Gonjeshke Darande Hacking Group

An Israeli-linked hacker group claims to have carried out a major cyber-attack on Iranian petrol stations, knocking 70% of them offline on 18 December.  Predatory Sparrow, or “Gonjeshke Darande” in Persian, said it launched the “controlled” attack in response to “aggression” by the Islamic Republic and its proxies in the region.  “This cyber attack was carried out in a controlled manner to avoid potential damage to emergency services,” the group said.

Addressing Iran’s supreme leader, Ayatollah Ali Khamenei, it added: “Khamenei, playing with fire has a price.”  Iran’s civil defense agency, which is responsible for cyber security, said it was considering all possible causes for the disruption, including outside interference.  Iran’s oil minister said: “At least 30 per cent of gas stations are working, with the rest gradually resolving the disruption in services.”  He later added that 1,650 petrol stations were operational.  The ministry supervises 3,800 petrol stations.[1]

A spokesman for Iranian petrol station associations blamed the shutdown on a software issue.  “A software problem with the fuel system has been confirmed in some stations across the country and experts are currently fixing the issue,” he told Fars, a pro-regime Iranian news agency.  A broadcast on Iranian state TV on the 18th said that the repairs to fuel station payment machines would take about six to seven hours, and that until then Iranians should buy fuel manually.

Iranian officials have denied that the attack was a response to plans to hike fuel prices, a move that caused widespread protests in 2019.  Iran also saw massive anti-regime protests in 2022 which left hundreds dead after a brutal crackdown by the country’s security forces.  The major cyber-attack comes two years after a similar incident in October 2021 when Predatory Sparrow claimed to have knocked out Iran’s fuel services by deactivating service machines and government-issued cards used to buy subsidized petrol.  These fuel cards were first introduced in 2007 with a view to reforming the subsidies system and curbing large-scale smuggling.

Predatory Sparrow has previously claimed responsibility for cyber-attacks on the Iranian railway system, as well as the state-owned Khuzestan Steel Company, which was forced to temporarily stop production after being targeted in June last year.

While the group has a Persian-language name, suspicions have swirled for years about the group having close ties to Israel, Iran’s arch-foe in the Middle East.  The Times of Israel reported that the group is “believed to be linked to the Israeli Military Intelligence Directorate,” one of the country’s main intelligence bodies alongside Mossad and Shin Bet.  For years Israel has been locked in a so-called shadow war with Iran, with the two sides attacking each other’s ships and ports, as well as other key infrastructure.  Israel had not commented on the fuel station hack as of this report, but it did release a statement accusing Iran and the Iranian proxy group Hezbollah of a failed cyber-attack on an Israeli hospital.

In a statement, Israel’s National Cyber Directorate said: “Iran and Hezbollah were identified as the entities behind an attempted cyber-attack on Ziv Medical Center during the ongoing Swords of Iron war.  The attack, orchestrated by Iran with the involvement of Hezbollah cyber group, aimed to disrupt the hospital’s operations but ultimately failed.”

Cyber-security experts said attacks like the one on Iran’s fuel stations usually involve malware or phishing techniques, and sometimes a global team of hackers.  A representative of Pure Cyber, a British cyber-security consultancy, said: “The alarming capability of cyber-criminal gangs to launch large-scale attacks stems from a combination of advanced technological expertise, sophisticated hacking tools, and often, a network of global operatives.  These groups exploit vulnerabilities in systems, use malware and phishing techniques, and frequently leverage the anonymity and vast resources of the dark web.”  He added: “Their organizational structure often mimics that of legitimate businesses, with specialized teams focusing on different aspects of cybercrime.  This professional approach, coupled with a disregard for legal boundaries, enables them to orchestrate attacks of significant scale and impact.”

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://news.yahoo.com/israeli-linked-hacker-group-behind-141132593.html
