By: Niels Brink
Picture credits: Predatory Sparrow logo
As molten steel sprayed across the floor of a factory in Khuzestan, Iran in June 2022, a group known as Predatory Sparrow (or Gonjeshke Darande in Persian) was likely celebrating. It presumably had just pulled off one of the rarest types of cyberattacks in existence, one which caused physical damage, following in the footsteps of the infamous Stuxnet attack. However, the mysterious group remains relatively unknown, prompting a deeper dive into its workings and the attack itself.
On June 27th, the Predatory Sparrow group claimed to have successfully targeted three Iranian steel factories, resulting in a fire at a site operated by the state-owned Khuzestan Steel Company, one of Iran’s largest factories. On Twitter, the group released CCTV footage from inside the factory, showing staff leaving the floor and one of the machines subsequently starting to spew molten steel. The video paints a scene of destruction, however, various sources, including spokespeople from the two impacted companies, announced that the damage was limited as much of the factory’s machinery was switched off at the time of the attack.
How was the attack conducted?
Though Predatory Sparrow only conducted its attack recently, cybersecurity firm Check Point’s research team, published some findings on the malware used, called Chaplin. It was able to connect Chaplin to attacks against Iran Railways in 2021 and to attacks against Syrian companies in 2019, which were executed by a group called Indra. Unlike its predecessors, Chaplin cannot delete files on the targeted systems. Instead, it logs off the user, deletes the user’s login information to prevent the user from intervening in the attack, and allows the attackers access to the targeted system. From there, the group managed to gain access to the steel-production machinery.
In addition to the physical consequences of the cyberattack, Predatory Sparrow claims to have extracted confidential corporate documents from the targeted factories, which show the facilities’ affiliation with Iran’s Islamic Revolutionary Guard Corps (IRGC). While the group has released multiple parts of these files, their authenticity has not yet been confirmed.
Why target Iranian steel factories?
One needs not to search long for a motive for the attack on the steel mill, as the group publicly claims to have targeted Iran for “aggression of the Islamic Republic”. The group has also previously targeted the Iranian government through cyberattacks targeting Iran’s infrastructure in 2021, but those attacks did not cause physical damage, which is why this latest attack stands out. As for why these specific targets were selected, the group claims that the targeted steel companies were affiliated with the IRGC, Iran’s national security force. Despite international sanctions being levied against the targeted steel companies, Predatory Sparrow claims the companies continued their operations. As a result, the group likely aimed to call attention to this fact and disrupt their businesses.
Who is behind Predatory Sparrow?
While Predatory Sparrow claims to be a ‘hacktivist’ group, various sources have expressed doubt about that statement. In an interview with the BBC, Itay Cohen, head of cyber research at Check Point Software, claimed that “given their sophistication, and their high impact, we believe that the group is either operated or sponsored by a nation-state”. Indeed, possessing the knowledge, resources, and access required to execute this attack would be extremely difficult for independent hacking groups.
Another cause for doubt is the fact that Predatory Sparrow deliberately waited to execute its attack until the staff had vacated the factory floor, also heavily emphasising this in its messaging after the attack. This has led some to believe that the group did not do this out of courtesy, but because it may have been legally obligated to prevent harm to the staff, which is behaviour usually more prone to state actors than non-state actors.
Furthermore, its emphasis on preventing harm to the staff led them to attack at 5.15 in the morning, when a large number of systems were switched off due to electricity supply shortages, significantly limiting the damage. Whether or not the group knew this is unclear, but it could have caused significantly more harm if it had sprayed the molten steel across the work floor when it was filled with people.
Given these factors, Israel is considered the most likely state perpetrator, especially because of its ongoing cyberwar with Iran. A notable example of the impact of this conflict, the infamous Stuxnet attack, is widely believed to have originated from the US and Israel. Additionally, last year, Israel accused Iran of an attempted cyberattack targeting its water supply. Recent leaks from the Israeli defence department have claimed that its intelligence agency, Unit 8200, conducted the attack on the Iranian steel factories as a retaliation for an Iranian cyberattack that activated rocket sirens in Jerusalem and Eilat. These leaks prompted the Israeli Defence Minister Gantz to initiate an investigation, at which time he expressed concern that the leaks had harmed Israel’s ‘policy of ambiguity regarding Iran.
While this aspect of the group may seem trivial, it could have significant consequences. If a state actor indeed was behind the attack, it may legally entitle Iran to take defensive countermeasures that would normally violate international law. In response to cyberattacks, countermeasures are not allowed to be punitive in nature. However, if Israel, through Predatory Sparrow, caused physical damage to Iran through a deliberate attack, Article 51 from the UN Charter would legalise self-defence measures.
