Inside Iran’s Operation Cleaver

While US Cyber Command has been focusing on the Chinese, North Koreans, and Russians, and their respective intrusions into the networks of US companies, energy utilities, our military, and government agencies, Iran has been building a world-class cyber-operations unit of its own.  Details about what is being called “Operation Cleaver” have been released by the security company Cylance.

The Iranian Cyber Army started operations in the early 2000s.  It has transformed from a small group focused on political website defacements, denial-of-service attacks, and other low-level cyber operations into a potent, world-class cyber-operations unit.

Partly in retaliation for the joint US/Israeli “Olympic Games” operation, associated with the Stuxnet, Flame, and Duqu malware, Iranian cyber-operations assets have been attacking US and other Western resources since at least 2012.

Iran’s improved capabilities were demonstrated in the 2012 Shamoon campaign, which attacked RasGas and Saudi Aramco. Shamoon was a wiper: it overwrote the hard drives of more than 30,000 computers, rendering them unusable, and remediation cost tens of thousands of hours and millions of dollars.

Iran followed up with Operation Ababil in 2012 and 2013, a denial-of-service campaign targeting banks in the United States.  Iran then hacked into the US Navy Marine Corps Intranet (NMCI) and launched a sustained barrage against Israeli power, water, and banking systems in 2013.  An espionage campaign named Operation Saffron Rose and the social-engineering campaign Operation Newscaster were launched in 2014.

With Operation Cleaver, Iranian cyber-warriors have set up a worldwide network-penetration and surveillance program.  They have breached networks, established persistent footholds in servers and other equipment, and exfiltrated sensitive information from governments and critical-infrastructure operators.

Countries affected include the United States, Canada, Mexico, England, France, Germany, India, China, South Korea, Israel, Kuwait, Pakistan, Qatar, Saudi Arabia, Turkey, and the United Arab Emirates.  The targeted organizations include governments, militaries, oil and gas production and transportation, energy and utilities, electrical transmission, transportation, airlines, airports, hospitals, telecommunications and Internet, technology, education, aerospace, defense industries, and chemical companies.

The Cylance whitepaper runs to 86 pages, which makes it a long read, but if you are running computer operations in one of the targeted sectors, you ought to put it at the top of your reading list.  It contains many very specific indicators of compromise (IOCs), details about the attackers’ tools, and even the names of some of the Iranian team members.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.