Date: 2022-07-12

Joe Tidy

Cyber Security Correspondent, BBC


It is very rare that hackers, operating in the digital world, cause damage in the physical world.

But the cyber attack on a steelmaker in Iran two weeks ago seems to show that this rule is not set in stone.

A group of hackers called Predatory Sparrow claimed responsibility for the attack, which according to the group caused a serious fire in the steel mill facilities.

The group also released a video containing footage recorded by the security cameras of the attacked factory, in which plant workers are seen leaving before a machine begins to spew molten steel and fire. The recording ends with people trying to put out the flames with hoses.

In another video that has surfaced online, staff at the facility can be heard shouting for firefighters and describing damaged equipment.

The start of the war

The “predatory sparrows”, also known by their Persian name Gonjeshke Darande, claim that this incident was one of three attacks they carried out against Iranian steelmakers on June 27, in response to unspecified acts of “aggression” carried out by the Islamic Republic.

Image caption: “Predatory sparrows” even have a Twitter account and a Telegram channel, from where they publicize their actions. (Image source: Predatory Sparrow)

The group has also started sharing gigabytes of data it claims to have stolen from companies, including sensitive emails.

“These companies are subject to international sanctions and continue their operations despite the restrictions. These cyberattacks are carefully carried out to protect innocent individuals,” the “predatory sparrows” said on their Telegram page.

It is clear that the hackers know that their actions put lives in danger, but it seems that they tried to avoid collateral damage and made sure that the factory was empty before launching their attack. These are precautions that they have also been keen to publicize.

This has led many to question whether the group is a professional, regulated team of state-sponsored military hackers, who might even be required to carry out risk assessments before launching an action.

“They claim to be a group of hacktivists, but given their sophistication, and their high impact, we believe the group is operated, or sponsored, by a country,” says Itay Cohen, head of cyber research at Check Point Software, an Israeli firm specializing in computer security.

Iran has been the victim of a series of recent cyberattacks that have had a real-world impact, but nothing as serious as this.

“If this turns out to be a state-sponsored cyberattack causing physical damage – or in war studies parlance ‘kinetic’ – it could be hugely significant,” says Emily Taylor, editor of the Cyber Policy Journal.

Image caption: Iran’s Natanz nuclear plant is highly protected and its most sensitive equipment is underground. (Image source: EPA)

Looking back

“Historically, the Stuxnet attack on Iran’s uranium enrichment facility in 2010 stands out as one of the few – if not the only – known example of a cyber attack causing physical damage,” adds Taylor.

Stuxnet was a computer virus first discovered in 2010 that damaged or destroyed centrifuges at Iran’s ultra-secure uranium enrichment facility at Natanz, hampering its nuclear program.

Since then there have been very few confirmed cases of physical harm. Possibly the only one occurred in Germany in 2014. The German cyber authority’s annual report stated that a cyberattack caused “massive damage” to a steel factory, causing it to close, but no further details were ever given.

There have been other cyberattacks that could have caused serious damage, but were unsuccessful.

For example, hacking groups tried unsuccessfully to add chemicals to the water supply by taking control of water treatment facilities.

Image caption: “Predatory sparrows” also hacked electronic signs on Iranian highways.

It is more common for cyber attacks to cause disruptions – in transportation networks, for example – without causing actual physical damage.

Taylor says this is an important distinction, because if it is proven that a state caused physical damage to the Iranian factory, it may have violated international laws prohibiting the use of force, and that would give Iran legal grounds to strike back.

The usual suspect

But which country could be behind the group? Its name, a pun on the name of the Iranian cyber warfare group Charming Kitten, could be a clue suggesting that it is a country with a strong interest in Iran.

The Stuxnet attack is believed to have been carried out by Israel, with the support of the United States. And suspicions about the origin of the “predatory sparrows” also point to Israel, something that has provoked an angry reaction from the government of that country.

Israeli Defense Minister Benny Gantz has ordered an investigation into journalists who have claimed that Israeli military forces are behind the attack on the Persian plant, the press revealed.

The government decision reveals that the minister is concerned that Israel’s “policy of ambiguity” in its operations against Iran has been broken.

In October last year, the “predatory sparrows” claimed responsibility for disconnecting Iranian gas stations from the national payment system. The group also claimed to have been behind a hack that hijacked digital billboards on highways, causing them to display a message that read: “Khamenei, where is our fuel?”, a reference to the country’s supreme leader, Ayatollah Ali Khamenei.

In the latter case, the hackers sought to minimize the chaos they would create by warning the emergency services of their action in advance.

More evidence

Check Point researchers say they have also found, in the malware used by the sparrows, code that matches that used by another group, called Indra, which hacked the screens of Iranian train stations in July last year.

According to Iranian news, hackers posted on information boards at stations across the country that trains were canceled or delayed, and urged passengers to call the supreme leader.

Image caption: Last August, Iranian train station signs were also hacked. (Image source: FARS)

But experts say the attack on the steel factory is a sign that the stakes are rising.

According to the CEO of the Mobarakeh steel company, where the fire broke out, the operations of the plant were not affected by the attack and no one was injured.

Two other companies were also attacked and said they had no problems.

Nariman Gharib, an Iranian opposition activist in the UK and an independent cyber espionage investigator, is convinced the factory was hit.

“The attack was real, as the workers recorded a video from another angle and we saw a statement published on a company’s Telegram channel about the suspension of the production line, which was later denied,” he added.