
Cyber Incident Victim: Iranian Civil Defense Agency

Date: Dec 2023

Location: Iran

Summary

A cyberattack attributed to the Gonjeshke Darande group disrupted fuel services at approximately 70% of Iran's petrol stations, necessitating manual operations and prompting an investigation by national cybersecurity authorities. The attackers claimed the strike was a controlled response to Iran's regional activities, avoiding emergency service disruptions while referencing prior operations against railways and steel facilities. This incident aligns with historical cyber disruptions targeting subsidized fuel systems and broader regional tensions, including reciprocal accusations between Iranian and Israeli entities over infrastructure attacks. The group previously linked its actions to geopolitical conflicts involving Hamas and threatened further multi-domain retaliation against perceived threats.


Description

On December 18, 2023, a cyberattack disrupted operations at approximately 70% of Iran’s 3,800 government-supervised petrol stations, according to statements by Iranian Oil Minister Javad Owji. The incident began in the early hours of the day, with particularly severe impacts reported in Tehran, where many stations resorted to manual operations to dispense fuel. Initial statements from Reza Navar, spokesperson for Iran’s petrol stations association, described the issue as a software problem affecting the fuel system, though he emphasized no fuel shortages existed and urged drivers to avoid stations. Owji later confirmed the disruption stemmed from a cyberattack, revising the operational station count to 1,650 after recovery efforts. The hacker group Gonjeshke Darande, also known as Predatory Sparrow, claimed responsibility via a Telegram statement, asserting the attack was executed in a controlled manner to prevent harm to emergency services. The group framed the attack as retaliation for Iran’s regional aggression and proxy activities, echoing prior warnings made to Reuters five days after the October 7 Hamas attack on Israel, in which they threatened disproportionate cyber and multi-domain responses to Iranian proxies.


Iran’s Civil Defense Agency, responsible for cybersecurity, stated it was investigating all possible causes without immediately confirming the cyberattack attribution. State media noted Predatory Sparrow’s history of targeting Iranian infrastructure, including prior cyberattacks on petrol stations, railways, and steel factories—the latter accompanied by a video showing a factory explosion allegedly caused by their intrusion. The oil ministry dismissed speculation linking the disruption to fuel price increases, a sensitive topic following deadly 2019 protests. Manual fuel distribution and technical repairs restored services to over 50% of stations during the incident. Concurrently, Israel’s Cyber Unit disclosed an unrelated attempted cyberattack by Iran and Hezbollah on a northern Israeli hospital three weeks earlier, which partially compromised medical data but was largely thwarted. The petrol station attack mirrored a 2021 Iranian fuel sales disruption attributed by Tehran to U.S. and Israeli actors, underscoring ongoing cyber hostilities between the adversaries.
