Iran’s steel industry halted by cyberattack

Predatory Sparrow, a little-known hacktivist group, took credit for the hack that halted Iran's steel industry.

 EVEN AFTER THE Cyberserve/Atraf disaster, Bennett is more afraid of overregulation than he is of lacking the power to save the private sector from its own occasional cyber laziness or cheapness. (photo credit: KACPER PEMPEL/ILLUSTRATION PHOTO/REUTERS)

One of Iran’s largest steel companies, Khuzestan Steel Company, was hit by a massive cyberattack on Tuesday, bringing the industry to a grinding halt.

It is unknown what the full extent of the impact could be on Iran’s economy, and even military or nuclear industries, as Tehran prepares to return to nuclear talks with the world powers.

Predatory Sparrow, a still little-known hacktivist group that also took credit for a major October 2021 hack of the country’s gas stations, took credit for the attack.

Tel Aviv University cyber expert Omree Wechsler said as part of the university’s Cyber Week that the hack was noteworthy because the nature of the large industrial systems in play would likely have required intelligence penetration of the facilities, and potentially physical penetration as well.

In this case, there could be some connection between Predatory Sparrow, or whoever else might have carried out the hack, and a nation state with a powerful intelligence agency – such as, for example, the Mossad.

 A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017.  (credit: REUTERS/KACPER PEMPEL/ILLUSTRATION/FILE PHOTO)

Check Point has speculated that some anti-Iran hacktivist groups may get assistance from nation states, and besides Israel, the Islamic Republic could also be under cyberattack by the US, the Saudis, the UAE and others with significant cyber capabilities.

That said, other groups besides the Mossad, including Indra, anti-regime Iranian dissidents, have been responsible for other major attacks.

Previous large cyberattacks

Although Iranian officials claimed that the attack had failed, steel facilities were shut down for an unknown period, so Iran’s assertions were likely either false or referred to its having avoided more substantial damage to the facilities.

On October 26, 2021, there was a sudden outage at every single one of Iran’s 4,300 gas stations nationwide.

The cyberattack shut down a networked system that gave Iranians across the country with government-issued cards access to buy fuel at subsidized prices.

Instead of purchasing their subsidized gas, card users who tried to do so were sent the message “cyberattack 64411.” This was the phone number for the hotline run by Iran Supreme Leader Ayatollah Ali Khamenei’s office.

Predatory Sparrow said in a Telegram post that it carried out the hack in response “to the cyber actions by Tehran’s terrorist regime against the people in the region and around the world.”

In contrast, Brigadier General Gholamreza Jalali, the head of Iran’s Civil Defense Organization, said, “We are still unable to say forensically, but analytically I believe it was carried out by the Zionist regime, the Americans and their agents.”

This analysis is boosted by evidence that the hack had multiple goals beyond the tensions it created between the regime and the public.

Iranian officials saw that the hackers may have accessed data on the country’s global oil sales. Put differently, the cyberattackers may have seized a closely held state secret about exactly how Iran evades international sanctions.

This crucial data is saved on the ministry’s computer servers, an air-gapped system, meaning it is not connected to the internet. So Iran was suspicious not only that Israel was the hacker, but that it had assets inside the Oil Ministry.