Full Report
After an attack on Iran's Sepah bank, the hyper-aggressive Israel-linked hacker group has now destroyed more than $90 million held at Iranian crypto exchange Nobitex.
Analysis Summary
# Threat Actor: Predatory Sparrow
## Attribution & Identity
- **Identification:** Israel-linked hacker group.
- **Aliases:** Gonjeshke Darande (Farsi name, used to appear as a homegrown hacktivist organization).
## Activity Summary
The group is characterized as hyper-aggressive and is reportedly engaged in cyberwarfare specifically targeting Iran's financial system amidst rising tensions. Recent activities include:
1. Targeting the Iranian crypto exchange **Nobitex**, resulting in the destruction of over $90 million in holdings (a destructive action rather than theft).
2. Targeting **Iran's Sepah bank**, claiming to have destroyed "all" the bank's data in retaliation for its associations with the Islamic Revolutionary Guard Corps (IRGC).
## Tactics, Techniques & Procedures
- **Destruction of Data/Assets:** Engaging in the permanent destruction of digital assets and data rather than traditional theft. They destroyed over $90 million at Nobitex and claimed to have destroyed "all" data at Sepah Bank.
- **Information Disclosure:** Posting evidence (e.g., documents showing agreements between Sepah Bank and the Iranian military) to support their narrative and justification.
- **Public Communication:** Claiming responsibility and issuing warnings via their X account.
- **Historical TTPs:** Previously responsible for highly disruptive attacks in Iran, including disabling thousands of gas station payment systems twice and causing a fire at a steel mill.
## Targeting
- **Sectors:** Financial services (crypto exchange, banking) and critical infrastructure (gas station payment systems and a steel mill, in historical attacks).
- **Geography:** Iran.
- **Victims:** Iranian crypto exchange Nobitex; Iran's Sepah bank.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed in the provided text.
- **Infrastructure (C2, domains, IPs):** The group's **X account** was used to publish claims and threats. No C2 domains or IP addresses are listed in the source text, so none are reproduced here.
## Implications
Predatory Sparrow demonstrates a capacity and intent for highly destructive, state-aligned cyber operations aimed at severely damaging Iran's economic infrastructure and its ability to circumvent sanctions. Their focus on financial systems signals an escalation in kinetic/cyber conflict dynamics, aiming for economic sabotage over espionage.
## Mitigations
- Harden financial and crypto infrastructure against destructive attacks.
- Review and segment financial data storage, ensuring robust, off-network backups to recover from potential data destruction scenarios.
- Organizations dealing with Iranian entities (such as Sepah Bank or Nobitex) should anticipate potential exposure or targeting due to perceived ties to sanctions evasion or military financing.