In comparison, if Predatory Sparrow turns out to be a hacktivist group, as it claims to be, international laws regarding self-defence would not apply. Instead, the perpetrators would be punished according to domestic laws. But this process requires the physical presence of the perpetrators, which is extremely rare in cases of cyberattacks.
Aside from the legal aspects of the attack, if Israel is indeed behind Predatory Sparrow, its actions will likely have a significant political impact. As Nariman Gharib, an Iranian activist and cyberespionage investigator explains: “If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how things can quickly escalate.” And in his prediction of rapid escalation, Gharib has quickly been proven correct. Iran has already started signalling its belief in Israel’s involvement in the attack through attacks of its own. After a recent ransomware attack by Iranian state-sponsored hackers targeting the Albanian government, the hackers left behind an image which shows an eagle praying on Predatory Sparrow’s logo, which is surrounded by a Star of David.
The image left behind after the ransomware attack on Albania.
While Israel was not the target of this attack, the Iranian government seemingly believes that the Mujahedin-e Khalq (MEK), an Iranian opposition group which was exiled to Albania, is also affiliated with Predatory Sparrow. This could offer a compelling explanation as to why Albania was the target of this attack, though it should be noted that the Iranian state-sponsored hackers gained access to the Albanian government’s systems in May 2021 – more than a year before Iran launched its attack.
Why is this attack special?
While cyberattacks have become a normal part of everyday life, they generally do not cause physical harm. They may harm the functionality of certain physical systems such as computers, disrupting the target’s operations, but they usually do not affect industrial equipment in a way that would allow them to cause physical damage. This is because developing malware for these so-called Industrial Control Systems (ICS) requires physical copies of the target systems, including the software versions running on them. Interestingly, Iran experienced the first and best-known instance of such an attack in 2010, when Stuxnet malware was used to physically damage almost a thousand nuclear centrifuges. Given these difficulties, attackers generally prefer deploying ransomware, which is significantly easier to do. This is what makes those cyberattacks that cause physical damage so infamous.
Another notable feature of this type of attack relates to target selection, which often includes industries that play a vital role in society, or which could cause significant harm if disrupted. The aforementioned Stuxnet attack targeted nuclear centrifuges, while a 2014 cyberattack caused significant damage to a German steel mill, and an attempted attack in 2021 aimed to poison the water supply of a city of 15,000 in Florida, United States. The reason for this lies in the modernisation of the systems that control the machinery in these facilities.
As Verdict, a British data firm, explains, recent trends have led to a marriage between Operational Technology (OT), which refers to the machines that physically operate the industrial machinery, and Information Technology (IT), which refers to the use of computers and software. This has resulted in the, generally older, OT aspects of these facilities being connected to the internet so they can be monitored and optimised. However, this has also caused those same OT aspects to be exposed to cyberattacks, which presents a problem as they are often not adequately protected or cannot be protected due to their age, as well as for other reasons. Consequently, Verdict predicts that we will see more attacks that exploit OT in the future, causing significant physical damage.
What does this attack show us?
Predatory Sparrow’s recent cyberattack has demonstrated the increasing need to improve OT security and the potential impact cyberattacks can have on these critical facilities. As Alan Woodward from the University of Surrey explains: “The truth is some are ageing to the point where they are almost inviting attack. So maybe that next round of funding should include technology refreshes for all networks.” While these attacks remain extremely rare, the stakes involved in the compromise of OT networks of water treatment plants, nuclear enrichment programmes, electricity grids, and now steel production companies, are enormous.
And this brings us to the main lesson that can be learned from this attack. Especially now, when Europe is struggling to ensure its energy and electricity supply, we should carefully examine the threats our OT networks are facing. While recent events in Ukraine around the fighting over the Zaporizhzhia nuclear powerplant have reignited discussions over the security of our industrial machinery, the OT security aspect is still not in the public debate.
The energy crisis has also forced European countries to re-evaluate their decisions regarding the phase-out of certain forms of energy production. Germany, for example, recently reversed its decision to phase out all nuclear power plants by the end of 2022, opting to keep two reactors open until April 2023 at least. If OT security is already a problem for operational facilities, one has to wonder how committed operators are to their cybersecurity when the closure is already imminent.
Note: The Predatory Sparrow’s logo, retrieved from the group’s Twitter profile.