A report released today by the security firm Cylance sheds new light on Iran's military hacking program, suggesting the country's capabilities may be far beyond what many expect. Over the past two years, a group tracked by Cylance has attacked more than 50 targets across 16 countries, including the US, South Korea, Israel, and Pakistan, in what researchers have dubbed "Project Cleaver." The group has paid particular attention to airlines, manufacturers, and defense contractors. In some cases, the group gained access to security control systems at airport gates, potentially allowing for forged gate credentials that would circumvent airport security. They also gained access to PayPal credentials and industrial control systems from other targets.
Attackers smuggled out files in emails touting discount Viagra
The group's methods are effective but not particularly novel, relying entirely on known vulnerabilities and phishing attacks. SQL injection often gave the group its first foothold in a system, although the attackers also sent targets phony job offers from defense contractors like Teledyne and Northrop Grumman. Once the first target was infected, they set to work accessing more powerful credentials, compiling master password lists, and smuggling them out to the master servers. Password files usually went to an anonymous FTP server hosted in California, but in one particularly clever example, the attackers smuggled out the files in emails touting discount Viagra, using the language of spam to ensure no one would look twice at the attachments.
It's a remarkable footprint for a program that has often been overlooked in favor of better-funded groups in Russia and China. In February, The Wall Street Journal reported an Iranian attack targeting US Navy networks, signaling that the country was beginning to retaliate after years as the target of sophisticated military malware. Cylance's new report only confirms the trend. The report also seems to have turned up a surprising amount of specific personal information, developing five separate dossiers on the individuals involved, although any identifiable information is still being withheld from the public.
Cylance's timeline of digital attacks targeting or launched by Iran, culminating in Project Cleaver.