Predatory Sparrow is distinguished most of all by its apparent interest in sending a specific geopolitical message with its attacks, says Juan Andres Guerrero-Saade, an analyst at cybersecurity firm SentinelOne who has tracked the group for years. Those messages are all variations on a theme: If you attack Israel or its allies, we have the ability to deeply disrupt your civilization. “They’re showing that they can reach out and touch Iran in meaningful ways,” Guerrero-Saade says. “They’re saying, ‘You can prop up the Houthis and Hamas and Hezbollah in these proxy wars. But we, Predatory Sparrow, can dismantle your country piece by piece without having to move from where we are.’”
Here’s a brief history of Predatory’s short but distinguished track record of hyper-disruptive cyberattacks.
2021: Train Chaos
In early July of 2021, computers showing schedules across Iran’s national railway system began to display messages in Farsi declaring the message “long delay because of cyberattack,” or simply “canceled,” along with the phone number of the office of Iran’s Supreme Leader Ali Khamenei, as if to suggest that Iranians call the number for updates or to complain. SentinelOne’s Guerrero-Saade analyzed the malware used in the attack, which he dubbed Meteor Express, and found that the hackers had deployed a three-stage wiping program that destroyed computers’ file systems, locked out users, and then wiped the master boot record that machines use to locate their operating system when they start up. Iran’s Fars radio station reported that the result of the cyberattack was “unprecedented chaos,” but it later deleted that statement.
Around the same time, computers across the network of Iran’s Ministry of Roads and Urban Development were hit with the wiper tool, too. Analysis of the wiper malware by Israeli security firm CheckPoint revealed that the hackers had likely used different versions of the same tools years earlier while breaking into Iran-linked targets in Syria, in those cases under the guise of a hacker group named for the Hindu god of storms, Indra.
“Our goal of this cyber attack while maintaining the safety of our countrymen is to express our disgust with the abuse and cruelty that the government ministries and organizations allow to the nation,” Predatory Sparrow wrote in a post in Farsi on its Telegram channel, suggesting that it was posing as an Iranian hacktivist group as it claimed credit for the attacks.
2021: Gas Station Paralysis
Just a few months later, on October 26, 2021, Predatory Sparrow struck again. This time, it targeted point-of-sale systems at more than 4,000 gas stations across Iran—the majority of all fuel pumps in the country—taking down the system used to accept payment by gasoline subsidy cards distributed to Iranian citizens. Hamid Kashfi, an Iranian emigré and founder of the cybersecurity firm DarkCell, analyzed the attack but only published his detailed findings last month. He notes that the attack’s timing came exactly two years after the Iranian government attempted to reduce fuel subsidies, triggering riots across the country. Echoing the railway attack, the hackers displayed a message on fuel pump screens with the Supreme Leader’s phone number, as if to blame Iran’s government for this gas disruption, too. “If you look at it from a holistic view, it looks like an attempt to trigger riots again in the country,” Kashfi says, “to increase the gap between the government and the people and cause more tension.”
The attack immediately led to long lines at gas stations across Iran that lasted days. But Kashfi argues that the gas station attack, despite its enormous effects, represents one where Predatory Sparrow demonstrated actual restraint. He inferred, based on detailed data uploaded by Iranian incident responders to the malware repository VirusTotal, that the hackers had enough access to the gas stations’ payment infrastructure to have destroyed the entire system, forcing manual reinstallation of software at gas stations or even reissuing of subsidy cards. Instead, they merely wiped the point-of-sale systems in a way that would allow relatively quick recovery.