For all the disappointment over the lack of spectacular cyber warfare in Ukraine, there’s very little interest in the “textbook cyberwar” scenarios unfolding around Iran. Albania has just severed diplomatic ties with Iran over the cyber attacks of July 15th. The Prime Minister announced this in a dramatic fashion with strong language. Iran is embroiled in a cyber war, very much like the pundits envisioned.
How did we get here?
For years, groups have been engaged in leak operations targeting Iranian hacking teams. But in late 2021, the cyber warfare escalated dramatically when the Predatory Sparrows degraded critical national infrastructure via cyber. They disrupted the rail system and displayed politically charged messages to passengers. The Predatory Sparrows changed the parameters of the conflict.
Since that initial attack against the rail network, the Predatory Sparrows have conducted multiple cyber-spectaculars against Iran.
- Fuel riot remembrance: They cut off petrol distribution in a major city, timed to coincide with the anniversary of significant fuel riots just two years prior
- Prison exposure?: CCTV footage of the inside of a notorious Iranian prison leaked. (This has not been definitively linked to the Sparrows.)
- Molten steel beams: they destroyed steel plants that the US had sanctioned for …something related to the Iran regime (they don’t explain why they sanction specific entities)
- Released vast amounts of data from the plants, including at least 78 gigs of emails.
The Predatory Sparrows have done the sorts of attacks which are supposed to be the hallmarks of CyberWar™:
- Physical damage
- Critical national infrastructure
- Complex international messaging
- Cool videos
The Predatory Sparrows attacks are lifted straight from the pages of cyber Pearl Harbor fanfic. Yet, given how little attention they have garnered, it seems like the cyber pundits believe “cyber war” is shorthand for “what Russia does.”
Iran attacks NATO over zombie party
In mid-July, Albania was targeted by massive cyberattacks that caused significant damage to government systems. The attackers used wipers and malware based on known Iranian tooling.
Albania appears to have been chosen because the Iranian opposition group MEK was sponsoring a conference scheduled for July 23rd. MEK is not a real threat to the Iranian regime.
The malware used in the attack contained the notional hacker group’s name and contact details, including their website. On the website was a logo referencing the Predatory Sparrows.
On the left is the Predatory Sparrows logo, and on the right is the logo of the group that attacked Albania. The keen-eyed observer will notice that both have lines resembling the traces and pads of a PCB. And also an Angry Birds character.
In-depth research by Mandiant positively linked the group to Iran. Albania, and the US National Security Council, have confirmed the attribution. Albania has already severed diplomatic ties, and the US is promising to hold Iran accountable.
Over the line!
For the first time in history, a cyber warfare event has “crossed the line.” Albania has established a baseline for cyber warfare that is significant enough to warrant a state response.
For all the talk about strategic ambiguity, and “reserving the right to retaliate” for “cyber attacks that cross the line” there has never actually been an attack that crossed the line. Until now.
WTF is going on?
This is what a real actual genuine full-blown cyber conflict involving multiple states looks like.
The long-running war between Iran and Israel has been playing out in cyber for years now. The Iranians unsuccessfully attacked an Israeli water treatment plant (gets a lot of press) and have recently been conducting large-scale hack and leak attacks against Israeli organisations (doesn’t get any press.) The Israelis have, almost certainly, conducted impressive complex symbolic cyberattacks under the cover of the Predatory Sparrows.
One hypothesis is that the Iranians felt the need to respond to the Predatory Sparrows and chose the MEK conference as the focal point. They attacked the Albanian government in a show of force cyber campaign, ransomwaring and wiping critical government systems. The disruption was significant enough to impact the government’s ability to run the country.
Where are we going?
The attack was not the work of a bunch of criminals operating independently. It was the deliberate offensive action of a state, using state agencies to enact the will of the government.
Iran appears to have overstepped in their calculations, and Albania is treating the attack as a serious international incident.
Leave a Reply