
Cyber Incident Victim: Khouzestan Steel Company

Date:

Jun 2022

Location:

Iran

Summary

A cyberattack forced Khouzestan Steel Company, an Iranian state-owned entity under sanctions, to halt production. The Gonjeshke Darande hacking group claimed responsibility, releasing video footage depicting machinery disruption and images of compromised HMIs and network diagrams. The attackers also breached the plant's CCTV systems, enabling them to monitor and validate physical effects while exfiltrating footage. Analysts noted the intrusion vector remains unknown but highlighted common OT vulnerabilities like insufficient network segmentation, outdated systems, and lack of intrusion detection facilitating lateral movement. The incident demonstrated production disruption and system compromise.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On June 27, 2022, Khouzestan Steel Company, an Iranian state-owned entity under U.S. sanctions, experienced a cyberattack that forced it to halt production. The company publicly attributed the production stoppage to "technical problems" resulting directly from these cyberattacks, though it did not identify any specific group responsible for the incident. This attack represented a significant disruption to Iran's strategic industrial sector. Shortly after the incident, the hacking group Gonjeshke Darande claimed responsibility via Twitter, asserting they had compromised Khouzestan Steel Company along with two other steel plants. As evidence, Gonjeshke Darande published a video depicting a machine explosion within the plant, images of the compromised Human-Machine Interface (HMI), and a picture of the plant's internal network diagram. The group had previously claimed attacks on other Iranian infrastructure targets.


The published video footage suggested the attackers achieved specific physical effects within the plant, implying a degree of operational control. The attackers also breached the plant's CCTV systems, gaining full control over the cameras. This CCTV compromise served multiple purposes: allowing the attackers to visually validate and monitor the physical consequences of their actions on the industrial processes, facilitating the exfiltration of video footage, and providing material to publicly demonstrate the attack's success and highlight vulnerabilities in both operational technology (OT) and physical security systems.

Experts analyzing the incident noted that the precise intrusion vector used to gain initial access remained unidentified. They emphasized common vulnerabilities contributing to such attacks, including insufficient segmentation between OT networks and connected IT environments, outdated or unpatched operating systems on OT servers and workstations within SCADA and DCS environments, and a lack of intrusion detection systems capable of identifying early signs of suspicious activity. These factors were assessed as enabling relatively easy lateral movement for attackers within the plant network once access was gained. The network diagram published by Gonjeshke Darande underscored the critical role that detailed knowledge of network connectivity and its vulnerabilities plays in both executing attacks and mounting defenses.

Khouzestan Steel Company stated production would remain stopped until further notice due to the attack's impact.
