A cyberattack has seriously destabilized fuel distribution at Iranian gas stations, Oil Minister Javad Owji announced on state television on Monday, December 18. This disruption would have affected at least 60% of the country’s stations, while the minister claimed, according to the Reuters news agency, that 1,650 stations – out of the 3,800 supervised by the ministry – were able to operate normally . On Monday in Tehran, the capital, several gas stations were closed, cars were lined up in front of each other and police units were stationed at their entrances, noted a journalist from Agence France-Presse (AFP).
“We had a problem with the card readers,” said Deputy Oil Minister Jalil Salari. In Iran, motorists can obtain a digital card issued by the authorities allowing them to benefit from a subsidized monthly gasoline quota. Gas stations have disconnected the system and fuel “is now supplied offline,” Salari said.
A strange group of “hacktivists”
Although few technical details emerged, the Iranian authorities quickly accused Israel of being behind these events, with the oil minister denouncing a “conspiracy” and accusing “the United States and the Zionist enemy [Israel]”, including the goal would be to “make people suffer.” Iranian President Ebrahim Raïssi called for an investigation and “immediate measures” to resolve the situation.
The attack was claimed by an actor known under the pseudonym Gonjeshke Darande, the Persian name for “Predatory Sparrow”, officially presenting itself as a group of hacktivists – a contraction of the words “hacker” and “activists “. “We carried out a new cyberattack today, knocking out a majority of gas stations in Iran,” the group announced on Telegram messaging, adding that this offensive was “a response to aggression by the Islamic Republic and its proxies In the region “.
Iran and Israel are regularly suspected of attacking each other by disguising their operations behind pseudo-groups of independent and politically motivated pirates. In the case of Gonjeshke Darande, the sophistication of the attacks, the preparation time required, and the targeting of victims suggest that the group may be affiliated or connected to a state actor.
Moreover, this is not his first success. Active since 2021, Gonjeshke Darande still targets Iranian entities, signing its demands in Persian and English. He thus claimed to be behind an attack which targeted, in the summer of 2021, railway infrastructure as well as an Iranian ministry, an operation initially attributed to a group called Indra by the company Checkpoint, which then estimated that the latter was not was probably not linked to a state.
Also in 2021, recalls the BBC, the group claimed responsibility for an attack targeting, again, the payment system of Iranian gas stations. As during the operation carried out on Monday, the group then claimed to have warned the Iranian emergency services in advance to limit the risks to human lives. This attack caused a general outage of gas stations for a week. On an unprecedented scale, it caused the highest Iranian authorities to react and led to traffic jams on the main arteries of Tehran and long lines in front of gas stations. Another high-profile campaign: during the summer of 2022, Gonjeshke Darande claimed to have attacked several factories in the Iranian steel industry, even specifying that he had caused the start of fires.
If the Israeli authorities deny any involvement in these operations, the country’s military intelligence is strongly suspected of being behind Gonjeshke Darande. According to the New York Times, the first attack targeting gas stations, in 2021, was linked to Israel by American authorities.