For more than two years, pro-Iranian hackers have penetrated some of the world's most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.

In many cases, "Operation Cleaver," as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world's critical infrastructure. Cylance researchers wrote:

Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the Cleaver team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials. They gained access to PayPal and Go Daddy credentials allowing them to make fraudulent purchases and allow[ing] unfettered access to the victim’s domains. We were witnessed [sic] a shocking amount of access into the deepest parts of these companies and the airports in which they operate.

Tuesday's 86-page report relies on circumstantial evidence to arrive at the conclusion that the 20 or more hackers participating in Operation Cleaver are backed by Iran's government. Members take Persian handles such as Salman Ghazikhani and Bahman Mohebbi; they work from numerous Internet domains, IP addresses, and autonomous system numbers registered in Iran; and many of the custom-configured hacking tools they use issue warnings when their external IP addresses trace back to the Middle Eastern country. The infrastructure supporting the vast campaign is too sprawling to be the work of a lone individual or small group; it could only have been sponsored by a nation state.

Avenging Stuxnet

The disclosure of Operation Cleaver comes 28 months after highly destructive malware known as Shamoon permanently destroyed data on more than 30,000 computers belonging to Saudi Aramco and RasGas, two large natural gas producers located in Saudi Arabia and Qatar respectively. Around that same time, a series of extremely disruptive denial-of-service attacks knocked out access to major US banks. A year earlier, in August 2011, hackers penetrated the Dutch certificate authority DigiNotar and made off with digital certificates for Gmail and other high-profile sites. Some security researchers have said that Iran was behind all three hacks as part of an effort to retaliate for Stuxnet, Duqu, and Flame, malware campaigns widely believed to have been orchestrated by the US and Israel to monitor and disrupt Iran's nuclear programs.

"Iran's cyber sophistication has grown rapidly since the dawn of Stuxnet and they have used hard dollars combined with national pride to help build their cyber army," the Cylance report stated. "Few doubt their commitment as a government and nation state to funding and recruiting cyber warriors to infiltrate and damage their enemies. And it has been commonly postulated that almost all activity since 2010 coming out of Iran is associated with retaliation for Stuxnet/Duqu/Flame, which seems natural given the severity of the impact."

Most of the Operation Cleaver attacks detected by Cylance began with small incursions into a target system, using techniques such as SQL injection exploits to pipe commands into the back-end server of a website. From there, the hackers elevated their access by targeting unpatched vulnerabilities such as MS08-067. The attackers would then install a battery of customized tools on the servers that gave them a variety of capabilities. In at least one case, a target's private signing certificates were captured, allowing the team to compromise the rest of the target's infrastructure. Unlike Stuxnet, there's no evidence any zero-day vulnerabilities were exploited.
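The initial foothold described above, SQL injection against a website's back end, comes down to untrusted input being spliced into the text of a query. The following is an added illustration, not code from the Cylance report or from any victim system: a constructed in-memory SQLite table stands in for the site's database, and the same lookup is written once with string formatting (the defect) and once with a bound parameter (the fix), so the difference in behaviour can be observed directly. The table, the usernames and the lookup functions are all assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for a website's back-end database (not a real victim system).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The defect: the caller's input becomes part of the SQL statement itself,
    # so a quote character in the input changes the statement's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # The fix: the statement is fixed text and the value is bound separately,
    # so the input can only ever be compared against the name column.
    rows = conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def demo():
    # Classic tautology input; the vulnerable query's WHERE clause becomes
    # name = '' OR '1'='1', which is true for every row.
    conn = build_db()
    crafted = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
        "legitimate": lookup_parameterized(conn, "alice"),
    }

if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:14s} -> {names}")
```

The same principle applies whatever driver or language the back end uses: the structure of the statement must be fixed before any user-controlled value reaches it, and a prepared statement or bound parameter is the mechanism that guarantees that.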

Over the past two years, Cylance has collected more than eight gigabytes of data connected to the campaign, including 80,000 files of captured data, hacker tools, victim logs, and highly sensitive reconnaissance data. The researchers retrieved the data by using the Internet's domain name system to divert traffic traveling between compromised systems and the attackers' command and control servers, a process known as "sinkholing."
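Sinkholing works because compromised hosts resolve their command-and-control domains through DNS; once those names point at a server the researchers control, every beacon identifies an infected machine. The defender's side of the same idea is to watch resolver logs for lookups of known-bad names. The script below is an added example, not part of the article or the Cylance report: it parses a few constructed dnsmasq-style log lines and reports which internal clients queried a sinkholed domain or any subdomain of it. The domains in the list are obvious placeholders, not indicators from the report, and the log format and client addresses are likewise made up for the example.

```python
import re
from collections import defaultdict

# Placeholder names standing in for sinkholed C2 domains; these are NOT
# indicators from the Cylance report.
SINKHOLED_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}

# Constructed resolver log lines in a dnsmasq-like format.
SAMPLE_LOG = """\
Dec 02 10:14:03 resolver dnsmasq[812]: query[A] www.example.org from 10.1.4.22
Dec 02 10:14:07 resolver dnsmasq[812]: query[A] c2-placeholder.example from 10.1.4.22
Dec 02 10:14:09 resolver dnsmasq[812]: query[A] mail.example.org from 10.1.7.5
Dec 02 10:15:41 resolver dnsmasq[812]: query[A] files.c2-placeholder.example from 10.1.9.13
Dec 02 10:16:02 resolver dnsmasq[812]: query[AAAA] update-placeholder.example from 10.1.4.22
"""

# Captures the queried name and the client that asked for it.
LINE_RE = re.compile(r"query\[\w+\] (?P<qname>\S+) from (?P<client>\S+)")

def matches_sinkhole(qname, sinkholed=SINKHOLED_DOMAINS):
    """True if qname is a sinkholed domain or a subdomain of one."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in sinkholed)

def hosts_contacting_sinkhole(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Map each client address to the sorted set of sinkholed names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_sinkhole(m["qname"], sinkholed):
            hits[m["client"]].add(m["qname"].lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in hosts_contacting_sinkhole(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

Matching on subdomains matters because malware frequently prefixes a campaign domain with host- or victim-specific labels; an exact-match list would miss those. In practice the list of names would come from a threat-intelligence feed or from the indicators published with a report such as Cylance's, and the log source would be the organisation's own resolvers.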

Only a fraction detected

In all, 50 targets in 16 countries are known to have been compromised. The tally includes 10 victims in the US, four in Israel, and five in Pakistan. Groups in the UK, France, Germany, and numerous Middle Eastern countries were also hit. The Cylance report includes in-depth technical details to help system administrators determine if their systems were compromised.

Cylance researchers said they believe they detected only a fraction of the targets penetrated by Operation Cleaver. Given that the campaign has been active for more than two years, they warned that time may be running out.

"We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted by it," they wrote. "While the disclosure of this information will be a detriment to our ability to track the activity of this group, it will allow the security industry as a whole to defend against this threat. As such, we are exposing this cyber campaign early in an attempt to minimize additional real-world impact and prevent further victimization."