Report: Iranian Hackers Took “Bone-Chilling” Control over Airports in 3 Countries

New details are emerging about the report released yesterday by the American cyber security firm Cylance, concerning Iran’s aggressive global cyber-attacks. Cylance has dubbed the Iranian campaign “Operation Cleaver.”

Computerworld reports:

The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves. Cylance believes the team consists of at least 20 hackers and developers who support Iranian interests and were probably recruited from the country’s universities.

“The infrastructure utilized in the campaign is too significant to be a lone individual or a small group,” the Cylance researchers said. “We believe this work was sponsored by Iran.”

Furthermore, Computerworld reports that the IP addresses from which the attacks were traced “have strong associations with [Iranian] state-owned oil and gas companies.”

Bloomberg quoted an expert about the Iranian hackers’ sophistication:

“Russians are the most sophisticated and most capable outside the U.S. The Chinese bring to bear staggering numbers of people and computers. Iran is probably between those two,” said retired Admiral William Fallon, head of the U.S. Central Command until 2008. “They are pretty good and they are motivated.”

The Iranian hacking efforts are largely overseen by the Iranian Revolutionary Guard Corps, Fallon said.

The Bloomberg report also cited Reuel Marc Gerecht, a senior fellow at the Foundation for Defense of Democracies, who observed that any information the Iranian hackers obtained “about global air transportation networks could be passed to militants and insurgent groups allied with Tehran.”

Bloomberg also notes that the targeting of South Korean enterprises suggests Iranian cooperation with North Korea.

The Bloomberg report concludes:

The report paints a picture of a persistent, aggressive operation aimed at undermining vital components of nations’ transportation systems, and highlights the growing danger that state-sponsored hacking poses to civilian infrastructure.

“If you’ve gone from financial to oil and gas and you’re switching to avionics, you’re talking about the whole of critical infrastructure,” said Joe DeTrani, former senior adviser to the U.S. Director of National Intelligence and president of the Intelligence and National Security Alliance. “If one is looking at the battlespace, certainly the air, avionics and airports and related facilities would be part of the equation.”

The New York Times explains specifically how Iran and its allies could exploit the information the hackers accessed:

But the “most bone-chilling evidence” Cylance said it collected was of attacks on transportation networks, including airlines and airports in South Korea, Saudi Arabia and Pakistan. Researchers said they had found evidence that hackers had gained complete remote access to airport gates and security control systems, “potentially allowing them to spoof gate credentials.”

Bloomberg noted that a terror attack launched by the Taliban in June at Jinnah International Airport in Karachi, Pakistan, occurred at a gate that had been hacked by the Iranians. It wasn’t clear, though, if the hacked information was used to facilitate the attack.

Cylance CEO Scott McClure lamented that many corporate networks have failed to keep up with the sophistication of attackers. Citing his hope that the report on Operation Cleaver would “[disturb] that status quo” that exists in the field of cyber security, McClure clearly identified the full scope of the threat from Iran.

The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries. They aren’t looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that if crippled would affect the lives of billions of people. Over two years ago the Iranians deployed the Shamoon malware on Saudi Aramco, the most destructive attack against a corporate network to date, digitally destroying three quarters of Aramco’s PCs. Such an attack is just the beginning, it serves as a proof of concept to prove that such large scale and devastating attacks are not only possible but impending.

[Photo: david pacey / Flickr ]