Predatory Sparrow Hacker Group claim Iranian Steel Cyber Attack

On the 27th of June 2022, the mills of three state-owned industrial steel companies (Khuzestan, Mobarakeh and Hormozgan) were the targets of a cyber attack, with production at the worst-hit mill brought to a complete halt. Khuzestan claimed that security measures, alongside a rapid and vigilant response, meant the damage dealt to the production line was minimal. However, IranWire claims that sources within the companies told them the reason no serious damage took place was restrictions on the electricity supply. These meant the production lines were switched off, which reduced the potential damage but implies that a more devastating attack is possible in production facilities where such measures have not been taken. The sources also suggested the repairs took longer than the state told news outlets.

The attack took control of the sites’ systems, causing machinery to malfunction and spew molten steel, which resulted in significant fire damage. This is an interesting instance of a cyber attack, as it is rare for a remote attack to cause physical damage. One of the largest previous instances of physical damage was the 2010 Stuxnet attack, also an attack on Iran, which on that occasion caused significant damage to the nuclear centrifuges at Iran’s uranium enrichment facility in Natanz. Whilst rare, the potentially devastating results of the latest attack set a precedent which should alarm industrial facilities around the world.

The Iranian National Cyberspace Center has blamed the attack on foreign enemies, while the Head of cyber research at Check Point Software noted the attack's competence, which led them to believe it was nation-state operated. Other experts also speculate that the deliberate safeguarding of civilians during the incident is a sign that a military risk assessment took place before the attack. The implication of this is important: if another nation state did attack Iran, causing physical damage, it would break international law barring the use of force and grant Iran the right to retaliate.


Gonjeshke Darande (Predatory Sparrow), a “hacktivist” group with ties to Israel, posted a video online soon after the attacks claiming responsibility. The video showing the physical damage was tweeted out along with screenshots from the factory's industrial control dashboard. Closed-circuit footage from the Khuzestan Steel factory floor was also uploaded as evidence of their infiltration. Since the attack, the group has also been releasing private emails and documentation they claim to have taken from the attacked steel mills. The hacking group stated that their rationale behind the attack was to target the Islamic Republic due to the companies’ affiliation with the Islamic Revolutionary Guard Corps and Basij. The companies were continuing to operate despite having international sanctions placed on them to stop.

The attack on the steel mills was just the latest in a long line of cyber attacks between Israel and Iran. Predatory Sparrow previously claimed responsibility for nationwide cyber attacks on Iranian governmental systems controlling petrol stations across Iran. These attacks stopped sales to anyone trying to buy petrol with a government-issued card, a system relied on by most Iranians to fuel their vehicles.

These attacks highlight the importance of securing your OT environment. Not protecting your system adequately from malware can be costly, time-consuming and dangerous depending on the confidentiality of the data taken, but a large portion of data loss can be mitigated with appropriate and regular backups.

However, physical damage often cannot be recovered in the same way and, in many cases, it can prove to be a danger to human life, as these attacks and the resultant fires prove. If you are worried you may be susceptible to cyber attacks, then contact us today to see how we can help you secure your assets and ensure the safety of your networks. Contact Awen for a no-obligation chat today!




Jake Hearn
Cyber Technologist