Predatory Sparrow's Hacks: There's Smoke, There's Fire

Hack Attacks That Affect Operational Security Environments Remain Rare
Fire allegedly caused by hackers in June at Iran's Khouzestan Steel Company, apparently captured on CCTV (Source: Twitter)

Has there been a sudden increase in the danger posed by online attacks to industrial environments?

On June 27, a hacking group calling itself Gonjeshke Darande posted to Twitter a video of it allegedly using a remote hack attack to set fire to a steel foundry in Iran run by state-owned Khouzestan Steel Company.

The attackers - the moniker is Persian for "Predatory Sparrow" - claimed to have also disrupted two other state-owned foundries, saying their motive was to prevent the businesses from continuing to operate and sell their wares, which they did despite coming under U.S. sanctions.

"I'm in two minds as to whether this is a new trend in cybercrime or something that has caught the headlines precisely because it is so unusual," says cybersecurity expert Alan Woodward, a computer science professor at the University of Surrey. "It's a reminder, if one was needed, that cyberattacks can lead to physical damage. It's really quite rare but in this case it was almost as if they wanted to make the point that they could do it."

Much about the group suggests it's not just any old group of hacktivists, including its chosen name, which may be a riff on Charming Kitten, the codename assigned by cybersecurity firm FireEye to an Iranian military nation-state hacking group.

Fuel and Train Disruptions

Predatory Sparrow claimed credit in October 2021 for an online attack that resulted in an hourslong disruption for many Iranians trying to fill up their cars at gas stations. Fuel pumps reportedly displayed a message that read "cyberattack 64411." The number refers to the phone number for Iran's supreme leader, Ali Khamenei.

Meanwhile, malware used in last month's foundry attacks "is connected to the attacks against Iran Railways" in July 2021, reports cybersecurity firm Check Point's research team. That effort disrupted systems involved in train travel and also added a message to train station display boards urging travelers to phone 64411 for more information.

Is Group Run by Israel?

Is Predatory Sparrow a state-sponsored hacking group?

"They claim themselves to be a group of hacktivists, but given their sophistication, and their high impact, we believe that the group is either operated, or sponsored by, a nation-state," Itay Cohen, head of cyber research at Check Point Software, tells the BBC.

In late June, multiple Israeli news outlets suggested that the head of the country's military had recently visited a military intelligence unit, at which he viewed and celebrated footage of the Iranian foundry fire. Israeli Defense Minister Benny Gantz subsequently ordered his ministry to investigate the apparent leaks to the media, the Times of Israel reported.

Such Attacks Dangerous, But Rare

Defenders of networks and systems used in industrial environments face numerous challenges. Industrial control systems, or ICS - which often include subsystems for supervisory control and data acquisition, or SCADA - are designed to last for 10, 20 or more years. Older systems may never have been designed to be internet-connected. Any scenario - not just for industrial cybersecurity - that involves "bolting on" security after the fact can create vulnerabilities hackers might exploit, experts warn.

Such attacks remain rare. Stuxnet still stands as one of the best-known industrial cybersecurity attacks, involving malware designed to spin Iranian centrifuges at high speeds to cause them to fail. Stuxnet, which was discovered in 2010, is widely believed to have been the result of a project run by the U.S. and Israel.

Iran has been blamed for operational technology, or OT, attacks as well, including 2013 breaches of systems at the Bowman Dam in Rye, New York, as well as an April 2020 attack that attempted to raise the chlorine levels in an Israeli pumping station to hazardous levels. A handful of other, unattributed attacks have also targeted ICS environments, including at a water treatment plant in Florida.

Convergence Adds Challenges

Keeping OT environments secure remains challenging, not least because of increasing convergence between IT technologies and OT environments, Lesley Carhart, director of incident response at industrial cybersecurity firm Dragos, said in an interview at last month's RSA Conference in San Francisco.

"So instead of building their own switches for industrial applications and protocols and computers, now they're using Windows, they're using Cisco, they're using Juniper - all familiar IT technologies," filled with all-too-familiar vulnerabilities and patching requirements, Carhart says.

The pandemic added further challenges, not least because of the heavy reliance on remote access. "Of course, when we're talking about OT cybersecurity, we're talking about places where there's high risk of life and safety, danger and damage to equipment, so physical, real-life things," Carhart says. "Connecting things to remote access during the pandemic caused risk everywhere. The risk can be much more substantial in environments where the result of a cyberattack could be somebody dying - as opposed to just a loss of data."

Difficulties for Attackers

Most ICS environments are unique. If attackers want to disrupt the environment, experts say they will typically need to create a laboratory with physical versions of the same equipment, including the actual system updates and patches being used. Hence while such attacks can be executed, they tend to be time-intensive to develop and difficult to scale.

Such challenges have not changed. Nor has the impetus to keep such environments secure, not least because new vulnerabilities in the ICS, SCADA and other systems in these environments inevitably come to light, and getting them patched so often lags.

One upside is that for criminals, time is money, and the University of Surrey's Woodward says it remains quicker and easier to deploy ransomware, for example, than to try to develop malware that might disrupt an ICS environment.

Nevertheless, OT networks are not static, and neither should be the underlying efforts in people, process and technology required to keep them secure, he says.

Hence one takeaway from the fires allegedly caused by hackers at Iranian foundries is the need to remain vigilant. "Perhaps the people that this should be aimed at are those inside organizations making financial decisions, as it is all too easy to see these networks as unimportant and unlikely to be attacked," Woodward says. "The truth is some are aging to the point where they are almost inviting attack. So maybe that next round of funding should include technology refreshes for all networks."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.