December 19, 2023
Severity
High
Analysis Summary
A hacktivist group linked to Israel, dubbed Predatory Sparrow (or Gonjeshke Darande in Persian), has carried out cyberattacks against petrol stations across Iran. Iran’s state TV and Israeli local media reported that the attack took place on Monday and halted services at 70% of the fuel stations in the country.
The cyberattack had the greatest impact on Tehran, the capital of Iran, where many petrol stations were forced to operate manually. The oil minister stated that the attack disrupted about 70% of the stations in Iran and that it was launched by a foreign actor. At least 30% of the fuel stations are still operating, and the rest are working to restore their services. The oil ministry also said that it has no plans to increase fuel prices.
Iran’s civil defense agency, which is responsible for the country’s cybersecurity, said that it is still investigating all possible causes of the disruption. Iranian state TV recently reported that the Predatory Sparrow group claimed responsibility for the attack and stated that the cyberattack was performed in a controlled manner.
This is not the first time Predatory Sparrow has carried out a cyberattack against Iran. Near the end of January this year, the group said it was responsible for a wiper attack against Iran’s national media corporation, the Islamic Republic of Iran Broadcasting (IRIB). The hacktivists were also behind the attacks against the national railway services in July 2021, the Iranian petrol stations in October 2021, and the transportation ministry.
A spokesperson for Iran’s gas stations association told the news agency that the main cause of the disruption was a software issue and that experts are working to fix it. No fuel shortage has been reported, but drivers are advised not to go to the fuel stations yet. The cyber landscape continues to deteriorate as hundreds of pro-Israel and pro-Palestine groups carry out various cyberattacks. This shows that critical infrastructure in the Middle East is at major risk of cyberattacks capable of disrupting operations.
Impact
- Operational Disruption
- Reputational Damage
- Financial Loss
Remediation
- Manufacturers of industrial control systems and operational technology must prioritize cybersecurity by enhancing device security before deployment and assisting clients in configuring and securing deployed devices.
- Leading manufacturers are advised to adopt innovative approaches, such as secure-by-design principles, leveraging data for improved security, and implementing programs for swift detection of misconfigurations or exposed systems, to strengthen the security of their devices and protect their customers.
- Identify and address any vulnerabilities or weaknesses that the attackers may have exploited. Apply patches and updates to software, operating systems, and applications to strengthen the security posture.
- Develop and update a comprehensive incident response plan that outlines roles, responsibilities, and steps to take in the event of a cyberattack. Regularly test and update the plan.
- Implement continuous monitoring of network traffic and system logs to detect any suspicious activity and respond promptly to emerging threats.
- Strengthen security measures for third-party vendors and partners to prevent potential entry points for attackers.
- Develop a long-term cybersecurity strategy that includes regular security assessments, training, and updates to stay ahead of evolving threats.