
“Operation Cleaver” Blade Dulled

Phil Hagen
“Operation Cleaver” targets, from Cylance report

“Operation Cleaver” is an attack campaign Cylance details in a new report.  They contend that an Iran-based attack group has compromised hundreds of targets in multiple countries and industries.  Regardless of the attribution claims, the message is clear: well-financed, strategically focused attack groups continue to digitally plunder their targets.  As a community, our decades-old approach to network and information security simply isn’t working.  Attackers trivially thwart million-dollar defensive platforms simply by re-configuring their tooling.

Red Canary does things differently.  Our clients already have full awareness when the current generation of tools in the “Operation Cleaver” toolbox executes, without relying solely on outdated methods such as file and network signatures.  Instead, our technology behaviorally profiles endpoint observations and flags suspicious events based on their core characteristics: how the process was initiated, its underlying capabilities, and more.  Flagged events are enriched with traditional intelligence signatures before our team of human threat analysts vets each and every one.  Events validated as true threats result in a timely detection notification carrying every indicator of compromise the client needs to fully remediate the threat and scope their environment for additional sources of concern.

Because Red Canary uses endpoint behavioral detection enriched with intelligence and traditional indicators, our clients continue to receive best-of-breed detection even when the “Operation Cleaver” attack group inevitably changes its infrastructure, malware, and other traditionally observable signatures.
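To make the contrast between the two approaches concrete, here is an added example (not Red Canary’s code, and not anything from the Cylance report) that runs a hash-based indicator check and a behavior-based rule over a few constructed endpoint process-start events. The event fields, the sample “implant” bytes, the office-application and interpreter name lists, and the user-writable path heuristic are all assumptions made for the demonstration. The point it shows is the one made above: rebuilding the binary changes its hash and defeats the signature, but the parent/child relationship and launch context that the behavioral rule keys on are unchanged.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One endpoint process-start observation (constructed field set)."""
    parent_image: str   # basename of the launching process
    image_path: str     # full path of the new process
    file_bytes: bytes   # stands in for the executable's on-disk contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "malware": the build a hash indicator was written for, and a
# rebuilt variant whose bytes (and therefore hash) differ. Neither does anything.
KNOWN_BUILD = b"constructed-sample-build-1"
REBUILT_BUILD = b"constructed-sample-build-2"

# Signature-style indicator list: it only knows the first build.
HASH_INDICATORS = {sha256_hex(KNOWN_BUILD)}

# Behavior-style rule inputs (assumed lists for the demonstration).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def signature_match(ev: ProcessEvent) -> bool:
    """Traditional check: does the file hash appear in the indicator list?"""
    return sha256_hex(ev.file_bytes) in HASH_INDICATORS


def behavior_match(ev: ProcessEvent) -> bool:
    """Behavioral check: an office application launching either a command
    interpreter or an executable living in a user-writable directory.
    This looks at how the process was initiated, not at its bytes."""
    parent = ev.parent_image.lower()
    path = ev.image_path.lower()
    child = path.rsplit("\\", 1)[-1]
    if parent not in OFFICE_APPS:
        return False
    spawned_interpreter = child in INTERPRETERS
    from_user_writable = any(marker in path for marker in USER_WRITABLE_MARKERS)
    return spawned_interpreter or from_user_writable


def evaluate(ev: ProcessEvent) -> dict:
    return {"signature": signature_match(ev), "behavior": behavior_match(ev)}


# Constructed events: the original build, a rebuilt and renamed copy of it, and
# a benign launch of an installed application by the desktop shell.
SAMPLE_EVENTS = [
    ProcessEvent("winword.exe",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 KNOWN_BUILD),
    ProcessEvent("winword.exe",
                 r"C:\Users\alice\AppData\Local\Temp\svchelper.exe",
                 REBUILT_BUILD),
    ProcessEvent("explorer.exe",
                 r"C:\Program Files\Vendor\app.exe",
                 b"constructed-benign-application"),
]


def run_samples() -> list:
    """Evaluate every sample event; returns one verdict dict per event."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ev.parent_image} -> {ev.image_path}: {verdict}")
```

Only the first event trips the hash indicator; the rebuilt copy slips past it while the behavioral rule still fires, and the benign launch triggers neither. In practice the behavioral layer is where the enrichment and analyst review described above would attach, since a rule like this produces candidates to vet rather than confirmed detections.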

We’re also looking for hundreds of other behaviors, combined with thousands of intelligence indicators, that will help flag the next attack group or operation long before a report is published.  Attack groups will not become less sophisticated as time goes on – so why should your information security posture rely on the same means of detection?
