{
	"id": "8a36c906-05ac-4630-9ee5-a5dc5ced9a09",
	"created_at": "2026-04-06T00:06:33.247229Z",
	"updated_at": "2026-04-10T13:12:23.93325Z",
	"deleted_at": null,
	"sha1_hash": "eca206a64bc3f75ba40711c164dc88347c1e4fd0",
	"title": "Predatory Sparrow: Who are the hackers who say they started a fire in Iran?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1722294,
	"plain_text": "Predatory Sparrow: Who are the hackers who say they started a\r\nfire in Iran?\r\nBy Joe Tidy\r\nPublished: 2022-07-10 · Archived: 2026-04-05 14:24:09 UTC\r\nPredatory Sparrow\r\nThe steel factory shortly before the fire\r\nIt's extremely rare for hackers, who operate in the digital world, to cause damage in the physical world.\r\nBut a cyber-attack on a steel maker in Iran two weeks ago is being seen as one of those significant and troubling\r\nmoments.\r\nA hacking group called Predatory Sparrow said it was behind the attack, which it said caused a serious fire, and\r\nreleased a video to back up its story.\r\nThe video appears to be CCTV footage of the incident, showing factory workers leaving part of the plant before a\r\nmachine starts spewing molten steel and fire. The video ends with people pouring water on the fire with hoses.\r\nIn another video that surfaced online, factory staff can be heard shouting for firefighters to be called and\r\ndescribing damage to equipment.\r\nPredatory Sparrow, also known by its Persian name, Gonjeshke Darande, says this was one of three attacks it\r\ncarried out against Iranian steel makers on 27 June, in response to unspecified acts of \"aggression\" carried out by\r\nthe Islamic Republic.\r\nhttps://www.bbc.com/news/technology-62072480\r\nPage 1 of 5\n\nThe moment when Predatory Sparrow says it caused the fire\r\nThe group has also started sharing gigabytes of data it claims to have stolen from the companies, including\r\nconfidential emails.\r\nOn its Telegram page Predatory Sparrow posted: \"These companies are subject to international sanctions and\r\ncontinue their operations despite the restrictions. 
These cyber-attacks, being carried out carefully to protect\r\ninnocent individuals.\"\r\nThat last sentence has pricked the ears of the cyber-security world.\r\nClearly the hackers knew that they were potentially putting lives in danger, but it seems they were at pains to\r\nensure the factory floor was empty before they launched their attack - and they were equally eager to make sure\r\neveryone knew how careful they had been.\r\nThis has led many to wonder whether Predatory Sparrow is a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an\r\noperation.\r\n\"They claim themselves to be a group of hacktivists, but given their sophistication, and their high impact, we\r\nbelieve that the group is either operated, or sponsored by, a nation state,\" says Itay Cohen, head of cyber research\r\nat Check Point Software.\r\nPredatory Sparrow\r\nPredatory Sparrow has a Telegram channel, Twitter account and even a logo\r\nIran has been the victim of a spate of recent cyber-attacks that have had an impact in the real world but nothing as\r\nserious as this.\r\n\"If this does turn out to be a state sponsored cyber-attack causing physical - or in the war studies jargon 'kinetic'\r\ndamage - this could be hugely significant,\" says Emily Taylor, Editor of the Cyber Policy Journal.\r\n\"Historically the Stuxnet attack on Iran's uranium enrichment facilities in 2010, has been highlighted as one of the\r\nfew - if not the only known - example of a cyber-attack causing physical damage.\"\r\nStuxnet was a computer virus first discovered in 2010 that damaged or destroyed centrifuges at Iran's uranium\r\nenrichment facility in Natanz, hampering its nuclear programme.\r\nSince then there have been very few confirmed cases of 
physical damage.\r\nEPA\r\nNatanz is heavily protected, with its most sensitive machinery housed deep underground\r\nPossibly the only one came in 2014 in Germany. In the annual report of the German cyber authority it was stated\r\nthat a cyber-attack caused \"massive damage\" to a steel factory, causing an emergency shutdown, but no further\r\ndetails have ever been given.\r\nThere have been other cyber-attacks that could have caused serious damage but didn't succeed. For example,\r\nhackers have tried but failed to add chemicals to the water supply by taking control of water treatment facilities.\r\nIt's more common for cyber-attacks to cause disruption - to transport networks for example - without causing real\r\nphysical damage.\r\nEmily Taylor says it's a significant distinction because if a state is proven to have caused physical damage to the\r\nIranian steel factory it may have violated international laws prohibiting the use of force, and provided Iran with\r\nlegal grounds to hit back.\r\nSo if Predatory Sparrow is a state-sponsored military hacking group, which country does it represent? Its name, a\r\nplay on the name of the Iranian cyber-warfare group, Charming Kitten, could be a clue, suggesting that it's a\r\ncountry with a strong interest in Iran.\r\nThe Stuxnet attack is widely thought to have been carried out by Israel, with support from the US. 
