The Hacktivist Group
"this could be hugely significant"
Known by its Persian name, Gonjeshke Darande, Predatory Sparrow is one of many shadowy hacktivist groups that inhabit the digital world. However, this group would garner considerable exposure over an act they committed in June 2022.
In a rare occurrence, the group claimed responsibility for a cyber-attack that caused real-world damage, against an Iranian steelmaker. Whoever is behind the troubling escalation of cyber-attacks to the real world, it is obvious they have a strong and negative interest in Iran.
On June 27, 2022, a video containing CCTV footage was released by Iran of an incident that occurred at a steelmaker's plant. The grainy footage shows factory workers leaving part of the plant before a machine starts spewing molten steel and fire. Towards the end of the video people can be seen pouring water on the fire with hoses.
Surprisingly, the Islamist country claimed that a cyber-attack had caused the damage, and released the video to back up its story. Later, a hacking group called Predatory Sparrow said it was behind the attack.
In another video that surfaced online, of the same incident, staff at the Iranian factory can be heard shouting for firefighters to be called and describing damage to equipment. This attack is seen as both significant and deeply troubling.
Predatory Sparrow, or Gonjeshke Darande as it is known by its Persian name, claims this attack was one of three it carried out against Iranian steelmakers on the same day, June 27th. The group announced it was in response to unspecified acts of “aggression” carried out by the Islamic Republic.
The group has also begun to share gigabytes of data it claims to have stolen from the companies, including confidential emails. The group known as Predatory Sparrow has a Telegram channel, Twitter account and even a logo.
On its Telegram page, Predatory Sparrow posted a message: “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals.”
It was the last sentence of this message that proved significant for the cyber-security world. It was clear the attackers knew that their actions were potentially putting lives in danger.
However, it does seem they attempted to ensure the factory floor was empty before they launched their attack, as well as making sure the relevant authorities knew the precautions they had taken.
This has led many to ponder whether Predatory Sparrow is a professional and highly trained team of state-sponsored military hackers, who may even be obliged to carry out risk assessments by their government before they launch an operation.
Recently, Iran has been the victim of a spate of cyber-attacks that have had an impact in the real world but nothing as serious as this latest assault. The question of whether Predatory Sparrow is a rogue group or part of a state security unit is the most puzzling.
Itay Cohen, head of cyber research at Check Point Software, said, “They claim themselves to be a group of hacktivists, but given their sophistication, and their high impact, we believe that the group is either operated, or sponsored by, a nation state.”
“If this does turn out to be a state sponsored cyber-attack causing physical – or in the war studies jargon ‘kinetic’ damage – this could be hugely significant,” says Emily Taylor, Editor of the Cyber Policy Journal.
“Historically the Stuxnet attack on Iran’s uranium enrichment facilities in 2010, has been highlighted as one of the few – if not the only known – example of a cyber-attack causing physical damage.”
A computer virus, Stuxnet was first discovered in 2010 and was used to damage or destroy centrifuges at Iran’s uranium enrichment facility in Natanz, hampering its nuclear programme. Natanz is heavily protected, with the sensitive machinery housed deep underground. Since then there have been very few confirmed cases of physical damage.
The only one of any significance occurred in Germany in 2014, when a cyber-attack caused “massive damage” to a steel factory, causing an emergency shutdown, but apart from this no further details have ever been given.
There have been other cyber-attacks that could have caused serious damage but so far none have succeeded. One example is when hackers tried but failed to add chemicals to the water supply by taking control of water treatment facilities.
Cyber-attacks more commonly cause disruption, to transport networks for example, rather than causing any real physical damage. This is a significant distinction, because if it is proven that a state caused physical damage, it may have violated international laws.
This would only provide Iran with legal justification to retaliate. So this begs the question: if Predatory Sparrow is some kind of state-sponsored military hacking group, then which country does it represent?
The fact that it has only orchestrated attacks against Iran, coupled with the name used by the group, which is a play on the name of the Iranian cyber-warfare group, Charming Kitten, might suggest that the aggressor country harbours a strong interest in Iran.
The Stuxnet attack is widely believed to have been carried out by Israel, with the backing of the United States. The rumours of Israel’s involvement with Predatory Sparrow have grown loud enough to elicit a response from the Israeli government.
Defence Minister Benny Gantz has, according to Israeli media reports, ordered an investigation into leaks that led to Israeli journalists reporting that Israel is behind the real world attack, concerned that Israel’s “ambiguity policy” on its operations against Iran might have been broken.
Ersin Cahmutoglu from ADEO Cyber Security Services in Ankara has said, “If this cyber-attack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war, and officially both states acknowledge this.”