The hackers have compromised networks to such a degree that they control the networks of government agencies and key critical infrastructure companies in 16 countries, including the UK.
Although the two-year campaign targeted 15 different industries, most attacks have been on airlines and airports, energy, oil and gas, telecommunications companies and government agencies.
The group appears to work mainly from Tehran, Iran, but auxiliary team members were identified in other locations including the UK, the Netherlands and Canada, the report said.
Cylance said the report is aimed at raising awareness about the tools and techniques the hacker group uses, to help prevent cyber attacks that could endanger lives.
“We do everything we can to uncover the flaws in technologies before they damage the physical or cyber world,” said Stuart McClure, chief executive at Cylance.
“We have made every effort to notify all affected entities prior to publishing this report.”
The Operation Cleaver report focuses on a particular Iranian hacker group that uses malware that includes several instances of the word “cleaver”.
Cylance investigators have dubbed the group Tarh Andishan, which means “thinkers” or “innovators”.
“This team displays an evolved skillset and uses a complex infrastructure to perform attacks of espionage, theft, and the potential destruction of control systems and networks,” said McClure.
Although researchers have limited visibility inside many of the compromised networks, he said Tarh Andishan had compromised more than 50 networks since at least 2012.
The group uses custom and publicly available tools and, among other methods, SQL injection, spear phishing, watering hole attacks and a proprietary botnet infrastructure called tiny Zbot, the researchers found.
Utility, military and university targets
The hackers extracted large amounts of data, including sensitive employee information and schedule details, VPN credentials, identification photos, information about airport and airline security, video network and electricity diagrams, and security codes. The report said this suggested motives beyond stealing intellectual property or financial theft.
Targeted organisations include a company specialising in natural gas production, electric utility companies, oil and gas providers, a large defence contractor, a major US military installation, major airlines, a car maker, telecoms and technology companies, and several universities.
Through its approach of applying maths and machine learning to cyber security, Cylance said it uncovered previously undetected malware and attacks tied to the Iranian hacker team.
All nations need to be at a state of readiness and the investment in cyber defence must at the very least match the investment being made in attacks by adversaries, said TK Keanini, chief technology officer at security firm Lancope.
“This statement is only bone-chilling if you are not paying attention. The threat is real and defences are in a constant co-evolutionary spiral,” he said.