Cleaver
MITRE: G0003
Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).
Cleaver is an advanced persistent threat (APT) group whose activity was first publicly documented in December 2014, when Cylance published its Operation Cleaver report; the group is assessed to be operated by Iranian actors, consistent with the attribution above. Cleaver targets a wide range of industries, including finance, government, military, telecommunications, and energy, among others. Once inside a victim network, the group can exfiltrate sensitive information or position itself for sabotage. Cleaver is rated a high-level threat because of its operational sophistication and its demonstrated ability to remain undetected in victim environments for extended periods.
Tactics, techniques, and procedures (TTPs):
Cleaver gains initial access through spear-phishing emails, watering hole attacks, and malware delivered to targeted systems. To avoid detection over long dwell times, the group favors stealth: activity that resembles ordinary user or administrator behavior, and command-and-control traffic that blends in with normal network traffic. Cleaver is also highly persistent, continuing to exploit vulnerabilities and re-establishing control over compromised systems even after its presence has been detected and partially remediated, so incident response should assume the group will return unless every foothold is found. The group is reported to use deeper-access techniques such as rootkit installation, kernel-level malware, and memory injection, which means detection that relies only on on-disk indicators may miss it; memory and kernel-level inspection is warranted. Overall, Cleaver is classified as an APT because it combines these tactics in a coordinated way to achieve its objectives.