Inside Iran’s Operation Cleaver

While the US Cyber Command has been focusing on the Chinese, North Koreans, and Russians, and their respective intrusions into the networks of US companies, energy utilities, our military, and government agencies, Iran has been building a world-class cyber-operations unit of its own.  Details about what is being called “Operation Cleaver” have been released by the security company Cylance.

The Iranian Cyber Army started operations in the early 2000s.  It has transformed from a small group that focused on political website defacements, denial-of-service attacks, and other low-level cyber-operations into a potent, world-class cyber-operations unit.

Partly in retaliation for the joint US/Israeli “Olympic Games” operation, which employed the Stuxnet, Flame, and Duqu malware, Iranian cyber-operations assets have been attacking US and other Western targets since at least 2012.

An example of Iran’s improved capabilities was the 2012 Shamoon campaign, which hit Saudi Aramco and RasGas. Shamoon was a wiper: it overwrote the master boot record and files on over 30,000 computers, leaving them unbootable and their data unrecoverable, and remediation cost tens of thousands of hours and millions of dollars.

Iran followed up with Operation Ababil in 2012 and 2013, a distributed denial-of-service campaign targeting banks in the United States.  Then Iran hacked into the US Navy Marine Corps Intranet (NMCI) and launched a sustained barrage against Israeli power, water, and banking systems in 2013.  In 2014 came the espionage campaign Operation Saffron Rose and the social-media-based Operation Newscaster, which used fake personas and a bogus news site to lure targets.

With Operation Cleaver, Iranian cyber-warriors have set up a world-wide network penetration and surveillance program.  They have breached networks, established a persistent foothold in servers and other equipment, and exfiltrated sensitive information from governments and critical infrastructure operators.

Countries affected include the United States, Canada, Mexico, England, France, Germany, India, China, South Korea, Israel, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, and the United Arab Emirates.  The targeted organizations include governments, militaries, oil and gas production and transportation, energy and utilities, electrical transmission, transportation, airlines, airports, hospitals, telecommunications and Internet, technology, education, aerospace, defense industries, and chemical companies.

The Cylance whitepaper runs to 86 pages, which makes it a long read, but if you are running computer operations in one of the targeted sectors, you ought to put it at the top of your reading list.  It contains many very specific indicators of compromise (IOCs), details about the tools used, and even the handles of some of the Iranian team members.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference (2016, 2017, 2018, 2019), the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at