Stuxnet’s attack on Iran’s uranium enrichment facilities manifested fears of cyberattacks leaking into the real world. What once was theory is now upon us.
Two weeks ago, multiple Iranian steel facilities experienced a cyberattack that might have been pulled off by what many cybersecurity experts in the field believe is “a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.”
The group that claimed responsibility for the attack goes by the nom de hack Predatory Sparrow.
The victim organizations are the Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO).
Some say Predatory Sparrow’s name is a play on “Charming Kitten”, the name of the notorious Iranian APT (advanced persistent threat) group. Although Predatory Sparrow has its own social media accounts, these are not searchable under the English nom but under its Persian equivalent, Gonjeshke Darande.
The attackers caused the foundry to spew hot molten steel and fire onto the factory floor, but not until workers had already cleared the area, unaware of what was about to happen. The timing of the group’s attack is deliberate.
A video captured during one of these attacks was shared on its social platforms as proof. It already has 200,000 views.
“Today, 27/06/2022, we, ‘Gonjeshke Darande’, carried out cyberattacks against Iran’s steel industry which affiliated [sic] with the IRGC and the Basij,” a caption within the video reads. “These companies are subject to international sanctions and continue their operations despite the restrictions.”
“These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic.”
The public office of the Iranian National Cyberspace Center confirmed the attacks, blaming the incidents on “foreign enemies.” The outcome triggered a temporary shutdown of facilities. The public office also claimed, “Security systems quickly took action to contain and repel the effects.”
According to sources close to the two organizations affected by the attack, the only reason severe damage wasn’t done to the production line was that it was switched off at night due to power supply restrictions. The attack “is understood” to have occurred between midnight and 6 AM, Tehran time. The systems affected by the attack are the production and security systems.
At this point, no one knows whether Predatory Sparrow is a state-sponsored group. Or is it merely a group of hacktivists out to punish corporations they see as crossing the line?
“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” Emily Taylor, editor of the Cyber Policy Journal, told the BBC.
Ersin Cahmutoglu, a cybersecurity researcher from ADEO Cyber Security Services, also has a theory. “If this cyberattack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”
“Both states mutually organise cyberattacks through their intelligence services and everything has escalated since 2020 when retaliation came from Israel after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”
UK-based Iranian activist and independent cyberespionage investigator Nariman Gharib also shared his thoughts: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.”
Last week, Predatory Sparrow leaked “top secret documents and tens of thousands of emails”, along with “trading practices” from the steel makers it attacked.
The post Predatory Sparrow massively disrupts steel factories while keeping workers safe appeared first on Malwarebytes Labs.