Operation Cleaver was an Iranian global surveillance and infiltration campaign.[^1] The group is believed to work from Tehran.[^1] Auxiliary team members were identified in the Netherlands, Canada, and the UK.[^1] Operation Cleaver uses publicly available and customized tools to compromise global targets.[^1] The goal of the operation is to establish a foothold in global critical infrastructure.[^1]
One target of Operation Cleaver was the hacking of unclassified US Navy computers on the San Diego Navy Marine Corps Intranet.[^1] The operation targeted energy utilities, commercial airlines, airports, military intelligence, aerospace, hospitals, and universities.[^1] Of the 50 identified victims, only 10 were located in the United States.[^1] Four targets were in Israel and five in Pakistan.[^1] Domains used in the campaign were registered in Iran.[^1]
Nine of the victims were oil and gas companies.[^1] The campaign also targeted universities in the US, India, Israel, and South Korea, searching for pictures, passports, and other identifying information.[^1] Source netblocks and ASNs were registered to Iran.[^1] The tools used by the hackers produced warnings when the external IP address traced back to Iran.[^1] The infrastructure for Operation Cleaver was hosted through Netafraz.com.[^1]
The operation obtained the private signing certificates of one victim, which allowed the compromise of that victim's entire organization.[^1] Operation Cleaver compromised Active Directory domain controllers and credentials, and stole VPN credentials.[^1] The compromised airports in South Korea, Saudi Arabia, and Pakistan gave complete access to airport gate security systems, allowing the spoofing of gate credentials.[^1] The two main IP addresses were 78.109.194.114 in Iran and 159.253.114.209 in the Netherlands.[^1] The team behind Operation Cleaver relabeled some previously existing malware as their own.[^1]
The behavior of the development team was not professional, with likely only one developer working on each project at a time.[^1] They used the Mimikatz wrappers zhMimikatz and MimikatzWrapper.[^1] Operation Cleaver exfiltrated data to anonymous FTP servers in California and North Carolina using readily available command line utilities.[^1] Command and Control servers for TinyZBot were located in the UK, Amsterdam, Seattle, and Rochester.[^1] Operation Cleaver used backdoors that disguised themselves as versions of Notepad.exe.[^1] Operation Cleaver used large blocks of AFRANET IP space inside Iran.[^1]
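Two of the tradecraft points above (backdoors masquerading as Notepad.exe, and exfiltration with stock command line utilities to FTP servers) are simple to hunt for in process-creation telemetry. The following is an added example written for this note, not code from the Cylance report; the log format, the sample lines and the list of directories where a genuine notepad.exe is expected are all constructed assumptions.

```python
"""Hunt for two Operation Cleaver TTPs in process-creation events:
a notepad.exe image running from an unexpected directory, and launches
of the built-in ftp.exe client. Events are constructed samples in a
simplified key=value format (assumed here, not a real product schema)."""
import ntpath
import re

# Directories a legitimate notepad.exe is expected to run from (assumption).
EXPECTED_NOTEPAD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Constructed sample events: one benign notepad, one masquerade, one ftp run,
# one unrelated quoted path (to exercise the quoted-value parsing).
SAMPLE_LOG = r"""
image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmd="notepad.exe report.txt"
image=C:\Users\jdoe\AppData\Roaming\notepad.exe parent=C:\Windows\explorer.exe cmd="notepad.exe"
image=C:\Windows\System32\ftp.exe parent=C:\Windows\System32\cmd.exe cmd="ftp -s:C:\Temp\up.txt 203.0.113.5"
image="C:\Program Files\Git\bin\git.exe" parent=C:\Windows\System32\cmd.exe cmd="git push"
"""

# key=value pairs; the value is either "quoted (may contain spaces)" or unquoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one log line into a dict of field name -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def check_event(event):
    """Return a list of finding strings for one event (empty if nothing matched)."""
    findings = []
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    if name == "notepad.exe" and folder not in EXPECTED_NOTEPAD_DIRS:
        findings.append(f"notepad.exe masquerade: unexpected image path {image}")
    if name == "ftp.exe":
        findings.append(f"built-in ftp client launched: {event.get('cmd', '')}")
    return findings


def hunt(log_text):
    """Run the checks over every non-empty line; return (image, finding) pairs."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            results.extend((event.get("image", ""), f) for f in check_event(event))
    return results


if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_LOG):
        print(f"{image}: {finding}")
```

In a real environment the expected-directory set should be derived from the host's own Windows install path, and ftp.exe launches are only suspicious in context (parent process, destination address), so treat the second check as a lead for triage rather than a verdict.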
[[TinyZBot]] – custom bot code
[[Salman Ghazikhani]] – hacker name used throughout the campaign
[[Baham Mohebbi]] – hacker name used in the campaign
[[Kaj]] – hacker name used in the campaign
[[Parviz]] – hacker name used in the campaign
[[Nesha]] – offensive members of Operation Cleaver
[[Alireza]] – senior developer
[[Jimbp]]
[[Shell Creator 2]] – used in Operation Cleaver
[[Net Crawler]] – developed for Operation Cleaver
[[PrivEsc]] – copy of existing malware used in Operation Cleaver
[[PVZ Bot Toolchain]]
[[CCProxy]] – used by Operation Cleaver
[[EasyResumeCreatorPro.com]] – Cleaver phishing site
[[Teledyne Resume Submitter]] – another phishing site
[[zhMimikatz]]
[[Jasus]]
[[zhCat]] – tool developed that is similar to NetCat
[[PLINK]] – used by Operation Cleaver
Backlinks
[[Active Directory]]
[[AFRANET]]
Autonomous System
[[CISCO Routers]]
[[Critical Infrastructure]]
[[Cyber “Living off the Land”]]
[[FTP]]
[[India]]
IP Addresses
[[Iranian Hacking]]
[[Isfahan]]
[[Israel]]
[[Netherlands]]
[[Pakistan]]
[[Sinkhole (Cyber)]]
[[South Korea]]
Tarh Andishan
[[United States]]
VPN
Sources
[^1]: Cylance_OperationCleaver