Date: 2022-07-13

Joe Tidy

BBC News technology reporter

Photo caption: The Iranian steel company moments before the fire (Credit: Predatory Sparrow)

It is extremely rare for hackers, operating in the digital world, to be able to do real harm in the physical world.

But a cyber attack on a steel mill in Iran two weeks ago is being seen as one of those important and worrying moments.

A group of hackers called Predatory Sparrow claimed responsibility for the attack, which reportedly caused a serious fire. The group released a video to corroborate its claim.

The video appears to be security camera footage of the incident, showing workers leaving the factory before a machine starts spouting molten steel and fire. The video ends with people spraying water on the fire with hoses.

In another video that surfaced online, workers shout for firefighters to be called and describe damage to equipment.

Predatory Sparrow, also known by its Persian name, Gonjeshke Darande, says it was one of three attacks it carried out on Iranian steel mills on June 27 in response to alleged acts of “aggression” carried out by the government.

The group is also sharing gigabytes of data it claims to have stolen from companies, including confidential emails.

On its Telegram messaging app page, Predatory Sparrow posted: “These companies are subject to international sanctions and are continuing their operations despite the restrictions. These cyberattacks are being carried out carefully to protect innocent individuals.”

That last sentence caught the attention of the cybersecurity world.

Clearly, the hackers knew they could be putting lives in danger, but apparently they went to great lengths to ensure the factory floor was empty before the attack — and they seem to be equally concerned about showing everyone how careful they were.

This has led many to wonder if Predatory Sparrow is a professional team of government-sponsored military hackers, who may even be required to conduct risk assessments before starting an operation.

“They claim to be a hacktivist group, but given their sophistication and high impact, we believe the group is either operated or sponsored by a nation state,” says Itay Cohen, director of cyber research at Check Point Software.

Photo caption: Predatory Sparrow has a Telegram channel, Twitter account and even a logo (Credit: Predatory Sparrow)

Iran has been the victim of a number of recent cyberattacks that have had an impact on the real world, but nothing as serious as this.

“If this is a state-sponsored cyberattack causing physical damage — or, in the jargon of war scholars, ‘kinetic’ damage — that could be extremely significant,” says Emily Taylor, editor of the Cyber Policy Journal, which specializes in topics related to cyber security.

“Historically, the [computer virus] Stuxnet attack on Iran’s uranium enrichment facilities in 2010 has been highlighted as one of the few — if not the only — known example of a cyberattack causing physical damage.”

Stuxnet was a computer virus first discovered in 2010 that damaged or destroyed centrifuges at Iran’s uranium enrichment facility at Natanz, crippling its nuclear program.

Since then, there have been very few confirmed cases of physical harm.

Photo caption: The Natanz nuclear complex has strong security and its most important machines are underground (Credit: EPA)

Possibly the only example happened in 2014 in Germany. An annual report by the German cyber authority says a cyberattack caused “enormous damage” to a steel factory, causing an emergency shutdown. But the details were not revealed.

Other cyberattacks that could have caused serious damage were not successful. For example, hackers have tried but failed to put chemicals in the water by taking control of water treatment facilities.

It is more common for cyberattacks to cause major disruptions, to transport networks for example, but without actual physical damage.

Emily Taylor says it’s important to know if the attack came from another government. If a state is proven to have caused physical harm to the Iranian steel company, it may have violated international laws prohibiting the use of force, giving Iran legal arguments to fight back.

But if Predatory Sparrow is a state-sponsored military hacking group, which country would it be representing? The group’s name — a play on the name of the Iranian cyber warfare group Charming Kitten — could be a clue suggesting it is a country with a keen interest in Iran.

The 2010 Stuxnet attack is believed to have been carried out by Israel, with US support. And this time the rumors linking the Predatory Sparrow attack to Israel were strong enough to provoke a response from the Israeli government.

According to Israeli media reports, Defense Minister Benny Gantz ordered an investigation into leaks that led Israeli journalists to insinuate that Israel was behind the attack. He is concerned that Israel’s “policy of ambiguity” in its operations against Iran may have been breached.

“If this cyber attack is state-sponsored, then of course Israel is the prime suspect. Iran and Israel are in a cyber war, and officially both states recognize that,” says Ersin Cahmutoglu of ADEO Cyber Security Services in Turkey.

“Both states organize mutual cyberattacks through their intelligence services, and there has been an escalation since 2020, when Israel retaliated after Iran launched a failed cyberattack on Israeli water infrastructure systems and attempted to interfere with the chlorine level.”

Photo caption: Predatory Sparrow modified road signs to spread chaos in Iran

In October of last year, Predatory Sparrow claimed responsibility for an attack that shut down Iran’s national payment system at gas stations. The group also said it was behind an attack that hijacked digital billboards on highways, causing them to display a message saying, “Khamenei, where is our fuel?” — a reference to the country’s supreme leader, Ayatollah Ali Khamenei.

The hackers showed a degree of responsibility in alerting Iran’s emergency services in advance of the potential chaos that could ensue.

Check Point researchers say they also found code in the malicious software used by Predatory Sparrow that matches that used by another group, called Indra, which hacked into Iranian train station screens in July last year.

According to Iranian reports, hackers indicated on information boards at stations across the country that trains had been canceled or were delayed and asked passengers to call the Supreme Leader.

But experts say the attack on the steel factory is a sign that the danger is mounting.

Photo caption: In August 2021, train station panels were hacked, causing confusion for train passengers (Credit: FARS)

According to the CEO of the Mobarakeh Steel Company, where the fire reportedly took place, the plant’s operations were not affected by the attack and no one was injured. The two other companies targeted also said they had no problems.

Nariman Gharib, an Iranian opposition activist based in the UK and independent cyber espionage researcher, is convinced the video is genuine. He notes that two other videos of the fire were also posted on Twitter.

“The attack was real, as workers recorded a video from another angle and we saw a statement posted on the Telegram channel of a company about the suspension of the production line, which was later denied.”

He fears a boundary has been crossed.

“If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting a service. It shows how quickly things can get worse.”