Cyber Warfare – Truth, Tactics, and Strategies

By: Dr. Chase Cunningham
Overview of this book

The era of cyber warfare is now upon us. What we do now and how we determine what we will do in the future is the difference between whether our businesses live or die and whether our digital self survives the digital battlefield. Cyber Warfare – Truth, Tactics, and Strategies takes you on a journey through the myriad of cyber attacks and threats that are present in a world powered by AI, big data, autonomous vehicles, drones video, and social media. Dr. Chase Cunningham uses his military background to provide you with a unique perspective on cyber security and warfare. Moving away from a reactive stance to one that is forward-looking, he aims to prepare people and organizations to better defend themselves in a world where there are no borders or perimeters. He demonstrates how the cyber landscape is growing infinitely more complex and is continuously evolving at the speed of light. The book not only covers cyber warfare, but it also looks at the political, cultural, and geographical influences that pertain to these attack methods and helps you understand the motivation and impacts that are likely in each scenario. Cyber Warfare – Truth, Tactics, and Strategies is as real-life and up-to-date as cyber can possibly be, with examples of actual attacks and defense techniques, tools, and strategies presented for you to learn how to think about defending your own systems and data.
Tit-for-Tat cyber warfare

Over the next few years, the Iranians would not simply sit idly by and take a position of non-response to the Stuxnet attacks. They quickly upped their cyber operations game and responded in kind. In 2012, Operation Cleaver, the Iranian response to Stuxnet, was launched. The targets for the operators of Cleaver included militaries, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments. Other cyber-attacks had been launched in retaliation for the Stuxnet attacks, namely Shamoon and Operation Ababil. These attacks were targeted at the US banking systems and Saudi Arabian oil operations. Those attacks were significant but did not result in much other than a financial hit on the banks that were targeted and on the oil facilities' ability to ship oil.

Operation Cleaver was a direct response to the Stuxnet attack, but it was not entirely the same in its actions. Where Stuxnet was focused on causing physical damage in a relatively short timeframe on the Iranian nuclear centrifuges, Cleaver was more of a long-term ploy. Operation Cleaver was grander in scale in that it targeted essentially any "low-hanging fruit" that might contain intellectual property or data that could be used to gain an economic advantage in trading by the Iranians. Everything from the US Navy/Marine Corps Intranet, known as NMCI, critical infrastructure providers, and airline operations groups to educational organizations was hit.

The Iranian malware that was used showed that they had learned lessons in malware construction and design thanks to their post-attack analysis of the Stuxnet tools. The Operation Cleaver malware attacked systems in a similar vein to Stuxnet. Cleaver malware would find a vulnerable target, conduct an exploit, worm deeper into the network, and then use command and control infrastructure to funnel data out of the compromised environment.

Just as Stuxnet had packaged its exploits and leveraged the network itself to find its ultimate target, so too did Cleaver. However, where Stuxnet was an elegant clandestine piece of malware, a digital scalpel, the tooling for Cleaver was an overt packaging of open exploits that hammered away at systems and did little to conceal its tracks, a sledgehammer. Ordinary cyber security providers were able to gather instances of Cleaver malware samples and find highly evident domains and sites that were openly registered to Iranian-affiliated organizations. Many analysts, as well as US and Allied government officials, noted after the Cleaver attacks that the reason this malware campaign was not more subtle was that it was a show of force by the Iranians.