Iranian Steelmaker Halts Production Following Cyberattack
Hackers Also Claim Attack on 2 Other Steel Manufacturers
A major Iranian steel producer halted operations after a self-styled hacktivist group claimed credit for an industrial control system hack that it says caused a production-line explosion.
Recently identified threat actor Gonjeshke Darande - the name means "Predatory Sparrow" in Persian - released a video on Twitter purporting to show a foundry at the Khouzestan Steel Company going up in flames as the result of a cyberattack.
The group claims to have also targeted two other state-owned steel plants: Mobarakeh Steel Company, the largest steel producer of the Middle East, and the Hormozgan Steel Company. Information Security Media Group could not immediately establish the veracity of the claims.
The Khouzestan Steel Company acknowledged shutting down due to a technical failure, Saudi-sponsored TV news station Iran International reports, adding that machines weren't actually damaged due to an electricity blackout.
Khouzestan Steel CEO Amin Ebrahimi told the semiofficial Mehr News Agency that attackers had been stopped from causing damage that would affect supply chains and customers and added that he expects the factory to return to normal by the end of today.
Today, we, "Gonjeshke Darande", carried out cyberattacks against Iran's steel industry, which is affiliated with the IRGC and the Basij: the Khouzestan Steel Company (KSC), the Mobarakeh Steel Company (Isfahan) (MSC) and the Hormozgan Steel Company (HOSCO).
1/2 — Gonjeshke Darande (@GonjeshkeDarand) June 27, 2022
The hackers posted screen grabs of a software panel of one of the targeted plants. It is not clear which plant they allegedly targeted or how they gained access to the systems. A tweet from Certfa Lab, a nonprofit cybersecurity and privacy group that caters to Persian-speaking audiences, says the software panel shown belongs to Irisa Company, which specializes in network services and industrial infrastructures.
In another image published by the hackers, the software panel belonging to the Irisa company can be seen. This company is active in the field of industrial automation and, more importantly, provides network and industrial infrastructure services! Therefore, it is not unlikely that this company itself was one of the origins of the hackers' access. pic.twitter.com/XBvuQkWcPF — Certfa | سرتفا (@certfalab) June 27, 2022
"It is unlikely that the company itself was one of the sources of hacker access," Certfa says. Hackers may have gained access through a vulnerability in third-party software and not through a direct cyberattack on the steel manufacturer's infrastructure.
Cybersecurity researcher "the grugq" says the level of effort that the attackers apparently took to make sure the Khouzestan Steel attack did not harm people is noteworthy.
"Not only did they take pains to ensure this, but they also made it a pillar of their announcement, along with proof that they took those steps. This team wanted to make clear what they believe responsible offensive cyber looks like. And they have. I think this is how norms will be created, not in academic or policy papers," he writes in his daily newsletter.
Motive Behind the Attack
The U.S. Department of the Treasury's Office of Foreign Assets Control in January 2020 sanctioned all three firms. Predatory Sparrow says it is frustrated that production continues despite the sanctions.
Iran's crude steel-making capacity is expected to increase by more than 15 million metric tons between 2021 and 2023, according to the Organization for Economic Cooperation and Development.
The hacker group says its intent is to stop the companies' cash flow generation and that the attack is retaliation for the Islamic Republic's aggression against neighboring countries and the West. The three steel manufacturers are affiliated with the Islamic Revolutionary Guard Corps and the Basij, a paramilitary volunteer militia established by Iranian Revolution leader Ayatollah Khomeini, the hacker group says.
Predatory Sparrow was also likely involved in an October 2021 cyberattack. It claimed responsibility for attacking systems of the National Iranian Oil Product Distribution Company that governs fuel subsidies in Iran. The attack indirectly hit all fuel stations in the country and left many citizens without fuel, as smart cards used at fuel pumps became inoperable (see: Cyberattack Reportedly Cripples Iran Gas Stations).
This incident affected 4,300 fuel stations across the country, the Islamic Republic News Agency reported at the time, citing Abul-Hassan Firouzabadi, secretary of the Supreme Council to Regulate Virtual Space in Iran.
The hacker group claimed at the time that it had contacted the relevant emergency entities before the attack to give them time to prepare. It also claimed to have reported the vulnerability it abused under payment service provider Ingenico's responsible disclosure process. Ingenico's vulnerable point-of-sale machines were allegedly used at the gas pumps in Iran.