Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Iranian hackers compromised airlines, airports, critical infrastructure companies

Lucian Constantin | Dec. 3, 2014
For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

The attacks have collectively been dubbed Operation Cleaver after a string found in various malware tools used by the hacker group, which is believed to operate primarily out of Tehran.

"We discovered over 50 victims in our investigation, distributed around the globe," said researchers from IT security firm Cylance in an extensive report released Tuesday. "Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation."

Other victims were identified in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey and the United Arab Emirates.

The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves. Cylance believes the team consists of at least 20 hackers and developers who support Iranian interests and were probably recruited from the country's universities.

"The infrastructure utilized in the campaign is too significant to be a lone individual or a small group," the Cylance researchers said. "We believe this work was sponsored by Iran."

The type of access the hackers obtained inside various organizations and the data they stole varied widely. In the case of universities, they targeted research data, student information, student housing, as well as identifying information, pictures and passports. In the case of critical infrastructure companies, they stole sensitive information that could allow them or affiliated organizations to sabotage industrial control systems and SCADA (supervisory control and data acquisition) environments, the Cylance researchers said.

No evidence of such sabotage by the group exists so far, but Cylance believes this could be the campaign's end goal, as retaliation by Iran for the Stuxnet, Duqu and Flame malware attacks. Stuxnet, which is viewed as the world's first cyberweapon, is believed to have been created by the U.S. and Israel to sabotage Iran's uranium enrichment efforts and set back its nuclear program.

"Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan," the Cylance researchers said. "The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure."

"They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials," the researchers said. "They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allowed unfettered access to the victim's domains. We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate."

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.