A major cyberattack has hit the Iranian steel industry today, with hackers claiming to have taken control of systems at three state-owned companies. The incident may be the latest salvo in the escalating cyberwar between Iran and Israel.
Khuzestan Steel Company confirmed on Monday morning that it had closed its plant “until further notice” due to technical issues caused by a cyber incident. Hacking gang Gonjeshke Darande, which has previously carried out attacks on Iranian infrastructure that have been linked to Israel, subsequently posted a video on Twitter stating that it had hacked Khuzestan as well as two other steel businesses – the Mobarakeh Steel Company and the Hormozgan Steel Company.
The video contains footage which purports to show the hacking group taking control of machinery inside one of the plants.
Gonjeshke Darande also posted screenshots which appear to be from inside the systems of the companies it has hacked.
Iran steel industry cyberattack: why did Gonjeshke Darande strike?
In its video, Gonjeshke Darande says: “These companies are subject to international sanctions but continue their operations despite the restrictions.” It adds: “These cyberattacks, being carried out carefully to protect innocent individuals, are in response to the aggression of the Islamic Republic.”
Khuzestan CEO Amin Ebrahimi told local reporters that the attack on his company was thwarted in time to prevent structural damage to production lines, so supply chains and customers would not be impacted. “Fortunately with time and awareness, the attack was unsuccessful,” he told the Mehr news agency, adding that the business hoped to resume operation by the end of Monday. At the time of writing, however, its website is still down.
Iranian infrastructure targeted in cyberwar with Israel
The steel industry attacks are the latest to hit Iranian infrastructure in recent months as cyber tensions with Israel increase. Last year the New York Times reported that both countries were investing in their cyber capabilities to enable them to hit a broader range of targets, including civilians.
In October, petrol stations across Iran were disrupted by a cyberattack that US officials attributed to Israel. Screens on petrol pumps displayed the message “cyberattack” along with 64411, the phone number of the Office of Iran’s Supreme Leader, Ali Khamenei. Gonjeshke Darande subsequently claimed responsibility for this breach.
A similar attack had taken place on the country’s rail network in July, bringing trains to a standstill, with display screens also showing the Supreme Leader’s number and instructing passengers to direct their complaints his way. Researchers at security company SentinelLabs were able to reconstruct how this attack took place, and said the hackers behind it deployed wiper software, Meteor, as part of the breach.
Meanwhile, hackers linked to Iran have been attacking targets in Israel. Last week, Tech Monitor reported that missile attack warning sirens were activated in two Israeli cities, Jerusalem and Eilat, and rang for almost an hour. The Israeli Defence Force reassured civilians that the sirens were a false alarm, which it initially attributed to a ‘malfunction’, but later said they sounded as the result of a cyberattack.
Israeli security company Check Point has also recently highlighted a spearphishing operation by Iranian hackers that targeted high-ranking Israeli officials, including former foreign minister Tzipi Livni, while in April, the Israel Airport Authority’s website was taken offline by a distributed denial of service attack by the Altharea Team, a group “suspected to be operated by Iran, or Iraqis that support Iran”.
Iran-linked cyberattacks have also struck UK-based targets. Last month, the Port of London Authority’s website was taken down by a denial of service attack by Altharea Team.