
On December 18th [1], Reuters reported that the hacker organization Predatory Sparrow, linked to Israel and also known as Gonjeshke Darande and Indra, launched an attack on Iranian gas stations on Monday, resulting in approximately 70% of Iran's gas station services being disrupted.

In a statement on their Telegram channel [2], the group claimed that "this cyber attack was carried out in a controlled manner to avoid potential harm to emergency services" and declared it as a "response to the aggressive actions of the Islamic Republic and its proxies in the region."

The attackers operate a Twitter account created in December 2023 [3].

They have shared the following information:

  • Details of various gas stations
  • Payment system details
  • Additional images captured within their network
  • Access to gas station management systems from each station's central server


Historical Attacks Associated with the Organization

Against the Iranian Railway Company

The organization, operating under the nickname Indra on various platforms such as Twitter, Facebook, Telegram, and YouTube, has a political ideology, targets specific entities, and openly discloses its responsibility for attacks through messages and online status. Their posts, mostly in English and non-native Arabic, express opposition to collaboration between companies and the Iranian regime, particularly with the Holy City Brigade and Hezbollah.

Background images used for attacks on Alfadelex, Katerji, and Arfada also appear in cover photos on Indra's Twitter and Facebook accounts. The image below shows the wallpaper set on a victim's machine, with text admitting responsibility for the attack.

On July 10, 2021, the website of the Iranian Ministry of Roads and Urbanization reported [5] the cessation of services after another "network interruption." Iranian social media circulated [6] a photo of a monitor from a compromised computer, and the attackers claimed responsibility for the consecutive attacks.

A few days later, the Iranian cybersecurity company Amnpardaz Software [7] released a brief technical analysis of the alleged malicious software related to these attacks, known as Trojan.Win32.BreakWin. During this period, SentinelOne also published a relevant report [8] based on Amnpardaz's analysis. CheckPoint's researchers conducted their own analysis of the available information [4], and the following is their process diagram:

The attack commenced with Active Directory group policy, which pushed a scheduled task to all computers in the domain. The task's name mimicked the legitimate Windows Power Efficiency Diagnostics Report tool to avoid suspicion. The subsequent stages were target filtering (checking for specific values tied to the Iranian Passenger Information System, PIS), malicious file downloads, tool extraction, network disconnection, antivirus checks, boot configuration corruption, trace removal (primarily logs), and execution of the main payload. The attackers developed and deployed at least three different versions of wipers in the victim's network, named Meteor, Stardust, and Comet.
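As an added illustration, not taken from the article or from CheckPoint's report, the following Python checker shows how a defender could hunt for the masquerading scheduled task described above in Windows Security Event ID 4698 (scheduled task created) records. It assumes that the only legitimate task in the "\Microsoft\Windows\Power Efficiency Diagnostics\" folder runs powercfg.exe and is authored by Microsoft; the sample events, including the task name "AnalyzeAll" and the command paths, are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumption (not from the article): the genuine Windows task in this folder
# runs powercfg.exe and is authored by Microsoft. Anything else registered
# under the same folder name is treated as masquerading.
TASK_FOLDER = "\\Microsoft\\Windows\\Power Efficiency Diagnostics\\"
LEGIT_COMMAND = "powercfg.exe"

# Constructed sample 4698 records as (task name, TaskContent XML) pairs.
# Real events carry the task definition XML in the TaskContent field, with a
# schema namespace that the parser below tolerates.
SAMPLE_EVENTS = [
    (TASK_FOLDER + "AnalyzeSystem",
     "<Task><RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>"
     "<Actions><Exec><Command>%windir%\\system32\\powercfg.exe</Command>"
     "<Arguments>-energy -auto</Arguments></Exec></Actions></Task>"),
    (TASK_FOLDER + "AnalyzeAll",
     "<Task><RegistrationInfo><Author>CORP\\svc_gpo</Author></RegistrationInfo>"
     "<Actions><Exec><Command>C:\\Windows\\Temp\\setup.bat</Command></Exec></Actions></Task>"),
    ("\\CorpIT\\Backup",
     "<Task><Actions><Exec><Command>backup.exe</Command></Exec></Actions></Task>"),
]

def extract(xml_text):
    """Return (author, [commands]) from a task definition, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    author, cmds = None, []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the mit/task namespace if present
        if tag == "Command":
            cmds.append((el.text or "").strip())
        elif tag == "Author":
            author = (el.text or "").strip()
    return author, cmds

def classify(task_name, xml_text):
    """Return a reason string if the task is suspicious, else None."""
    if not task_name.lower().startswith(TASK_FOLDER.lower()):
        return None  # only tasks borrowing the trusted folder name are of interest
    author, cmds = extract(xml_text)
    basename = lambda c: c.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    bad = [c for c in cmds if basename(c) != LEGIT_COMMAND]
    if bad:
        return f"task {task_name} in Power Efficiency Diagnostics folder runs {bad[0]}"
    if author and not author.lower().startswith("microsoft"):
        return f"task {task_name} registered by non-Microsoft author {author}"
    return None

def hunt(events):
    """Run classify over (name, xml) pairs and return the findings."""
    return [r for name, xml in events if (r := classify(name, xml))]
```

In production the same logic would read the TaskName and TaskContent fields from exported 4698 events, and the GPO-driven creation on many hosts within minutes is itself a second signal worth correlating.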


Against Syrian Companies such as Katerji, Arfada, Alfadelex

The aforementioned CheckPoint report also summarized the organization's attack activities before 2021:

  • September 2019: Attack against Alfadelex Trading, a currency exchange and remittance services company in Syria.
  • January 2020: Attack against Cham Wings Airlines, a private airline in Syria.
  • February and April 2020: Compromise of the network infrastructure of two Syrian companies, Arfada and Katerji Group.
  • November 2020: Threat to attack the Syrian Banias Refinery by Indra, though CheckPoint was unclear if it was carried out.

The initial payload of this attack was a VBS script named "resolve.vbs," extracting an archive containing another RAR file and three additional VBS files. The resolve.vbs script sequentially ran the extracted scripts, communicating with the server and tracking activities:

  • The first script checked installed programs and attempted to uninstall Kaspersky antivirus using hardcoded domain credentials.
  • The second script checked if the Kaspersky avp.exe process was running and attempted to remove the Kaspersky license.
  • The final script extracted the second-stage RAR archive and ran the executable file.

Against Iranian Steel Manufacturers

In 2022, CheckPoint researchers discovered related attack activities targeting Iranian steel manufacturers. On June 28th [9], files related to the Iranian steel industry were found, and preliminary analysis indicated a connection to the previous year's attack on the Iranian railways. The attackers announced the attack, with the "Predatory Sparrow" logo displayed to the victims. The primarily affected companies were Khuzestan Steel Company (KSC), Iran Marine Oil Company, the Ministry of Roads and Urban Development, and the Iranian Railway Company.

As in the organization's previous attacks, the same taunt was reused, directing victims to call the office of Iran's Supreme Leader at "64411."

Researchers also found an executable file named "Chaplin.exe" used in this attack, a variant of the "Meteor" wiper from the previous year's attacks on Iran's railways and government. While sharing a codebase, Chaplin differs from Meteor and its earlier variants, Stardust and Comet, in that it lacks wiping functionality.

On July 11, 2022, BBC reported [10] on the incident, emphasizing a severe fire ignited by the attack. The attackers released a video, seemingly CCTV footage, showing factory workers leaving a part of the facility before machines started emitting molten steel and flames. In another video posted online, factory staff can be heard shouting for firefighters and describing equipment damage. The organization claimed this was one of three attacks launched on June 27th against Iranian steel manufacturers in response to unspecified "aggression" by Iran. The organization also began sharing what they claimed to be billions of bytes of data stolen from these companies, including confidential emails.


Reference links

[1]. https://www.reuters.com/world/middle-east/software-problem-disrupts-iranian-gas-stations-fars-2023-12-18/

[2]. https://t.me/GonjeshkeDarandeOfficial/3

[3]. https://twitter.com/darandegonjeshk

[4]. https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/

[5]. https://ir.voanews.com/a/top-stories_azari-jahromi-iran-cyberwarfare/6126599.html

[6]. https://twitter.com/hoseinrazzagh/status/1413815059835392001

[7]. https://threats.amnpardaz.com/malware/trojan-win32-breakwin/

[8]. https://www.sentinelone.com/labs/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/

[9]. https://twitter.com/_cpresearch_/status/1541753913732366338

[10]. https://www.bbc.com/news/technology-62072480
