Iran’s steel industry was hit by a hacktivist group calling themselves “Gonjeshke Darande” [Predatory Sparrow] on June 27th, 2022. The attack focused specifically on three steel companies that are currently subject to international sanctions: Mobarakeh Steel Company, Hormozgan Steel Company, and Khuzestan Steel Industries. This blog will investigate the Khuzestan attack.
At 3:08:22 pm local time, a compromised internal plant camera at Khuzestan shows the loss of control, and within 12 minutes the camera captures catastrophic failure. In the video it appears that there is a disruption in the vacuum degassing stage of the ladle metallurgy process, where the molten steel in the ladle is held under vacuum to remove dissolved gases entrained in the steel before it gets poured. This is problematic because even a few parts per million of hydrogen gas remaining in the pour cause massive defects and drastic loss of structural integrity.
The attackers posted images from the compromised ICS leading up to the event on their Twitter account.
From this screenshot we can deduce that the Khuzestan Steel Factory was using a Siemens PCS7 Process Control System, and based on the graphics it was most likely running S7-400 controllers. Digging a little deeper into the OSINT (Open Source Intel), it appears that IRISA International Systems Engineering & Automation Company worked on designing and implementing various portions of the steel factory.
In my book Pentesting Industrial Control Systems, under Section 2 - Understanding the Cracks, Chapter 4 - Open Source Ninja, I elaborate on the fact that gaining insight into openly available data for a client’s industry, process, employees, equipment, and technology is absolutely essential. Throughout the chapter I go on to caution companies, and specifically blue teamers, to monitor social media posts of employees and 3rd party vendors, as they might innocently and non-maliciously publish critical information related to your company's production environment.
The silver lining of this cyber incident is that no one was hurt and it may open more discussions on industrial cyber security awareness.
To learn more about how the SCADAfence Platform can protect your OT network, request a demo today.