Commentary from Yossi Rachman, Director, Security Research, Semperis
December 2023 by Yossi Rachman, Director of Security Research, Semperis
The comment below is from Yossi Rachman, Director, Security Research, Semperis, on the Iran gas station cyberattacks.
With today’s cyberattack in Iran paralysing most of the country’s gas stations, it is a reminder of how groups such as Predatory Sparrow are using offensive cyber capabilities to strike back at Hamas and countries that sympathise with them. This is not a random strike; it was planned out in advance. Time will tell how damaging the attack has been. But know that if the loss of access to oil and gas stretches later into the week, disruptions will become more widespread.
From what I have observed and reviewed thus far from the Predatory Sparrow group’s various communication channels, they compromised at least one server through which they took control of the central management system for Iran’s gas stations, by compromising technical support or other administrative privileged accounts within the system, and have been able to obtain sensitive gas station data and payment details.
We can only speculate at this time about Predatory Sparrow’s motives behind today’s brazen attacks. First, the attacks might not be connected to other objectives or campaigns; they may be just a warning shot over the bow of the Iranian government, showing what the group is capable of doing in the future. However, we should also consider that the attack was perpetrated by a nation-state for its own offensive military operations or intelligence-gathering purposes. And there is the possibility that the group was knowingly or unknowingly sponsored by a nation-state, and that the stolen personal and payment data exfiltrated from the Iranian gas stations’ systems could serve as their payment.
It is worth mentioning that the attack is controlled in its impact, as 30 percent of the gas stations were left unharmed by Predatory Sparrow, and that emergency services in Iran were allegedly warned in advance through a Skype chat. In fact, Predatory Sparrow stated in a Telegram channel post that ‘they issued a clear warning before the operation began and ensured a portion of the gas stations across the country were left unharmed.’
At this time, critical infrastructure operators in the U.S., at least, are primarily privately owned entities, including organisations such as Colonial Pipeline, which suffered a widespread breach in 2021 at the hands of the Russian-linked DarkSide gang, disrupting oil and gas distribution for days up and down the Eastern Seaboard. For all critical infrastructure operators, pause for just a minute today and remind yourselves that you can do a better job of building resiliency and more effective cyber defense capabilities in your networks.