While still unsure whether North Korea is involved in the cyberattacks that have devastated Sony Pictures Entertainment, the Federal Bureau of Investigation is sure that a group of Iranian hackers poses a significant threat to businesses in the United States.
The group, dubbed "Operation Cleaver," has been accused of hacking into servers of the U.S. Navy and is also believed to have orchestrated breaches at some of the world's leading organizations.
Reuters says it was able to review confidential documents from the FBI, which contained technical information about the malware Operation Cleaver is believed to be using. The FBI has warned businesses to stay vigilant and to report any suspicious activity spotted on the companies' computer systems.
The FBI's report connects an IP address in Iran to the Operation Cleaver attacks. The Iranian government, however, has asserted that it is in no way involved with the ring of hackers.
Stuart McClure, founder and CEO of the computer security firm Cylance, has stated his belief that Operation Cleaver is a state-sponsored group. Cylance's 86-page report on Operation Cleaver argues that Iran has emerged as the first adversary of the Western world that is both motivated and capable enough to inflict serious damage on multiple countries, including the U.S.
"They aren't looking for credit cards or microchip designs, they are fortifying their hold on dozens of networks that, if crippled, would affect the lives of billions of people," stated McClure back on Dec. 2. "Over two years ago the Iranians deployed the Shamoon malware on Saudi Aramco, the most destructive attack against a corporate network to date, digitally destroying three-quarters of Aramco's PCs."
The full capabilities of Operation Cleaver are still unclear, as Cylance says it has only been able to collect samples from the group sporadically. One tool Operation Cleaver is known to use, according to Cylance, is the Active Directory worm Net Crawler, also known as NetC.
NetC is packaged with SmartAssembly, a commercial .NET protection tool commonly used by legitimate software vendors, which makes the worm harder to analyze. Once deployed, it harvests credentials from the compromised machine, uses them to spread to other systems on the same network, and harvests more credentials there, repeating the cycle.
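The footprint a credential-reusing worm like NetC leaves behind is one stolen account authenticating to many machines in a short window. The following detector is an added example written for this page, not code from the article, Cylance's report, or the FBI advisory. It runs over constructed log lines (hypothetical accounts, hosts, and addresses) modelled loosely on the fields of Windows security event 4624 and flags accounts whose network logons fan out to several distinct hosts within five minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, accounts and addresses),
# one successful logon per line: timestamp, account, source IP, target host,
# logon type. Logon type 3 (network) is what remote-execution tooling such as
# PsExec produces when a worm pushes itself to another machine with a
# harvested credential; type 2 is an interactive console logon.
SAMPLE_LOG = """\
2014-12-01T09:00:01 CORP\\jsmith 10.0.1.15 FS01 3
2014-12-01T09:00:07 CORP\\jsmith 10.0.1.15 FS02 3
2014-12-01T09:00:12 CORP\\jsmith 10.0.1.15 PRINT01 3
2014-12-01T09:01:40 CORP\\jsmith 10.0.1.15 DC01 3
2014-12-01T09:02:00 CORP\\amiller 10.0.1.22 WS-AMILLER 2
2014-12-01T09:05:00 CORP\\amiller 10.0.1.22 FS01 3
2014-12-01T08:00:00 CORP\\svc_backup 10.0.2.5 FS01 3
2014-12-01T10:00:00 CORP\\svc_backup 10.0.2.5 FS02 3
2014-12-01T12:00:00 CORP\\svc_backup 10.0.2.5 FS03 3
2014-12-01T14:00:00 CORP\\svc_backup 10.0.2.5 FS04 3
2014-12-01T09:10:00 CORP\\bwong 10.0.1.30 FS02 3
2014-12-01T09:10:05 CORP\\bwong 10.0.1.30 FS02 3
2014-12-01T09:10:09 CORP\\bwong 10.0.1.30 FS02 3
"""


def parse_events(text):
    """Parse the space-separated lines above into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, src, host, ltype = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "account": account,
            "src": src,
            "host": host,
            "logon_type": int(ltype),
        })
    return events


def find_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag accounts whose network logons reach at least min_hosts distinct
    hosts inside any sliding window of the given length.

    Returns {account: (window_start, sorted list of hosts)} for the widest
    fan-out seen per account. Repeated logons to one host and logons spread
    over hours (a backup service, for instance) are not flagged.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:          # network logons only
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                hosts.add(ev["host"])
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                best = (start["time"], sorted(hosts))
        if best is not None:
            alerts[account] = best
    return alerts


if __name__ == "__main__":
    for account, (start, hosts) in find_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: {len(hosts)} hosts within 5 min of {start}: {', '.join(hosts)}")
```

On the sample data only CORP\jsmith is flagged (four distinct hosts in under two minutes); the backup service account touches four hosts too, but hours apart, and the threshold and window are the two knobs to tune against a network's normal administrative traffic before turning this into an alert.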
The advisory the FBI has issued to U.S. businesses echoes the sentiments of McClure's series of posts about Operation Cleaver and the threat it poses to organizations of all sizes. Corporations have been slow to adopt the latest security technologies, but this threat needs to be taken seriously, according to McClure.
"[I] don't exactly blame them," says McClure of organizations hesitant to adopt new security tools. "Years of inflated promises by security vendors and a lack of motivated attackers made this attitude almost universal among enterprises worldwide, and it needs to change... Today."