Predatory Sparrow operation against Iranian steel maker (2022)

From International cyber law: interactive toolkit
Date: 27 June 2022,[1] between midnight and 6 am IRST.[2]
Suspected actor: A hacking group called Predatory Sparrow (in Persian, Gonjeshke Darande) claimed responsibility for the cyber operation.[1] There is a suspicion that this group might be operated or sponsored by a nation state,[1] because it declared that it carried out the operation carefully to protect innocent individuals and it also warned Iran's emergency services in advance. A possible suspect is Israel;[3] the Israeli Defense Ministry has launched an investigation into such claims.[4]

The operation is also examined in the context of previous operations against Iran attributed to Predatory Sparrow (taking Iran's national fuel station payment system offline in October 2021[5] and the hacking of Iranian train stations in July 2021[6]) and of a failed attempt to raise chlorine in Israel's water supply to dangerous levels.[7] However, other countries such as the United States,[8] Saudi Arabia or the UAE can also be considered, according to Check Point Software.[9]

Target: The Iranian companies Khouzestan Steel Company (KSC), Mobarakeh Steel Company (MSC), and Hormozgan Steel Company (HOSCO) were targeted.[10] All three companies are state-owned.[11]
Target systems: As regards MSC and HOSCO, no significant damage has been reported. As regards KSC, an industrial machine was caused to seriously malfunction, spewing fire and molten steel across the factory floor.[12][13] Allegedly, data containing top secret documents and tens of thousands of emails from these companies on their customers and trading practices, presented as evidence of the companies' affiliation with the IRGC, was exfiltrated.[14]
Method: On its Telegram page, Predatory Sparrow posted that the cyber operation was carried out carefully to protect innocent individuals; the group also warned Iran's emergency services in advance.[1] Check Point Software researchers have pointed out the sophistication of the operation, and they have also found code in the malicious software used by Predatory Sparrow in this cyber operation that matches code used in the hacking of Iranian train stations in July 2021.[15] According to Certfa Lab, a nonprofit cybersecurity and privacy group, the hackers may have gained access through a vulnerability in third-party software rather than through a direct cyber operation against the steel manufacturer's infrastructure.[16] Tel Aviv University expert Omree Wechsler claims that the hack was noteworthy because the nature of the large industrial systems in play would likely have required intelligence penetration of the facilities, potentially including physical penetration.[17]

The hacking group also published a video of the incident, showing factory workers leaving part of the plant before a machine starts spewing molten steel and fire. The video ends with people pouring water on the fire with hoses.[1]

Purpose: The companies were allegedly targeted because they are subject to international sanctions[18] and continue their operations despite these restrictions; Predatory Sparrow also declared that the attacks were carried out in response to unspecified acts of aggression by the Islamic Republic.[1] Data allegedly containing corporate documents revealing the companies' affiliation with the Islamic Revolutionary Guard Corps was stolen; part of the data was published, with the rest to follow in the future.[14]
Result: An industrial machine was caused to seriously malfunction, spewing fire and molten steel across the factory floor.[15] Data said to contain top secret documents and tens of thousands of emails from the companies on their customers and trading practices, presented as evidence of the companies' affiliation with the IRGC, was stolen; part of it (around 20 GB) was published, with the rest to follow in the future.[14]
Aftermath: Both Mobarakeh and Khouzestan Steel's websites went offline, and the production line at Khouzestan Steel was shut down for a few days. The cyber operation affected two areas: production and the security system. The hacking group even gained access to the Telegram channel. The reason more damage was not done might be the restrictions on the electricity supply.[2]

An investigation of claims linking the cyber operation to Israel has been launched by the Israeli Defense Ministry.[4] If a state is proven to have caused physical damage to the Iranian steel factory, it may have violated international law prohibiting the use of force and may have provided Iran with legal grounds to hit back.[1] The cyber operation has also been placed in the context of the Stuxnet attack.[1][12]

Analysed in:
Scenario 02: Cyber espionage against government departments
Scenario 03: Cyber operation against the power grid
Scenario 09: Economic cyber espionage

Collected by: Marek Kalinowski

  1. Joe Tidy, Predatory Sparrow: Who are the hackers who say they started a fire in Iran?, BBC (11 July 2022)
  2. Javad Motevali, Hacking Group 'Predatory Sparrow' Takes Down Steel Plants in Iran, IranWire (29 June 2022)
  3. Joe Tidy, Predatory Sparrow: Who are the hackers who say they started a fire in Iran?, BBC (11 July 2022); Isabel Debre, Large cyberattack on Iranian industrial sector targets three steel plants, The Times of Israel (28 June 2022)
  4. Emanuel Fabian, Gantz orders probe after TV reports hint IDF behind Iran steel plant cyberattack, The Times of Israel (30 June 2022); Gil Baram, Cyber attacks by Iran and Israel now target critical infrastructure, The Washington Post (25 July 2022)
  5. Yonah Jeremy Bob, Iran's steel industry halted by cyberattack, The Jerusalem Post (28 June 2022); BBC, Iran blames foreign country for cyberattack on petrol stations, BBC (27 October 2022)
  6. Joe Tidy, Predatory Sparrow: Who are the hackers who say they started a fire in Iran?, BBC (11 July 2022); Mathew J. Schwartz, Predatory Sparrow's Hacks: There's Smoke, There's Fire, BankInfoSecurity (12 July 2022); Jeremy Kirk, Wiper Malware Used in Attack Against Iran's Train System, DataBreachToday (30 July 2021)
  7. Jewish News Syndicate, Report: Iran attempted to raise chlorine in Israel's water supply to dangerous levels, Jewish News Syndicate (1 June 2020); Joby Warrick and Ellen Nakashima, Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020); Joe Tidy, Predatory Sparrow: Who are the hackers who say they started a fire in Iran?, BBC (11 July 2022)
  8. Isabel Debre, Large cyberattack on Iranian industrial sector targets three steel plants, The Times of Israel (28 June 2022)
  9. Yonah Jeremy Bob, Iran's steel industry halted by cyberattack, The Jerusalem Post (28 June 2022)
  10. Jovi Umawing, Predatory Sparrow massively disrupts steel factories while keeping workers safe, Malwarebytes Labs (14 July 2022)
  11. Matthew Broersma, Iran Steel Plants 'Hit By Cyber-Attack', Silicon UK Tech News (28 June 2022)
  12. Mathew J. Schwartz, Predatory Sparrow's Hacks: There's Smoke, There's Fire, BankInfoSecurity (12 July 2022)
  13. Verdict, Cyberattacks: Predatory Sparrow targets Iranian factory, Verdict (19 July 2022)
  14. AJ Vicens, Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents', CyberScoop (7 July 2022)
  15. Mathew J. Schwartz, Predatory Sparrow's Hacks: There's Smoke, There's Fire, BankInfoSecurity (12 July 2022); Joe Tidy, Predatory Sparrow: Who are the hackers who say they started a fire in Iran?, BBC (11 July 2022)
  16. Mihir Bagwe, Iranian Steelmaker Halts Production Following Cyberattack, BankInfoSecurity (27 June 2022)
  17. Yonah Jeremy Bob, Iran's steel industry halted by cyberattack, The Jerusalem Post (28 June 2022)
  18. Federal Register, Notice of OFAC Sanctions Actions, U.S. Department of the Treasury's Office of Foreign Assets Control (16 January 2020)