#nation-state #iran #espionage

Operation Cleaver

An Iranian group quietly burrowed into airlines, energy companies, telecoms, and a US military contractor, mapping the kind of targets a state would want to keep a key to.

Cyber Chronicle · 2 min read

In December 2014, the security firm Cylance published a report on a multi-year intrusion campaign it called Operation Cleaver. The targets spanned more than fifty organizations across sixteen countries — airlines, oil and gas producers, transportation infrastructure, defense contractors, and at least one US military air-base contractor. The operators were Iranian.

A pivot from defense to offense

Cleaver was significant in part for what it implied about Iran's trajectory. Until then, public reporting on Iranian cyber activity had focused on incidents like Shamoon — destructive, retaliatory wipers. Cleaver described something else: long-term, patient access into systems whose operational details would be useful in a future crisis.

The report named individual operators by handle, traced infrastructure back to a Tehran-based contractor, and presented a body of forensic evidence that defined a new tier of Iranian capability. The targets' profile — particularly the airline and air-base inclusions — suggested an intent to maintain footholds in physical-world systems, not just steal documents.

The downstream chain

Several of the actors named in Cleaver reappeared in subsequent indictments and reporting under different group labels (APT33, APT34, others). The campaign's existence helped reshape Western government posture toward Iran in cyberspace, accelerated information sharing on Iranian tradecraft, and influenced how energy operators across the Gulf approached their own network monitoring.

What the chronicle remembers

In the analyst imagination, Cleaver moved Iran from a state with destructive cyber capability to a state with peer-tier persistent-access capability. The shift mattered. Subsequent regional incidents — and several US sanctions packages — were framed against the Cleaver baseline.