Analysts say a cyberattack earlier this week that disrupted the sale of subsidized fuel in Iran appears to be the latest in a series of cyberstrikes between Tehran and its rivals.
The incident, which led to chaos and criticisms of Iran's preparedness for cyberthreats, is seen as a warning to the Islamic republic. It came ahead of the second anniversary of deadly protests over a sudden rise in the price of gasoline -- protests that quickly turned into demonstrations against the clerical establishment.
Warning Shot?
"The message here is that we not only have the capabilities to breach your infrastructure system -- a system that will immediately affect Iran from border to border -- but also to cripple [it]," Tel Aviv-based cybersecurity expert Tal Pavel told RFE/RL.
"It’s not by mistake that the entity that did the attack chose gas stations," said Pavel, the director and founder of the Institute for Cyber Policy Studies in Israel.
The October 26 attack, which targeted the electronic transaction system used to distribute the subsidized fuel, paralyzed more than 4,000 gas stations across the country and resulted in long lines of angry motorists unable to use their government-issued smart cards.
Around the same time, digital billboards on highways in the capital, Tehran, and Isfahan reportedly displayed a message calling out Supreme Leader Ayatollah Ali Khamenei, criticism of whom is a red line to the authorities of the Islamic republic.
"Khamenei, where is our gas?" the messages read.
The semiofficial ISNA news agency reported that those trying to buy fuel with their smart cards received a message saying "cyberattack 64411." ISNA later removed the story and claimed it had been hacked. The number 64411 is a telephone number listed on the website of Khamenei’s office for women’s religious questions.
Officials later acknowledged that the country had been hit by a cyberattack, saying it was likely carried out by a foreign country, which they did not name. Authorities have in the past commonly accused Israel and the United States of being behind hacking incidents in the country.
While a little-known hacktivist group calling itself Predatory Sparrow took responsibility for the attack, experts said the incident bore the hallmarks of a state-sponsored attack.
"I think the ability to penetrate, to breach critical information, a system, is something that may reflect nation-state capabilities rather than local opposition or hacktivists' capabilities," Pavel said. "We’ve also never seen such a thing in the past by hacktivists."
'Many Weaknesses'
Amir Rashid, the New York-based director of Internet security and digital rights at the Miaan Group, told RFE/RL's Radio Farda that it wasn’t clear "if a foreign government conducted the attack or whether it [the foreign government might have] used some groups to perform the attack," adding that the attack exposed what he described as Iran's "many weaknesses" in the cybersecurity sphere.
"Instead of removing these weaknesses, Iranian officials have been concentrating on digital repression, censorship, and Internet shutdowns," he said, adding that the Iranian authorities are also considering a bill that would intensify Internet censorship and further restrict Internet access.
Iranian President Ebrahim Raisi said the attack was designed to make Iranians angry by creating "disorder and disruption," and warned that the attack wasn't "the first or the last."
"There should be serious readiness in the field of cyberwar and related bodies should not allow the enemy to follow their ominous aims to make problems a trend in people’s lives," Raisi was quoted as saying by state media on October 27 in a report in which the president was seen visiting a gas station.
Abolhassan Firouzabadi, the secretary of Iran's Supreme Council of Cyberspace, linked the attack to a July cyberattack on Iran's rail system in which hackers posted fake messages about train delays and cancellations on display boards at stations across the country.
A Telegram post attributed to Predatory Sparrow claiming responsibility for the cyberattacks on gas stations also alluded to the group's involvement in the earlier attack targeting Iran's rail system. The group did not indicate whether it was based inside or outside Iran.
Nevertheless, Firouzabadi said in an interview with state television on October 26 that "this attack was likely conducted by a foreign country." While adding that it was "too early to name the country," he alleged that the unidentified state's goal was "to disrupt" services to the people.
"Unfortunately, we experienced such a widespread disruption in our train system as well," he said, referring to the July incident.
The daily Javan, affiliated with the Islamic Revolutionary Guards Corps (IRGC), said the timing of the incident -- which coincided with the anniversary of the 2019 November protests and the likely resumption of nuclear talks in Vienna aimed at reviving the 2015 nuclear deal -- revealed the "West’s need" to see the situation in Iran as tense. The deal, which former U.S. President Donald Trump exited in 2018, significantly limited Iran’s nuclear activities in exchange for sanctions relief.
Previous Attacks
Iran has faced a number of cyberattacks in past months and years while at the same time facing accusations of orchestrating cyberassaults on its rivals, including Israel and Saudi Arabia.
In April, Iran reported a blackout at its underground Natanz nuclear facility, which Israeli media said was caused by a cyberattack. In August, alleged hackers leaked videos of abuses of prisoners at the country’s most notorious prison.
Last year, Iran’s Shahid Rajaee port was targeted in a cyberattack that The Washington Post and The New York Times reported was conducted by Israeli operatives in retaliation for a failed Iranian cyberassault on a water-distribution system in Israel.
Iran was also targeted about a decade ago by the Stuxnet computer worm, which is widely believed to have been engineered by the United States and Israel to sabotage the country’s nuclear program.