A group of hackers based in Iran called Tarh Andishan, backed by the Iranian government, is carrying out a co-ordinated and sophisticated campaign of cyber-attacks against critical infrastructure organisations around the world, which could be putting the lives of millions of airline passengers in danger.
The ongoing campaign has been dubbed Operation Cleaver and has been active since 2012. In that time, the Iranian hackers have compromised the systems of over 50 companies and organisations in sectors as varied as energy, military intelligence, aerospace, hospitals and even universities.
However, it is the group's infiltration of commercial airlines and airports which could prove the most worrying aspect of Operation Cleaver.
Cylance, the security company which has been tracking the hackers, says in its 56-page report into the hacking campaign that "there is a possibility that this campaign could affect airline passenger safety".
Security systems at airports in Pakistan, Saudi Arabia and South Korea have all been compromised along with airlines in the US, United Arab Emirates, South Korea, Pakistan and Qatar. The group has also compromised the systems of companies in the aerospace industry in Israel and China.
Cylance says the "most bone-chilling evidence" it collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports.
The hackers have gained "complete access" to airport security gates and their control systems, "potentially allowing them to spoof gate credentials", which will be a huge worry to passengers and authorities alike.
Iranian state-sponsored hackers
Iran has been the victim of major cyber-attacks in recent years, most famously with Stuxnet in 2009, which targeted a nuclear enrichment plant in Natanz.
The first major result of this was the Shamoon campaign, which affected 30,000 computers at Saudi Aramco and RasGas, with huge financial implications.
This was followed by attacks on the US banking industry in 2012 (Operation Ababil) and against US officials in 2014 (Operation Newscaster).
"We witnessed a shocking amount of access into the deepest parts of these companies and the airports in which they operate," the report states.
The hackers were able to gain almost unfettered access to the systems of the companies, with Active Directory domains fully compromised along with switches, routers and the internal networking infrastructure.
In parallel, the hackers have been targeting airlines, and according to the report, have breached both cyber and physical assets at major airline operators, including at least one large US airline.
"The end goal is not known"
While Cylance has been monitoring the hacker group for two years, it is still in the dark about much of its operations and goals, and that is why it has decided to publish what it knows now:
"We believe our visibility into this campaign represents only a fraction of Operation Cleaver's full scope. We believe that if the operation is left to continue unabated, it is only a matter of time before the world's physical safety is impacted by it."
"We are exposing this cyber-campaign early in an attempt to minimise additional real-world impact and prevent further victimisation."
The report concludes worryingly: "The end goal of this operation is not known at this time."
Iran has labelled the report "baseless and unfounded", believing it to be an attempt to tarnish the government and hamper the ongoing nuclear talks.
Cylance CEO Stuart McClure, however, says his company's report "refrained from exaggeration and embellishment", limiting itself to reporting "only that which can be definitively confirmed".