Is this the sequel to Stuxnet? A cyberattack this week has put Iranian steel manufacturing in the crosshairs.
A hacking group by the name of Gonjeshke Darande (Farsi for Predatory Sparrow) hit the networks of three of Iran's largest steel companies: Khouzestan Steel, Hormozgan Steel, and Mobarakeh Steel.
The group announced its attack on June 26th in a tweet, with video footage from inside a steel manufacturing plant showing the explosive kinetic consequences.
The AP reported that the equipment shown is that of Khouzestan Steel, which had to shut down operations due to technical failure. The two other targeted companies did not report any operational disruptions as a result of the cyberattack.
Text in the video claimed this as the motive:
"These companies are subject to international sanctions and continue their operations despite the restrictions. These cyberattacks, being carried out carefully so to protect innocent individuals, are in response to the aggression of the Islamic Republic."
In January 2020, the U.S Treasury's Office of Foreign Assets Control sanctioned the three steel manufacturers. The hacking group claims these companies are affiliated with the Islamic Revolutionary Guard Corps (IRGC) and Basij, a paramilitary volunteer militia established by Ayatollah Khomeini.
Security researchers from Check Point documented their findings on the incident. Their analysis identified the malware as a variant of the Meteor data-wiping malware that targeted Iran's national railway system and government in 2021.
Gonjeshke Darande posted screen grabs of an OT control panel of one of the targeted facilities, indicating they may have been successful in seizing control of the industrial equipment.
According to Certfa Lab, a nonprofit specializing in Iranian cybersecurity and privacy matters, the software interface shown was that of Irisa Company, a vendor providing network and industrial infrastructure services.