Introduction
Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver [5]. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889) [6].
Activities and Tactics
Targeted Sectors: Defense, Energy, Technology, Government, Administration, Academia - University, Private sector, Chemical, Engineering, Finance, Telecoms, Civil society, Other
Country of Origin: Iran
Risk Level: High
First Seen: 2014
Last Activity: 2014
Incident Type: Espionage
Suspected Victims: Canada, France, Israel, Mexico, Saudi Arabia, China, Germany, United States, Pakistan, South Korea…
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1003.001 LSASS Memory
- T1557.002 ARP Cache Poisoning
- T1588.002 Tool
- T1587.001 Malware
- T1585.001 Social Media Accounts
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes one public report that may contain IOCs; see Attribution and Evidence and the References below for dataset links.
Malware and Tools
- CyberGate
- Arabian-Attacker RAT
- Cyber Eye RAT
- Xploit
MITRE ATT&CK Software
- Net Crawler (S0056) – malware
- PsExec (S0029) – tool
- TinyZBot (S0004) – malware
- Mimikatz (S0002) – tool
Attribution and Evidence
Country of Origin: Iran
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK.
[5] Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
[6] Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.