Cyberattack Shuts Down 70% of Iran’s Gas Stations, Israel Suspected
Alleged Israel-linked group takes credit. Targeting fuel stations through some vulnerability in the management software and then playing with it takes “a rare expertise among private sector hackers. [It’s] more relevant to governments.”
Nearly 70% of Iran’s 33,000 gas stations were taken out of service on Monday in an alleged cyberattack, and the reportedly Israel-linked hacker group, Predatory Sparrow (“Gonjeshke Darande” in Persian) has taken credit.
This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region. [Supreme Leader Ayatollah Ali] Khamenei, playing with fire has a price.
In its social network channels, Predatory Sparrow said it took “out a majority of the gas pumps throughout Iran. This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region. [Supreme Leader Ayatollah Ali] Khamenei, playing with fire has a price.”
Additionally, the hacking group shared screenshots of individual gas station information, payment system details, and the gas station management system from the stations’ central servers; reportedly taken from the gas stations’ networks.
The shutdown has been reported across the country, but especially in the capital of Tehran where it’s reportedly impossible to find fuel anywhere. Further, there are also reports of disruptions to the traffic light system in Tehran, although Predatory Sparrow doesn’t mention this in their admission.
Iranian state TV channels like Press TV and the Tasnim news agency downplayed reports of infiltration, characterizing the apparent attack as a “disruption” caused by software problems, and asking motorists to avoid heading to the pumps until further notice, to prevent long lines at the few remaining operational stations.
Iranian state TV also quotes the Iranian Oil Ministry as looking at the glass as half-full, saying “more than 30% of gas stations remain in service.”
Though “a similar countrywide technical failure occurred in 2021 that shut down a government system managing fuel subsidies in Iran,” continues Tasnim, and “the Civil Defense Organization of Iran said the Americans and Zionists” were behind the crash.
Predatory Sparrow likewise claimed responsibility for the apparent attack in 2021, as well as for attacks on Iran’s steel industry in 2022—in which factory networks were overloaded to the point of catching fire, and top-secret documents as well as tens of thousands of emails allegedly exposing companies’ practices and ties to Iran’s Islamic Revolutionary Guard Corps were leaked.
Security camera footage from inside an Iranian steel company. (@Darandegonjeshk on X)
Speculations Abound
Israel is largely thought to be behind the attack, suspected of employing the Predatory Sparrow as a proxy group for state-sanctioned actions.
Such state-sponsored proxy cyberwarfare is hardly exceptional, says Israeli cyber expert Lt. Col. (res.) Itai Yonat. Yonat is CEO and co-founder of Intercept 9500 Ltd., which specializes in countering “soft” warfare like cyberattacks. He tells The Media Line that “the Iranians are doing it a lot” themselves.
In the last study, his company conducted, Intercept 9500 found “30 to 40 different groups running attacks [against Israel] on behalf of Iranian proxies.”
Eli Zilberman Caspi, a co-founder and the COO of Konfidas, a cybersecurity and crisis management company, says the same thing—that governments often use proxy groups to achieve goals or some sort of impact in the field without having to take direct responsibility for the blowback.
Eli Zilberman Caspi, co-founder and COO of cybersecurity and crisis management company Konfidas. (Courtesy)
At a minimum, then, even if Predatory Sparrow is acting independently, the hacker group is believed to be composed of Israelis with Israeli expertise and capability.
“Looking at this operation, it needs more intelligence,” says Yonat. While acknowledging that the blame could certainly lie with independent actors, Yonat says that private hackers typically “search for things that they know that they can hack” like Windows computers that haven’t been updated. But targeting fuel stations through some vulnerability in the management software and then playing with it takes “a rare expertise among private sector hackers. [It’s] more relevant to governments.”
Adding to speculation of Israeli involvement is the fact that the attack sends a warning to Iran, as Iran is the state sponsor behind Hamas, Hizbullah, the Houthis, and other proxy terror groups that are in conflict with Israel.
Iran expert at the Ezri Center for Iran & Persian Gulf Studies of Haifa University, Dr. Thamar Eilam Gindin tells The Media Line that “when we’re talking about October 7, everybody says Iran is behind it. The Iranian Republic denies this, but they don’t deny that they gave Hamas training, money, equipment, infrastructure, and everything.”
Dr. Thamar Eilam Gindin, Iran expert at the Ezri Center for Iran & Persian Gulf Studies of Haifa University. (Courtesy)
“The Houthis are blocking the straits,” for example, says Yonat, so “you might want to signal to Iran that they’re not getting out of it [blame-free] just because they’re hiding behind the whole thing.”
Also, at the same time as the attack in Iran, the Israeli cyber system chose to reveal that Iran and Hizbullah carried out a cyberattack on the Ziv Hospital in Safed three weeks ago.
Another reason many attribute the gas-pump attack to Israel is that while it embarrasses Iran—sewing doubts among the public regarding Iran’s ability to function—it also explicitly avoided “civilian casualties.”
We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed
Just as they wrote after their previous operations in 2021 and 2022, Predatory Sparrow says, “This cyberattack was conducted in a controlled manner while taking measures to limit potential damage to emergency services. We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation.”
“I think this is Israel’s most significant fingerprint,” says Eilam Gindin, who compares the warning to ‘roof-knocker’ bombs used by Israel’s air force to warn civilians to evacuate a target location. “What other country warns the enemy [country’s] civilians before attacking?” she adds.
More importantly, support for Israel is strong among a majority of the Iranian public, which also harbors contempt for the regime. Therefore, it would be counterproductive for Israel to hurt them. “The Iranian people and the Islamic Republic are enemies of one another. So if you hurt the Islamic Republic, you do it for the people,” explains Eilam Gindin. And “if you want to target the Islamic Republic without hurting the people, you have to let them know in advance.”
The Iranians are nationalists and they like their country; and they don’t like it when people from outside play with their mind, even if they’re against the regime
In any case, whether the attack is state-sanctioned by Israel or not, Yonat says he doesn’t think the tactic has the intended payoff. The attack “theoretically installs the feeling of vulnerability, [in that] people from outside Iran can do whatever they want and the government can’t do anything because it’s impotent, or not skilled enough, or whatever. Personally, in my experience, it doesn’t work. The Iranians are nationalists and they like their country; and they don’t like it when people from outside play with their mind, even if they’re against the regime.”
In many cases, adds Zilberman Caspi, these attacks may even improve the cyber resilience of the [country] being attacked, “because next time, it will be more prepared. This is the reason Israel is more and more prepared and in good standing to resist cyberattacks … because Israel is all the time being attacked by Iranians and Iranian proxies.”
Zilberman Caspi explains that since the start of the Israel-Hamas war, there has been a 50% increase in “wiper activities” whose aim is to inflict as much damage as possible and a 20% increase in ransomware attacks—where pro-Iran or Iran proxy groups try to do the job and make a financial profit at the same time “to kill two birds with one stone.”
But even before October 7, “we had 200 Iranian attacks in Israel per month,” he says.
