Who are the hackers claiming to have started a fire in Iran?


The steelworks just before the fire

It is extremely rare for hackers operating in the digital world to wreak havoc in the physical world.

But a cyberattack on a steelmaker in Iran two weeks ago is seen as one of those significant and troubling moments.

A hacking group called Predatory Sparrow said they were behind the attack that caused a major fire and released video to back up their story.

The video appears to be CCTV footage of the incident, showing factory workers exiting part of the facility before a machine begins spewing molten steel and fire. The video ends with people pouring water on the fire with hoses.

In another video that has surfaced online, factory workers can be heard yelling for the fire department to be called and describing damage to equipment.

Predatory Sparrow, also known by its Persian name Gonjeshke Darande, says it was one of three attacks it carried out on June 27 in response to unspecified “acts of aggression” by the Islamic Republic against Iranian steelmakers.

The group has also started sharing gigabytes of data it allegedly stole from the companies, including confidential emails.

On its Telegram page, Predatory Sparrow wrote: “These companies are subject to international sanctions and are continuing to operate despite the restrictions. These cyber attacks are carefully carried out to protect innocent people.”

That last sentence got the cybersecurity world to sit up and take notice.

The hackers clearly knew they might be putting lives at risk, but it seems they went to great lengths to ensure the factory floor was empty before launching their attack – and they were equally anxious to make sure everyone knew how careful they were.

This has led many to question whether Predatory Sparrow is a professional and tightly regulated team of government-sponsored military hackers, who may even be required to conduct risk assessments before launching an operation.

“They claim to be a group of hacktivists, but given their sophistication and massive influence, we believe the group is either run or sponsored by a nation state,” said Itay Cohen, director of cyber research at Check Point Software.

Predatory Sparrow has a Telegram channel, a Twitter account, and even a logo

Iran has been the victim of a recent spate of cyber attacks that have had real-world impact, but not as severe as this one.

“If it turns out to be a state-sponsored cyberattack that causes physical — or in war studies jargon, ‘kinetic’ damage — it could be of enormous significance,” says Emily Taylor, editor of Cyber Policy Journal.

“In the past, the 2010 Stuxnet attack on Iran’s uranium enrichment facilities has been highlighted as one of the few – if not the only known – example of a cyberattack that caused physical damage.”

Stuxnet was a computer virus, first discovered in 2010, that damaged or destroyed centrifuges at Iran’s Natanz uranium enrichment facility and disrupted Iran’s nuclear program.

Since then, there have been very few confirmed cases of property damage.

A handout from the Iranian government showing work at the Natanz nuclear facility

Natanz is heavily protected, with its most sensitive machinery housed deep underground

Perhaps the only one was in Germany in 2014. The annual report of Germany’s cyber agency found that a cyber attack caused “massive damage” at a steel mill and prompted an emergency shutdown, but never gave further details.

There have been other cyber attacks that could have done serious damage but were unsuccessful. For example, hackers have tried but failed to insert chemicals into water supplies by taking control of water treatment plants.

It is more common for cyberattacks to cause disruption – for example in transport networks – without causing real physical damage.

Emily Taylor says it’s a significant difference because if a state is shown to have caused physical harm to Iran’s steel mill, it may have violated international laws prohibiting the use of force and provided Iran with legal grounds to retaliate.

So if Predatory Sparrow is a state-sponsored military hacking group, which country does it represent? Its name, a play on the name of the Iranian cyber-warfare group Charming Kitten, may indicate that it is a country with a keen interest in Iran.

It is widely believed that the Stuxnet attack was carried out by Israel with US support. And this time, the murmurs linking the Predatory Sparrow attack to Israel were loud enough to provoke a response from the Israeli government.

According to Israeli media reports, Defense Secretary Benny Gantz has ordered an investigation into leaks that led Israeli journalists to strongly suggest Israel was behind the hack.

The minister is reportedly concerned that Israel’s “policy of ambivalence” may have been broken in its operations against Iran.

“If this cyber attack is state-sponsored, then of course Israel is the prime suspect. Iran and Israel are engaged in a cyber war and both states officially recognize this,” says Ersin Camututoglu of the Center for Iranian Studies in Ankara.

“Both states are organizing cyber attacks on each other through their intelligence agencies and everything has escalated since 2020 when Israel retaliated after Iran launched a failed cyber attack on Israeli water infrastructure systems and attempted to disrupt chlorine levels.”

Predatory Sparrow hijacked street signs to spread chaos in Iran

Last October, Predatory Sparrow took responsibility for taking Iran’s national gas station payment system offline. The group also said they were behind a hack that hijacked digital billboards on streets and tricked them into displaying a message that read, “Khamenei, where’s our fuel?” – a nod to the country’s supreme leader, Ayatollah Ali Khamenei.

Again, the hackers showed a degree of responsibility by warning Iran’s emergency services in advance of the potential chaos that could ensue.

Check Point researchers say they also found code in the malicious software used by Predatory Sparrow that matches code used by another group called Indra, which hacked Iranian train station displays last July.

According to Iranian news reports, hackers altered information boards at train stations across the country to say that trains were cancelled or delayed, and urged passengers to call the supreme leader.

But experts say the attack on the steel mill is a sign the stakes are getting higher.

In August 2021, displays in train stations were hacked, causing confusion for train users

According to the CEO of the Mobarakeh Steel Company, where the fire appears to have occurred, the plant’s operations were unaffected by the attack and no one was injured. The other two companies affected also said they had had no problems.

Narim Gharib, a UK-based Iranian opposition activist and independent cyberespionage investigator, is convinced the video is genuine. He notes that two other videos of the fire were also posted to Twitter.

“The attack was real when workers recorded video from a different angle and we saw a statement on a company’s Telegram channel about shutting down the production line, which was later denied.”

He fears that a threshold has now been crossed.

“If Israel is behind these attacks, I think they show that they can cause real damage, rather than just disrupting a service. It shows how things can escalate quickly.”
