Predatory Sparrow’s most distinctive feature is that it clearly has an interest in sending a specific geopolitical message with its attacks, says Juan Andres Guerrero-Saade, an analyst at the cybersecurity firm SentinelOne who has tracked the group for years. All of those messages are variations on a theme: if you attack Israel or its allies, we have the ability to deeply disrupt your civilization. “They are showing that they can reach out to Iran in a meaningful way,” Guerrero-Saade said. “They say, ‘We can support the Houthis and Hamas and Hezbollah in these proxy wars.’ But we, the Predatory Sparrows, can dismantle your country piece by piece without moving from where we are.”
Here’s a quick look at Predatory Sparrow’s short but remarkable track record of ultra-destructive cyberattacks.
2021: Train Chaos
In early July 2021, the display boards showing timetables across Iran’s national railway system began showing messages in Persian declaring trains either delayed “due to a cyberattack” or simply “cancelled,” alongside the phone number of the office of Iran’s Supreme Leader Ali Khamenei, apparently suggesting that Iranians call that number for updates or complaints. SentinelOne’s Guerrero-Saade analyzed the malware used in the attack, which he dubbed “Meteor Express,” and found that the hackers had deployed a three-stage wiper: it corrupted the machine’s file system, locked out the user, and then erased the master boot record that the machine uses to find its operating system when it starts. Iran’s Fars news agency reported that the cyberattack had caused “unprecedented chaos,” but later deleted that statement.
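The final stage described above, erasing the master boot record, is what leaves a machine unable to locate its operating system at boot. As an added example that is not part of the original article and is not derived from the Meteor Express malware itself, the following Python triage check reads a 512-byte MBR sector (for instance the first sector of a disk image taken during incident response) and classifies it as intact, zeroed, missing its boot signature, or lacking any partition entries. The sample sector it builds is constructed for the example: a stub of boot code, one bootable NTFS-type partition starting at LBA 2048, and the 0x55 0xAA signature.

```python
"""Triage check for a wiped or intact MBR sector (added example, not from the article)."""
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_SIGNATURE = 0xAA55            # bytes 0x55 0xAA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the classic four-slot MBR partition table."""
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PARTITION_ENTRY_FMT, sector, offset
        )
        if ptype == 0:
            continue  # type 0x00 marks an unused slot
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def assess_mbr(sector: bytes) -> str:
    """Classify a 512-byte sector: 'intact', 'zeroed', 'bad_signature' or 'no_partitions'."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector.count(0) == MBR_SIZE:
        return "zeroed"  # the whole sector overwritten with nulls: typical wiper result
    (signature,) = struct.unpack_from("<H", sector, MBR_SIZE - 2)
    if signature != BOOT_SIGNATURE:
        return "bad_signature"  # firmware will refuse to boot from this sector
    if not parse_partition_table(sector):
        return "no_partitions"  # signature present but no volumes to boot from
    return "intact"


def build_sample_mbr() -> bytes:
    """Constructed sample: boot-code stub, one bootable NTFS-type partition, valid signature."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + b"\x55\xAA"


if __name__ == "__main__":
    sample = build_sample_mbr()
    print("sample sector:", assess_mbr(sample), parse_partition_table(sample))
    print("zeroed sector:", assess_mbr(b"\x00" * MBR_SIZE))
```

To run it against real evidence, read the first 512 bytes of a raw disk image (for example with `open(path, "rb").read(512)`) and pass them to `assess_mbr`; a result of `zeroed` or `bad_signature` is consistent with the sort of MBR destruction the article describes, while `intact` means the boot path at least survived and the damage, if any, lies in the file system.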
Around the same time, computers on the network of Iran’s Ministry of Roads and Urban Development were hit by the same wiper tool. Analysis of the wiper by the Israeli security firm Check Point showed that the hackers had likely used an earlier version of the same tool several years before against Iran-linked targets in Syria, in those cases under the guise of a hacker group named after the Hindu storm god Indra.
“Our purpose in carrying out this cyberattack, while maintaining the safety of our fellow citizens, is to express our disgust at the abuses and brutality that government departments and organizations allow to our citizens,” Predatory Sparrow wrote in Farsi in a post on its Telegram channel, claiming credit for the attack and suggesting it was an Iranian hacktivist group.
2021: Gas station paralysis
Just a few months later, on October 26, 2021, Predatory Sparrow struck again. This time it targeted the point-of-sale systems of more than 4,000 gas stations across Iran, the majority of all fuel pumps in the country, disrupting their ability to accept payments with the gasoline subsidy cards distributed to Iranian citizens. Hamid Kashfi, an Iranian emigrant and founder of the cybersecurity firm Dark Cell, analyzed the attack at the time but only published his detailed findings last month. He notes that the attack came just two years after the Iranian government’s attempt to cut fuel subsidies had provoked riots across the country. Mirroring the railway attack, the hackers displayed a message with the supreme leader’s phone number on the fuel pump screens, making it appear as if the Iranian government was again to blame for the disruption. “From an overall perspective, this looks like an attempt to stir up violence again in the country, widen the gap between the government and the people, and cause further tensions,” Kashfi said.
The attack quickly led to long lines at gas stations across Iran that lasted for several days. But Kashfi argues that, despite its disruptive consequences, the gas station attack was an incident in which Predatory Sparrow showed real restraint. Based on detailed data uploaded by Iranian incident responders to the malware repository VirusTotal, he says the hackers had enough access to the gas stations’ payment infrastructure that they could have destroyed the entire system, forcing the software to be manually reinstalled at every gas station or even the subsidy cards to be reissued. Instead, they simply wiped the POS systems in a way that allowed a relatively quick recovery.