Date: Oct 2021

Location: Iran

Summary

A cyberattack disrupted operations across the National Iranian Oil Products Distribution Company's nationwide network of gas stations, causing widespread outages and leaving customers without fuel. The incident triggered secondary compromises of digital billboards displaying protest messages demanding accountability for fuel shortages. Attackers targeted subsidized fuel distribution systems, displaying a 'cyberattack 64411' error on payment devices when customers attempted to use government-issued cards. Authorities confirmed the attack and attributed it to state-sponsored actors, though no specific nation was identified. The disruption caused significant operational paralysis, with stations remaining non-functional for extended periods and creating long queues of stranded motorists.


Description

On October 26, 2021, gas stations operated by Iran’s National Iranian Oil Products Distribution Company (NIOPDC) experienced widespread operational disruptions due to a cyberattack targeting the organization’s fuel distribution network. The attack rendered over 3,500 stations across the country unable to dispense fuel, leaving drivers stranded for hours and causing significant public inconvenience. Customers attempting to purchase subsidized fuel at the government-set rate of 5 cents per liter using state-issued cards encountered a message reading "cyberattack 64411" on station machines, though the significance of this code remained unclear. Concurrently, electronic road billboards in multiple Iranian cities were hacked to display political messages such as "Khamenei! Where's our fuel?" and "Free fuel in Jamaran station," amplifying public attention to the incident. Initial local media reports attributed the outages to technical malfunctions before Iranian authorities confirmed a cyberattack. The disruption paralyzed a critical national infrastructure entity that had supplied oil products for over 80 years, highlighting vulnerabilities in systems managing fuel subsidies and distribution logistics.


Iran’s state television formally acknowledged the cyberattack following the widespread outages, while the Supreme Council of Cyberspace indicated preliminary assessments suggested state-sponsored involvement, though no specific nation or group was publicly named. Government officials attributed the incident to a "hostile country" without providing evidence. The attack’s focus on disrupting subsidized fuel access (a system reliant on government-issued payment cards) revealed precise targeting of socioeconomic mechanisms. Cybersecurity researchers noted parallels to a prior July 2021 incident where Iran’s train system was compromised by Meteor, a novel file-wiping malware, though no direct link between the two attacks was confirmed. Investigation efforts centered on determining the intrusion vector and scope of network compromise, while authorities worked to restore fuel distribution services amid public frustration. The incident underscored operational and security challenges within Iran’s energy infrastructure, with immediate consequences including economic disruption, political messaging through hijacked billboards, and reliance on manual processes during recovery. No definitive attribution or detailed technical analysis of the attack methodology was disclosed publicly during the investigation’s initial phase.
