Cyber Incident Victim: Iran
Date: Dec 2023
Location: Iran
Summary
A cyberattack claimed by Gonjeshke Darande disrupted petrol stations nationwide, causing operational issues and forcing many to operate manually. The group, which Iran accuses of links to Israel, stated the attack targeted infrastructure in response to regional aggression and claimed it was executed in a controlled way to avoid affecting emergency services. Approximately 70% of stations were initially affected, with services later restored to nearly half. The same actors previously targeted rail networks and steel factories, including an attack that caused an explosion by cyber means. Authorities investigated the disruption and confirmed there was no fuel shortage, while regional cyber hostilities persist with mutual accusations between the involved parties.
Description
On December 18, 2023, a cyberattack disrupted operations at approximately 70% of Iran’s 3,800 government-supervised petrol stations, causing widespread service interruptions. Iran’s Oil Minister Javad Owji initially cited outside interference as a possible cause before confirming the incident as a cyberattack. The disruption began early in the day, with Tehran experiencing particularly severe impacts, forcing many stations to operate manually. A hacking group known as Gonjeshke Darande (Predatory Sparrow), which Iran alleges has ties to Israel, claimed responsibility via a Telegram statement. The group asserted the attack was a controlled operation designed to avoid damaging emergency services and framed it as retaliation for Iran’s regional aggression and support of proxies. By the end of the day, 1,650 stations had resumed operations, though full restoration efforts continued. Iran’s civil defence agency, responsible for cybersecurity, stated it was investigating all potential causes, while Reza Navar, spokesperson for Iran’s petrol stations association, confirmed a software-related issue but emphasized no fuel shortages existed. The oil ministry explicitly denied any connection to planned fuel price increases, a sensitive topic due to violent protests over such measures in 2019.

Predatory Sparrow has a documented history of targeting Iranian infrastructure, including prior cyberattacks on petrol stations, rail networks, and steel factories. In 2022, the group released video evidence of an explosion at a steel plant it attributed to a hack. Five days after the October 7, 2023, Hamas attack on Israel, a group representative told Reuters that future operations against Iran were planned in response to Iran’s support for Hamas, warning of "permanent and unimaginable damage" via multi-domain attacks if Iranian proxies escalated hostilities. The December 18 fuel system disruption mirrored a 2021 cyberattack on Iranian fuel sales, which Iran blamed on Israel and the United States. Concurrently, Israel’s Cyber Unit disclosed that Iran and Hezbollah had attempted a cyberattack on a northern Israeli hospital three weeks earlier, which was partially successful in exfiltrating sensitive data before being thwarted. Iranian state media reported ongoing manual fuel distribution and technical efforts to restore systems, with over 50% of stations operational by the time of reporting.
