For the last 26 years I have watched the evolution of computing, the explosive growth of the Internet, and the near ubiquity of technology in every corner of the globe. At the same time, I’ve seen computer hacking evolve, from enthusiasts testing concepts for the first time and teenagers defacing websites to impress strangers on IRC, to acts of advanced SCADA system destruction and sophisticated nation-state espionage hacks from the Chinese, Russians, and now the Iranians.
I’ve spent my career combatting those attackers. Starting with Hacking Exposed, I knew that if the people responsible for defending networks could understand the attacks and techniques that were being used against them, they could protect themselves. For years the status quo went undisturbed: companies got hacked; they would then figure out what vulnerability existed that they didn’t know about, fix it, and move on; after a couple of weeks they would drop out of the news; and after months, they would go back to operating as normal.
I truly hope that this report disturbs that status quo.
No longer can companies afford to be so reactive with their information security practices. Protection isn’t about adversaries, threat intelligence, or emergency incident response services; it’s about having a competitive advantage over your attacker and making it prohibitively expensive to gain the upper hand on you.
In every breach that I’ve been part of over those 26 years, the techniques used by the attacker may have been creative but were not unknown. In fact, very little has changed over the years in terms of real cyber munitions. Sure, there are new ways to use the same old techniques, but quite disappointingly, nothing is new. In fact, in our latest report, Operation Cleaver, you can see multiple techniques that came straight out of my first Hacking Exposed book.
So why are attackers so successful at these attacks? Why are companies getting hacked the exact same way over and over again for some 26 years? The answer is simple: administrators don’t know their holes and certainly don’t know how to protect them from being exploited. Corporations are slow to adopt next generation security technologies that can actually prevent attacks. And I don’t exactly blame them. Years of inflated promises by security vendors, and a lack of motivated attackers made this attitude almost universal amongst enterprises worldwide, and it needs to change… Today.
The Operation Cleaver report documents how Iran is the first highly motivated Western world adversary poised to execute serious attacks against global infrastructure, not just targeting the United States, but the critical infrastructure of over a dozen different countries. They aren’t looking for credit cards or microchip designs; they are fortifying their hold on dozens of networks that, if crippled, would affect the lives of billions of people. Over two years ago the Iranians deployed the Shamoon malware on Saudi Aramco, the most destructive attack against a corporate network to date, digitally destroying three quarters of Aramco’s PCs. Such an attack is just the beginning; it serves as a proof of concept to prove that such large-scale and devastating attacks are not only possible but impending.
Over the last two years, we have watched the Iranians successfully compromise over half of the 50+ targets we have had visibility into, achieving in some cases full compromise of not just servers and workstations, but network infrastructure and administrator credentials. While to date Cylance has yet to see Operation Cleaver result in loss of life or disruption of critical services, with the history of this group I see that as a likely consequence of these attacks.
This foreseeable result of Operation Cleaver has compelled us to publicly disclose much of Cylance’s intelligence on Operation Cleaver (#OpCleaver) to date, with the intention that the cyber defenders of the world can get a leg up on their attackers for once, before any serious harm can be done.
As additional data is gathered we will continue to make updates to the report and make them publicly available.