SAN FRANCISCO >> Iranian hackers were identified in a report released Tuesday as the source of coordinated attacks against more than 50 targets in 16 countries, many of them corporate and government entities that manage critical energy, transportation and medical services.
Over the course of two years, according to Cylance, a security firm based in Irvine, California, Iranian hackers managed to steal confidential data from a long list of targets and, in some cases, infiltrated victims’ computer networks to such an extent that they could take over, manipulate, or easily destroy data on those machines.
Cylance called the attacks “Operation Cleaver” because the word “cleaver” frequently appeared in the attackers’ malicious code.
The New York Times was able to independently corroborate the firm’s findings with another security firm, Crowdstrike, which said it had been tracking the same group of Iranian hackers for the past nine months under a different alias, “Cutting Kitten.” (Kitten is the firm’s naming convention for attack groups based in Iran, a nod to the Persian cat.)
The hackers used a set of tools that can spy on and potentially shut down critical control systems and computer networks, aiming them at targets in the United States, Canada, Israel, India, Qatar, Kuwait, Mexico, Pakistan, Saudi Arabia, Turkey, the United Arab Emirates, Germany, France, England, China and South Korea.
Cylance would name only one of Cleaver’s victims — a Navy-Marine Corps network in San Diego that connects sailors, Marines and civilians across the United States — in its 86-page report. But it said other victims in the United States included a major airline, a medical university, an energy company that specializes in natural gas production, an automobile manufacturer, a major military installation and a large military contractor.
Cylance researchers said the hackers showed a penchant for oil and gas companies, compromising “no less than nine of these companies around the world.” They also zeroed in on universities in the United States, India, Israel and South Korea, and managed to steal pictures, passports and specific identifying information for students and faculty.
But the “most bone-chilling evidence” Cylance said it collected were attacks on transportation networks, including airlines and airports in South Korea, Saudi Arabia and Pakistan. Researchers said they found evidence that hackers had complete remote access to airport gates and security control systems, “potentially allowing them to spoof gate credentials.”
The Cylance report was released just hours after new details unfolded about a crippling cyberattack at Sony Pictures Entertainment. Security experts say that the attack at Sony, which leaked data and rendered many of the company’s computers unusable, has the hallmarks of similar attacks conducted by North Korea last year against South Korean banks and broadcasters.
The attack at Sony, and the newly disclosed attacks from Iran, have rattled security experts and officials, who say Iran and North Korea are the two adversaries they most worry about in cyberspace — not for their sophistication and skill but because they are motivated to cause destruction.
Iran was the victim of a series of cyberattacks by the United States and Israel, which included Stuxnet, a computer virus that was able to destroy a fifth of the centrifuges at an Iranian uranium enrichment facility. Since the discovery of Stuxnet in 2010, Iran has unleashed its own series of attacks, including a destructive attack at Saudi Aramco, in which hackers destroyed data on 30,000 Aramco computers, replacing their contents with the image of a burning American flag.
Iranian hackers are also believed to be behind a series of powerful denial-of-service attacks at U.S. banks that have intermittently taken down their online banking sites.