If you track cyber security you have no doubt heard of the recently published report by Cylance titled Operation Cleaver. It has been extensively referenced in the press and has generated significant dialog among practitioners, pundits and policy wonks including on Twitter with the hashtag #OpCleaver. The report was so good and so well documented it resulted in the FBI taking the action of publishing special alerts warning infrastructure providers of possible Iranian cyber attacks. This was a very important report.
Here is a gist of the report from Cylance:
- A new global cyber power has emerged; one that has already compromised some of the world’s most critical infrastructure. The Operation Cleaver report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries. Our report unveils the tactics, techniques and procedures used in what is still an ongoing campaign.
- Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe, including military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, chemical, companies, and governments.
- Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.
The report provides a sound-bite sized statement that “Iran is the new China.” That is designed to make us think and I’m glad they wrote that. But as an intelligence professional I would like to add that the motivations of these actors appear to be different. China seems primarily motivated by espionage, with the strategic military potential of cyber attacks a secondary but also important consideration. These Iranian attacks appear to be more sinister, motivated by a desire to have a strategic weapon at their disposal. The importance of this nuance may only be relevant to policy makers seeking to deter these actors from their objectives. That too is something to put some thought into, since both are totally different collectives of totally different actors.
The report makes the point that in many ways attribution offers little real benefit to the day-to-day cyber defender. Cylance writes that this level of attribution can aid law enforcement. We agree with the latter point, of course, this can be of use to law enforcement. But would like that there is another school of thought regarding intelligence informing cyber defense. We believe this report can serve enterprises as yet another strategic intelligence input, which can be useful in helping organizations plan their defenses.
Overall, our assessment is that although the report is short, it is to the point, and very insightful. Our recommendations:
- We most strongly recommend you read it in its entirety. It will give you a much better feel for the quality of work by the team at Cylance and help you understand the nature of this threat better.
- Please consider sharing the Cylance report. Cylance has documented a very important evolution of the cyber threat, one we believe all citizens, not just defenders, need to better understand. I believe we are all doing civilization a favor when we spread the word on good works like this, and hope you will consider sharing the Cylance Operation Cleaver report widely.
Download the report here: Operation Cleaver
Additional Reporting
Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices