# Iran's Operation CLEAVER in Action

This is the attack plan used by the Iranian cyber team that hit Saudi's networks. The link is via @daveaitel, https://wikileaks.org/saudi-cables/doc129906.html

The interesting thing is that they get the target to install a tool to infect him with malware. You don't need 0day if your target downloads and runs an app from a link you supply. Clever to use a MICE approach too, "Get more money and a better job here! Just download and run this tool!" -- @thegrugq

Source and chronology of incident:

- Social engineering activities took place to gather data about the targeted system admin (suspected to be through available info on his LinkedIn profile). [4.4 LinkedIn Profile]
- A targeted email was sent to MOFA's system admin on 14th July 2014 offering a job opportunity that meets his qualifications. [4.5 Job Offer – 14th July, 2014]
- The email had a link to download a résumé creation suite (EasyResumeCreatorPro) that submits résumés to the fake employer Teledyne. [4.6 Submitting CV – 21st July 2014]
- The targeted user was duped into submitting personal information that was captured by the malware. [4.7 Capture Credentials – 21st July 2014]
- While the user entered this information, his machine was infected with TinyZBot malware.
- The domain teledyne-jobs.com was registered by davejsmith200@outlook.com on 20th July, 2014 (the day the email was sent to MOFA's admin). The last update on the website was on 2nd December, 2014 (the same day the Operation Cleaver report was released by Cylance).
- Forensic evidence showed that the targeted user updated his résumé on 22nd July 2014, indicating his interest in submitting it to the fake employer. [4.8 Updating CV – 22nd July 2014]
- Access to MOFA's network is suspected to have been carried out using anonymous FTP and SOAP (checkupdate.asmx) to suspicious servers. [4.9 FTP Connection - 25th July 2014]
- Remote access to MOFA's environment through the VPN portal using the compromised user account has been detected since 25th July 2014. [4.10 Remote Connection [VPN] - 25th July 2014]
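The chronology above gives a defender four things to hunt for after the fact: first contact with a domain registered days earlier (teledyne-jobs.com, registered 20th July 2014), requests to a SOAP endpoint (checkupdate.asmx), outbound FTP from a workstation, and VPN logons by the account that was phished. The following script is an added example, not code from the leaked document or from @thegrugq's post; it runs those four checks over constructed proxy and VPN log lines. The log line formats, the account name `mofa\sysadmin`, the IP addresses and the sample lines are all hypothetical; only the domain, its registration date and the `.asmx` endpoint come from the chronology.

```python
"""Hunt for the Cleaver-style attack chain over constructed log lines.

Added example; log format, account name and addresses are hypothetical.
"""
from datetime import date, datetime
from urllib.parse import urlsplit
import re

# Registration date of the lure domain as stated in the chronology.
REGISTERED = {"teledyne-jobs.com": date(2014, 7, 20)}
# Accounts known (or suspected) to be compromised; hypothetical name.
WATCHED_ACCOUNTS = {"mofa\\sysadmin"}
# A domain first contacted within this many days of registration is suspicious.
NEW_DOMAIN_DAYS = 30

# Hypothetical proxy line: "<iso-timestamp> <user> <method> <url>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
# Hypothetical VPN line: "<iso-timestamp> vpn logon user=<user> src=<ip>"
VPN_RE = re.compile(
    r"^(?P<ts>\S+)\s+vpn\s+logon\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")


def hunt(proxy_lines, vpn_lines):
    """Return (rule, user, detail, timestamp) tuples for every hit."""
    findings = []
    watched = {a.lower() for a in WATCHED_ACCOUNTS}

    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format; skip it
        ts = datetime.fromisoformat(m["ts"])
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()

        # Rule 1: contact with a domain registered shortly before the request.
        reg = REGISTERED.get(host)
        if reg is not None and 0 <= (ts.date() - reg).days <= NEW_DOMAIN_DAYS:
            findings.append(("new-domain", m["user"], host, m["ts"]))

        # Rule 2: SOAP web-service endpoint (.asmx) reached from a workstation.
        if url.path.lower().endswith(".asmx"):
            findings.append(("soap-endpoint", m["user"], host + url.path, m["ts"]))

        # Rule 3: outbound FTP (anonymous FTP was suspected as an access channel).
        if url.scheme.lower() == "ftp":
            findings.append(("outbound-ftp", m["user"], host, m["ts"]))

    for line in vpn_lines:
        m = VPN_RE.match(line.strip())
        if not m:
            continue
        # Rule 4: VPN logon by an account on the compromised-account watch list.
        if m["user"].lower() in watched:
            findings.append(("vpn-compromised-account", m["user"], m["src"], m["ts"]))

    return findings


# Constructed sample lines; not real logs from the incident.
SAMPLE_PROXY = [
    "2014-07-21T10:15:02 mofa\\sysadmin GET http://teledyne-jobs.com/apply",
    "2014-07-25T09:12:03 mofa\\sysadmin POST http://teledyne-jobs.com/checkupdate.asmx",
    "2014-07-25T09:40:10 mofa\\sysadmin GET ftp://203.0.113.5/pub/",
    "2014-07-25T11:00:00 mofa\\clerk GET http://example.com/index.html",
]
SAMPLE_VPN = [
    "2014-07-25T22:40:11 vpn logon user=mofa\\sysadmin src=198.51.100.7",
    "2014-07-26T08:05:30 vpn logon user=mofa\\clerk src=192.0.2.44",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROXY, SAMPLE_VPN):
        print(*finding)
```

Against the sample lines the script raises five findings: two for the newly registered domain, one for the `.asmx` endpoint, one for outbound FTP and one for the VPN logon by the watched account; the clerk's traffic produces nothing. The registration-age check only works if you already hold WHOIS data for the host, which is why `REGISTERED` is a lookup table here; in practice it would be fed from a WHOIS or passive-DNS source.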