The Iran Steel Industry Cyber Attack Explained

A Change In The Air

Iran’s steel industry was hit by a hacktivist group calling themselves “Goneshke Darande” [Predatory Sparrow] on June 27th, 2022. The attack focused specifically on three steel companies that are currently subject to international sanctions: Mobarakeh Steel Company, Hormozgan Steel Company, and Khuzestan Steel Industries. This blog will investigate the Khuzestan attack.

At 3:08:22 pm local time, footage from a compromised internal plant camera at Khuzestan shows the loss of control, and within 12 minutes the camera captures a catastrophic failure. In the video it appears that there is a disruption in the vacuum degassing stage of the ladle metallurgy process, where the molten steel in the ladle is held under vacuum to remove dissolved gases entrained in the steel before it is poured. This is problematic because even a few parts per million of hydrogen gas remaining in the pour cause massive defects and a drastic loss of structural integrity.

The attackers posted images from the compromised ICS leading up to the event on their Twitter account.

Screenshot posted by the threat actors before the attack

From this screenshot we can deduce that the Khuzestan Steel Factory was using a Siemens PCS7 Process Control System and, based on the graphics, most likely S7-400 controllers. Digging a little deeper into the OSINT (open-source intelligence), it appears that IRISA International Systems Engineering & Automation Company worked on designing and implementing various portions of the steel factory.

Industrial automation system of ladle furnace

In my book Pentesting Industrial Control Systems, under Section 2 – Understanding the Cracks, Chapter 4 – Open Source Ninja, I elaborate on the fact that gaining insight into openly available data about a client’s industry, process, employees, equipment, and technology is absolutely essential. Throughout the chapter I go on to caution companies, and specifically blue teamers, to monitor the social media posts of employees and third-party vendors, as they might innocently and non-maliciously publish critical information related to your company’s production environment.
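
As an added illustration of the monitoring advice above (not code from the book or from SCADAfence), this Python example reviews public posts for combinations of details that tie a named site to its control system, the kind of combination this post drew from a screenshot and an integrator's page. The organisation name "Example Steel", the post records, the pattern lists and the severity rule are all constructed assumptions.

```python
import re

# Detail categories that, combined, let an outsider fingerprint a plant.
# The patterns are illustrative assumptions; extend them from your asset inventory.
CATEGORIES = {
    "vendor": re.compile(r"\bsiemens\b", re.I),
    "product": re.compile(r"\b(pcs\s?7|s7-\d{3,4})\b", re.I),
    "process": re.compile(r"\b(ladle furnace|vacuum degassing|ladle metallurgy)\b", re.I),
    "artifact": re.compile(r"\b(screenshot|hmi|control room|operator station)\b", re.I),
    "network": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def classify(text):
    """Return the sorted disclosure categories found in one post."""
    return sorted(name for name, rx in CATEGORIES.items() if rx.search(text))

def review(posts, org_terms):
    """Return (severity, author, categories) for posts that name the organisation."""
    findings = []
    for post in posts:
        text = post["text"]
        hits = classify(text)
        if not hits or not any(t.lower() in text.lower() for t in org_terms):
            continue  # generic industry chatter, not tied to our site
        # A product or network detail plus other context, attached to a named
        # site, is what allows fingerprinting; a lone hit only needs a look.
        specific = {"product", "network"} & set(hits)
        severity = "high" if specific and len(hits) >= 2 else "review"
        findings.append((severity, post["author"], hits))
    return sorted(findings, key=lambda f: f[0] != "high")  # high first

# Constructed sample posts; "Example Steel" is a hypothetical organisation.
SAMPLE_POSTS = [
    {"author": "employee", "text": "Night shift in the control room at Example Steel."},
    {"author": "integrator", "text": "Commissioned the ladle furnace automation at "
                                     "Example Steel: Siemens PCS7 with S7-400 controllers."},
    {"author": "conference", "text": "Great talk on Siemens PCS7 migration strategies."},
    {"author": "recruiter", "text": "Example Steel is hiring welders."},
]

if __name__ == "__main__":
    for severity, author, hits in review(SAMPLE_POSTS, ["Example Steel"]):
        print(f"{severity:6} {author:10} {', '.join(hits)}")
```

Posts that mention a product without naming the site, or the site without any control-system detail, are dropped, so the output concentrates on the combinations worth raising with the employee or vendor.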

The silver lining of this cyber incident is that no one was hurt and it may open more discussions on industrial cyber security awareness.

To learn more about how the SCADAfence Platform can protect your OT network request a demo today.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.


