelf and is a favorite of mine. Its author, Stuart McClure, who is well-known in the security industry and who is founder and CEO of the security firm Cylance, wrote a passionate introduction to his company’s report on Iranian cyber-attack technology and cyber-exploits dubbed Operation Cleaver. After reading this introduction, I decided to dive deeply into the report.

The report calls Iran the “new China” relative to cyber-attack technology. Well, no, but it does force the many targeted governments to put Iran on their cyber-watch-lists. Iran not only has some sophisticated cyber-attack technology, it appears to be even more brazen than China or North Korea about going after infrastructure around the world. The report claims targets have been attacked in: military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.

The report reminds us that Iran was damaged by Stuxnet (2009-10), Duqu (2009-11), and Flame (2012). It reasonably speculates that these attacks motivate Iran to fund the development of advanced cyber-attack technology. It also points out that Iran has a relevant technology exchange agreement with North Korea.

The report lists as possible retaliation the 2011 certificate compromises of Comodo and DigiNotar, as well as the 2012 Shamoon campaign against RasGas and Saudi Aramco that impacted over 30,000 computers. In late 2012 and early 2013, further Iranian backlash consisted of DDoS attacks on US banks. In 2014, the espionage operation Saffron Rose (attacking the US defense industry; the FireEye report is excellent) and operation Newscaster (which uses social media to collect email credentials of US and Israeli journalists, military and diplomatic personnel) were attributed to Iran.

Operation Cleaver seems to be staffed by a team of known and new players, some of whose members are described in the report. While Cleaver uses existing code, its new code seems to date from 2012, and its earliest attacks start in roughly 2013.

The hacking techniques of Operation Cleaver are discussed in depth by the report. This depth and the associated attribution to Iran were enough to convince me that Operation Cleaver, and by association other Iranian cyber-attack teams, are serious threats.

I strongly recommend to all in the security industry: please read this report in detail. It is here. After the report was published, the FBI issued one of its “confidential flash” reports warning certain companies of potential Iranian attacks. [I haven’t seen its text.] McClure commented on the FBI “flash” that perhaps the potential for Iranian cyber-attacks is larger than Cylance’s initial research indicated. I would agree; there is no evidence indicating that the Cleaver team has subsumed Iran’s Ajax Security Team, the Iranian Cyber Army, and others. Finally, no one seems to understand the subtleties of what “Iranian supported,” “Iranian encouraged,” “Iranian tolerated,” etc. mean for these groups, and the Cylance report provides no clues regarding Operation Cleaver’s relationship to the government.
