Iran-Backed Hackers Target Airports, Carriers: Report

Updated on
Cyber Attack
Cylance believes Operation Cleaver involves at least 20 hackers and the report outlines specialized tools it said they used, including a network of computers controlled by the hackers to process information or mount attacks, known as a botnet. Photographer: Patrick Lux/Getty Images

Hackers working for Iran have targeted at least 50 companies and government organizations, including commercial airlines, looking for vulnerabilities that could be used in physical attacks, cyber-security firm Cylance Inc. said today.

The hackers infiltrated the computer systems of carriers and their contractors in Pakistan, the United Arab Emirates and South Korea, the Irvine, California-based firm said in a report outlining the results of a two-year investigation. They broke into the computers of suppliers responsible for aircraft maintenance, cargo loading and refueling, according to the report and Cylance analysts, and stole credentials that could be used to impersonate workers.

In the U.S., computers belonging to chemical and energy companies, defense contractors, universities and transportation providers were hacked in what Cylance dubbed Operation Cleaver. The report said the Iranian group is the same one that breached the U.S. Navy’s unclassified computer system in September 2013.

The capabilities of Iranian cyberspies have advanced to the point that the country is quickly becoming a top-tier cyber power, according to the report. While the group Cylance followed appears to have been focused on intelligence gathering, the choice of targets raises security fears, the report said.

“If the operation is left to continue unabated, it is only a matter of time before they impact the world’s physical safety,” the report said.

Cylance said it provided the information it collected to the U.S. Federal Bureau of Investigation. The FBI is already looking into Iranian hacking, including the Navy breach, according to two people familiar with that probe.

Four Targets

Hamid Babaei, the spokesman for the Iranian mission to the United Nations in New York, denounced the report. “This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image particularly aimed at hampering current nuclear talks,” Babaei said in an e-mail.

While Cylance didn’t identify the targets, a person familiar with the law-enforcement investigation said they include Pakistan International Airlines; Korean Air; Petroleos Mexicanos, the world’s ninth-largest oil producer; and Calpine Corp., a power company with generation facilities in California, Texas and the mid-Atlantic.

Muhammad Haneef Rana, a spokesman for Pakistan International Airlines, said he wasn’t aware of any threat from hackers. “We are well secured and our firewall is in place,” he said.

Pemex denied its data network has been violated, said a press official who asked not to be identified due to company policy. Korean Air declined to comment. Calpine didn’t immediately respond to a request for comment.

Joshua S. Campbell, a spokesman for the FBI, declined to comment on the report or its conclusions.

Breaching Systems

Cylance’s allegations of state-sponsored hacking are the latest in a string this year. Other security firms have accused Russians of breaching systems at the North Atlantic Treaty Organization, and the U.S. indicted five members of China’s military in absentia on charges of hacking U.S. companies.

The U.S. is also mounting vast cyber-espionage operations, with the National Security Agency’s efforts revealed in a series of leaks of classified information beginning last year.

“Russians are the most sophisticated and most capable outside the U.S. The Chinese bring to bear staggering numbers of people and computers. Iran is probably between those two,” said retired Admiral William Fallon, head of the U.S. Central Command until 2008. “They are pretty good and they are motivated.”

The Iranian hacking efforts are largely overseen by the Iranian Revolutionary Guard Corps, Fallon said.

Sweeping Operation

Iran has been building its cyber-capacity since a computer worm known as Stuxnet derailed work at a uranium processing facility at Natanz in 2010. That attack has been attributed in several media reports to a joint U.S.-Israel operation.

Cylance, founded by former McAfee Chief Technology Officer Stuart McClure, is a security-products firm that sells commercial technology designed to repel advanced cyberattacks. Its 87-page report is among the most detailed public evaluations of Iran’s cyber-espionage capabilities.

The firm drew on more than 80,000 files of stolen data and hacking tools that Cylance said it obtained from computers used by the hackers since at least 2012.

From that trove, the company’s analysts peeled back what they said was a sweeping spying operation that focused on the U.S. and Iran’s Persian Gulf rivals, as well as on Germany, China, England and Israel.

Universities and their financial aid and housing offices were targeted, suggesting the spies were interested in students, perhaps as potential recruits, the report said.

Operation Cleaver

Cylance believes Operation Cleaver involves at least 20 hackers and the report outlines specialized tools it said they used, including a network of computers controlled by the hackers to process information or mount attacks, known as a botnet.

The report provides a breakdown of the skills of particular hackers identified by their nicknames, a level of detail similar to that in a report last year by the security firm Mandiant on a crack Chinese military team known as Unit 61398.

Intelligence Priorities

The kinds of companies cited in the Cylance report provide a map of intelligence priorities. The targets are different from those of Russian hackers, who have recently zeroed in on the Ukraine conflict, oil markets and the global financial system, and Chinese hackers, who have focused on gaining commercial secrets, according to a series of investigations.

Any data collected about global air transportation networks could be passed to militants and insurgent groups allied with Tehran, according to Reuel Marc Gerecht, senior fellow at the Foundation for Defense of Democracies and former Middle East specialist at the CIA’s Directorate of Operations.

The fact that several targets were in South Korea may be the result of intelligence cooperation between Iran and North Korea, giving Iran something to trade, the report said.

Passport Photos

There may be reason for concern given the information the hackers sought to take, said McClure, Cylance’s chief executive officer. The report said they stole passport photos, employee credentials and data that could be used to impersonate workers and bypass airport security checkpoints.

They also accessed details about computer systems at major Middle Eastern airports, including Pakistan’s Jinnah International Airport in Karachi, McClure said. Armed Taliban militants disguised as security staff workers stormed the airport in June, killing more than 30 people. The report doesn’t link that to the hack but McClure said some information stolen was related to a gate where the attack began.

The Iranian hackers have also been tracked by iSight Partners, a Dallas-based security firm. The hackers -- which iSight calls Jafar, a reference to the name used to register some of the Internet domains used in the attacks -- have infiltrated systems controls at the Benazir Bhutto International Airport in Islamabad, the firm says. Airport officials weren’t immediately available for comment.

Nickname: ‘Parviz’

According to Cylance, two of the most productive of the Iranian cyberattackers included the nicknames “Parviz” and “Nesha” in their attack code and in the passwords used to get to stolen material. Other technical indicators link to Internet space belonging to a company in Tehran, according to the report.

“The Iranian regime uses a lot of contract native talent” to develop its offensive capacity, Gerecht said.

Cylance said its researchers took advantage of hackers’ mistakes to access some computers they used to organize their attacks, revealing dozens of targets and a large cache of stolen files. Cylance said the documents it obtained open only a modest window onto the group’s operations and that the total number of targets is likely larger.

The report paints a picture of a persistent, aggressive operation aimed at undermining vital components of nations’ transportation systems, and highlights the growing danger that state-sponsored hacking poses to civilian infrastructure.

“If you’ve gone from financial to oil and gas and you’re switching to avionics, you’re talking about the whole of critical infrastructure,” said Joe DeTrani, former senior adviser to the U.S. Director of National Intelligence and president of the Intelligence and National Security Alliance. “If one is looking at the battlespace, certainly the air, avionics and airports and related facilities would be part of the equation.”

Before it's here, it's on the Bloomberg Terminal. LEARN MORE