Cyber Incident Victim: Iranian Civil Defense Agency
Date: Jun 2022
Location: Iran
Summary
Iran's steel industry was targeted in a cyberattack impacting southern production facilities, causing temporary operational disruptions before being neutralized. The Gonjeshk’e Darandeh hacker group claimed responsibility and has claimed earlier attacks on the country's systems, though these claims remain unverified. Iranian authorities attributed the incident to foreign adversaries, consistent with prior accusations against Israel following cyber operations against nuclear facilities, prisons, and municipal infrastructure.
Description
On June 27, 2022, Iran’s steel industry was targeted in a cyberattack affecting production facilities in southern Iran. The incident occurred on Monday morning, with the Fars news agency reporting disruptions based on information from Iran’s National Cyber Center. The attackers were identified as "foreign enemies," though no specific nation or entity was formally attributed in the initial reports. A hacker group named Gonjeshk’e Darandeh (translated as "Killer Sparrow") publicly claimed responsibility for the attack. The group had asserted involvement in earlier cyber operations against Iranian IT systems, though these claims remained unverified. The attack caused temporary disruptions to production operations, though Iranian authorities stated the intrusion was ultimately repelled. No technical details regarding the attack vector, malware, or data exfiltration were disclosed in available reports.

This incident followed a series of cyberattacks against Iranian entities in preceding months, including nuclear facilities in Natanz and Karaj, Tehran’s Evin Prison, and the Tehran municipal government. Iranian officials consistently attributed these attacks to Israel, characterizing them as actions by a hostile state actor. The National Cyber Center’s acknowledgment of the steel industry attack underscored ongoing vulnerabilities in critical infrastructure sectors. While the operational impact was limited to temporary production interruptions, the targeting of heavy industry signaled an escalation in adversary focus beyond traditional government or nuclear targets. Iranian civil defense authorities did not disclose specific remediation steps taken during or after the incident beyond the general assertion of having neutralized the threat.