And this time\r\nthe murmurings linking the Predatory Sparrow attack with Israel have been loud enough to prompt a response\r\nfrom the Israeli government.\r\nAccording to Israeli media reports, Defence Minister Benny Gantz has ordered an investigation into leaks that led\r\nto Israeli journalists heavily hinting that Israel is behind the hack.\r\nThe minister is reportedly concerned that Israel's \"ambiguity policy\" on its operations against Iran might have\r\nbeen broken.\r\n\"If this cyber-attack is state-sponsored then of course Israel is the prime suspect. Iran and Israel are in a cyber-war,\r\nand officially both states acknowledge this,\" says Ersin Cahmutoglu from ADEO Cyber Security Services in\r\nAnkara.\r\n\"Both states mutually organise cyber-attacks through their intelligence services and everything has escalated since\r\n2020 when retaliation came from Israel after Iran launched a failed cyber-attack on Israeli water infrastructure\r\nsystems and attempted to interfere with the chlorine level.\"\r\nPredatory Sparrow hijacked road signs to spread chaos in Iran\r\nIn October last year Predatory Sparrow claimed responsibility for taking Iran's national fuel station payment\r\nsystem offline. 
The group also said it had been behind a hack that hijacked digital billboards on roads, making\r\nthem display a message saying, \"Khamenei, where is our fuel?\" - a reference to the country's supreme leader,\r\nAyatollah Ali Khamenei.\r\nAgain, the hackers showed a degree of responsibility by warning Iran's emergency services in advance about the\r\npotential chaos that could result.\r\nCheck Point researchers say they have also found code in the malicious software used by Predatory Sparrow that\r\nmatches code used by another group, called Indra, that hacked Iranian train station displays in July last year.\r\nAccording to Iranian news reports, hackers indicated on information boards at stations across the country that\r\ntrains were cancelled or delayed, and urged passengers to call the supreme leader.\r\nBut experts say the steel factory attack is a sign that the stakes are getting higher.\r\nFARS\r\nIn August 2021 train station displays were hacked causing confusion to rail users\r\nAccording to the CEO of Mobarakeh Steel Company, where the fire apparently took place, the plant's operations\r\nwere not affected by the attack and no-one was hurt. The two other companies targeted also said they experienced\r\nno problems.\r\nNariman Gharib, a UK-based opposition Iranian activist and independent cyber-espionage investigator, is\r\nconvinced the video is genuine. He notes that two other videos of the fire were also posted on Twitter.\r\n\"The attack was real, as workers recorded video from another angle and we saw a statement posted on one\r\ncompany's Telegram channel regarding the suspension of the production line, which was later denied.\"\r\nHe fears a threshold has now been crossed.\r\n\"If Israel is behind these attacks, I think they are showing that they can do real damage rather than just disrupting\r\na service. 
It shows how things can quickly escalate.\"\r\nSource: https://www.bbc.com/news/technology-62072480",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bbc.com/news/technology-62072480"
	],
	"report_names": [
		"technology-62072480"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eca206a64bc3f75ba40711c164dc88347c1e4fd0.pdf",
		"text": "https://archive.orkl.eu/eca206a64bc3f75ba40711c164dc88347c1e4fd0.txt",
		"img": "https://archive.orkl.eu/eca206a64bc3f75ba40711c164dc88347c1e4fd0.jpg"
	}
}