The Iranian hacker team has been dubbed Tarh Andishan — translated into English as "thinkers" or "innovators" — because some of its operations were traced back to blocks of IP (Internet Protocol) addresses registered to an entity called Tarh Andishan in Tehran.
"The net blocks above have strong associations with state-owned oil and gas companies," the Cylance researchers said. "These companies have current and former employees who are ICS [industrial control system] experts."
The Tarh Andishan hackers used common SQL injection, spear phishing or watering hole attacks to gain initial access to one or more computers of a targeted organization. They then used privilege escalation exploits and other tools to compromise additional systems and move deeper inside its network. However, no zero-day exploits, which are exploits for previously unknown vulnerabilities, were observed.
The group's primary tool is a custom Trojan program called TinyZBot, developed by the group itself. Cylance has released more than 150 tools, malware samples and indicators of compromise associated with the group's activity in order to help the security industry detect existing and future Operation Cleaver compromises.
"The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries," said Stuart McClure, Cylance's CEO and President, in a blog post. "They aren't looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that if crippled would affect the lives of billions of people."