Inside Iran’s Operation Cleaver

While the US Cyber Command has been focusing on the Chinese, North Koreans, and the Russians, and their respective intrusions into the networks of US companies, energy utilities, our military, and government agencies, Iran has been creating a world-class cyber-ops unit of its own. Details about what is being called “Operation Cleaver” have been released by security company Cylance.

The Iranian Cyber Army started operations in the early 2000s. It has transformed from a small group that focused on political web site defacements, denial of service attacks, and other low-level cyber-operations into a potent, world-class cyber operations unit.

Partly as revenge for the joint US/Israeli “Olympic Games” operation involving Stuxnet, Flame, and Duqu malware exploits, Iranian cyber-operations assets have been attacking US and other Western resources since at least 2012.

An example of Iran’s improved capabilities was demonstrated in 2012’s Shamoon campaign, which attacked RasGas and Saudi Aramco. Shamoon caused the physical destruction of hard drives in over 30,000 computers, and remediation cost tens of thousands of hours and millions of dollars.

Iran followed up with Operation Ababil in 2012 and 2013, a denial of service operation targeting banks in the United States. Then Iran hacked into US Navy Marine Corps Intranet computers worldwide, and launched a sustained barrage against Israeli power, water, and banking computer systems in 2013. An espionage campaign named Operation Saffron Rose and the watering-hole attack Operation Newscaster were launched in 2014.

With Operation Cleaver, Iranian cyber-warriors have set up a worldwide network penetration and surveillance program. They have breached networks, established a persistent foothold in servers and other equipment, and exfiltrated sensitive information from governments and critical infrastructure operators.

Countries affected include the United States, Canada, Mexico, England, France, Germany, India, China, South Korea, Israel, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, and the United Arab Emirates. The targeted organizations include governments, militaries, oil and gas production and transportation, energy and utilities, electrical transmission, transportation, airlines, airports, hospitals, telecommunications and Internet, technology, education, aerospace, defense industries, and chemical companies.

The Cylance whitepaper runs to 86 pages, which makes it a long read, but if you are running computer operations in one of the targeted industrial sectors, you ought to put it at the top of your reading list. It contains many very specific indicators of compromise, details about the cyber tools used, and even the names of some of the Iranian team members.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.