Press Release

Cylance's 'Operation Cleaver' Report Exposes Coordinated Cyber Attacks on Global Critical Infrastructure by Iran-Based Hackers

Press + Media Contact
Cylance PR Team
Cylance Inc.

More than 50 Companies, Facilities, and Organizations Across 15 Industries Worldwide Infiltrated in Two Year Campaign Report Discloses the Advancement of Iranian Hackers in Targeting Global Critical Infrastructure

Irvine, CA -- (December 2, 2014)  – Cylance, the first math-based advanced threat detection and prevention cybersecurity company, today released a report detailing coordinated attacks by hackers with ties to Iran on more than 50 targets in 16 countries around the globe. Victim organizations were found in a variety of critical industries, with most attacks on airlines and airports, energy, oil and gas, telecommunications companies, government agencies and universities.

The report – titled “Operation Cleaver” because the Cleaver name was included several times in the custom software used in the cyber hacks – covers more than two years of attacks by individual contractors and a hacking team fronting as a construction engineering company based in Tehran. Through custom and publicly available tools that use, among other methods, SQL Injection, spear phishing, and water holing attacks, the group was able to extract highly sensitive and confidential materials and compromise networks with persistent presence to such a severity that they have control over networks of victims in 16 countries. Cylance found significant victims in Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates and the United States.

“We discovered the scope and damage of these operations during investigations of what we thought were separate cases,” said Stuart McClure, CEO of Cylance. “Due to the choice of critical infrastructure victims and the Iranian team’s quickly improving skillset, we are compelled to publish this report. By exposing our intelligence on Cleaver, we hope the information we share can reveal the techniques and tools of this group, drawing global attention to attacks on critical infrastructure and preventing attacks which could endanger human lives.”

The attackers extracted large amounts of data, including swaths of sensitive employee information and schedule details; identification photos; information about airport and airline security; and PDFs of network, housing, telecom, and electricity diagrams suggesting the attacks may have other motives than financial or intellectual property. The targets belong to one of five groups:

Oil and Gas/Energy/Chemical – Targets discovered include a company specializing in natural gas production, electric utilities organizations, as well as a variety of oil and gas providers. This group was a particular focus of the hackers.

Government/Defense – Targets discovered include a large defense contractor and major U.S. military installation. Cylance can confirm one of those targets was San Diego’s Navy Marine Corp Intranet, where unclassified computers were hacked.

Airports/Transportation – Targets discovered include airports, major airlines, an automobile manufacturer, as well as transportation networks. The most concerning evidence collected was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan.

Telecommunications/Technology – Targets discovered include telecom and technology companies in several countries.

Education/Healthcare – Targets discovered include multiple colleges and universities, often with an emphasis on medical schools. Large amounts of data on foreign students have been taken, including images of passports and social security cards.

Cylance discovered these coordinated attacks when it was contracted to investigate multiple security breaches across a variety of organizations. Through its fundamentally new approach of applying math and machine learning to cybersecurity, Cylance uncovered previously undetected malware and attacks tied to the hacker team. Cylance is committed to responsible disclosure, and has notified all known victims discovered during its investigation, prior to the publishing of this report.

The full report with details on the sources and techniques can be accessed

About Cylance® Inc.

Cylance is the only company to offer a preventive cybersecurity solution that stops advanced threats and malware at the most vulnerable point: the endpoint. Applying a revolutionary artificial intelligence approach, the Cylance endpoint security solution, CylancePROTECT®, analyzes the DNA of code prior to its execution on the endpoint to find and prevent threats others can’t, while using a fraction of the system resources associated with endpoint antivirus and detect and respond solutions that are deployed in enterprises today. For more information visit:


Cylance and CylancePROTECT are registered trademarks or trademarks owned by Cylance Inc. in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks are the property of their respective owners.


We use cookies to provide you a relevant user experience, analyze our traffic, and provide social media features. Read More