Last year, we discovered that Iranian hackers had breached Navy computer systems, which sent an understandable wave of panic through the administration. But it looks like that might’ve just been the tip of a much bigger, more sophisticated and more deadly iceberg.
According to a just-released report from U.S. security firm Cylance, a team of hackers, believed to be Iranian and working under the name ‘Cleaver’, have been targeting military and civil infrastructure in the US and other countries for the last two years. The team has used a range of techniques to attack targets like hospitals, energy companies, military targets and transport infrastructure, stealing information and compromising the security of some systems. Countries attacked include the the ones you’d expect — US, Canada and UK — but also perhaps some you wouldn’t, like China, the United Arab Emirates and Qatar.
While Cylance says that no ‘critical’ infrastructure has been directly compromised — no-one’s going to be shutting down the power grid quite yet — that doesn’t make the breaches any less scary, especially when you consider things like airport security systems have been hacked, potentially paving the way for the physical security of an airport to be breached.
Although the range and breadth of attacks on display is reasonably comprehensive, making it likely that this is the work of either a large organisation or a nation-state, the types of attack are nothing particularly groundbreaking. A combination of techniques was used, and all of it should be familiar to anyone with a passing interest in security: SQL injection, a decades-old technique to sneak commands into a database; spear-phishing, the art of sending very specific and well-crafted spam to key individuals within a corporation; and using public exploits in common software like Windows to get administrator access to systems.
While there’s no one smoking gun pointing directly to Iran, Cylance presents a reasonably compelling wealth of circumstantial evidence pointing back to Iran. The attacks have mostly come from IP addresses that are Iranian in origin, and have been linked to previous attacks on anti-government Iranian websites before. The infrastructure and domain names behind many of the attacks are registered in Iran. Most interestingly, analysis of one of the team’s custom tools revealed a built-in warning that alerted the user if their public IP location was showing as being Iran.
That said, it’s worth bearing in mind that all that evidence could just as easily be someone wanting to frame Iran for a series of cyberattacks. Although Cylance makes a compelling case that Iran wants revenge for the Stuxnet attacks, and could also do with some leverage in the ongoing nuclear negotiations, there’s probably a long list of other nations and organisations that would love to steal trade and military secrets from a list of governments around the world.
Iran, for its part, has denied the allegations, as you’d imagine it would. “This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks,” Hamid Babaei, a Iranian spokesperson, told Reuters. Although the denial is exactly what you’d expect, it also touches on one interesting point: the timing of the release of the report.
Although the attacks have been ongoing for the last two years, Cylance has only just released its report, painting Iran in a bad light diplomatically, in the midst of an important round of nuclear talks. It’s interesting to note that the last time we heard about Iranian hacking (that US Navy exploit), it was also on the eve of nuclear talks. It will also be fascinating to see what, if any, backlash Iran receives from the long list of big countries it’s just (seemingly) pissed off. [Reuters, Cylance]