In April 2010, a worm called Stuxnet, allegedly developed jointly by the United States and Israel, targeted Siemens industrial control systems (ICS) in developing nations such as Iran (~59%), Indonesia (~18%), and India (~8%). The Stuxnet infection included a programmable logic controller (PLC) rootkit designed to spy upon, subvert, and in some cases sabotage the Siemens supervisory control and data acquisition (SCADA) systems that regulated specific industrial processes. In particular, Stuxnet variants were deployed by a nation-state actor against Iranian industrial facilities associated with its nuclear program, such as uranium enrichment facilities. The Stuxnet infection was discovered three months later, but variants continued to compromise Iranian systems through 2012. Iran’s nuclear infrastructure and its oil and gas infrastructure were also targeted by the Duqu malware from 2009 to 2011 and by the Flame malware in 2012. In response to these adversarial cyber warfare campaigns, Iran began rapidly developing its own cyber warfare infrastructure. In December 2014, Cylance exposed the Iranian threat actor Tarh Andishan in the white paper on its two-year Operation Cleaver investigation.
Tarh Andishan was likely established in response to the Stuxnet, Duqu, and Flame campaigns. Iran may be demonstrating to global targets that it is a major cyber warfare power, capable of competing with countries such as the United States, China, and Russia on the global cyber landscape. Cylance released the Operation Cleaver report early, to give potential targets the opportunity to mitigate the threat to their systems, and so estimates that it discovered only a portion of Tarh Andishan’s activity. Nevertheless, Cylance managed to build an impressive profile of Tarh Andishan’s operation, including hacker profiles, domain names, internal infrastructure, and indicators of compromise.
Saturday, August 25, 2018
Tarh Andishan