Full Report
A pro-Iran hacking group detailed an attack manipulating agricultural sector control systems in an incident the Jordanian government said was aimed at destroying a strategic wheat stockpile. A Sunday post on a newly created Telegram channel attributed to APT IRAN, which was promoted by the Cyber Islamic Resistance Telegram channel, said that “we infiltrated Jordan’s…
Analysis Summary
# Incident Report: Attempted Manipulation of Jordanian Strategic Wheat Silos
## Executive Summary
A pro-Iran threat actor identified as APT IRAN (linked to CyberAv3ngers) targeted the Jordan Silos and Supply General Company in an attempt to destroy the nation's strategic wheat reserve. The attackers manipulated Industrial Control Systems (ICS) to alter storage temperatures and cut power to the cooling systems, while also tampering with weighing software to cause financial disruption. Despite the threat actor's claims that the mission was successful, the Jordanian National Cybersecurity Center (NCSC) asserts the attack was thwarted immediately with no impact on the stockpile.
## Incident Details
- **Discovery Date:** Approximately March 2, 2026 (Public announcement following Telegram posts)
- **Incident Date:** Infiltration reportedly began early February 2026; disruptive actions claimed on March 1, 2026.
- **Affected Organization:** Jordan Silos and Supply General Company
- **Sector:** Agricultural / Critical Infrastructure
- **Geography:** Jordan (specifically Irbid silos)
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately early February 2026 (one month prior to the public claim).
- **Vector:** Targeted Spear-Phishing.
- **Details:** A phishing email was sent to an employee in the administrative department, allowing the attackers to establish a foothold in the corporate network.
### Lateral Movement
- **Techniques:** Following the initial breach, the threat actor performed internal network scanning to find a path from the administrative (IT) systems into Operational Technology (OT).
- **Targets:** Access was gained to the Silo Control System (SCADA), the weighing and scales software, and the solar power plant management systems.
### Data Exfiltration/Impact
- **Operational Impact:** Attackers claimed to have increased silo temperatures to "rot" 750,000 tons of wheat and disabled solar plant inverters to kill emergency power for cooling systems.
- **Integrity Impact:** Tampered with weighing software to record 10% less weight, intending to cause farmer protests and financial loss.
- **Information Disclosure:** Screenshots of industrial gauges and internal system readings were posted to Telegram as "proof" of the breach.
### Detection & Response
- **Discovery:** Detected via "round-the-clock monitoring" by the Jordanian National Cybersecurity Center (NCSC).
- **Response Actions:** The NCSC claims the attack was "countered immediately," preventing the intended environmental changes from taking effect.
## Attack Methodology
- **Initial Access:** Targeted Spear-Phishing.
- **Persistence:** Infiltration maintained for approximately one month prior to the "noise" phase of the attack.
- **Discovery:** Internal network scanning to identify ICS/SCADA assets and auxiliary systems (Solar power).
- **Lateral Movement:** Pivot from administrative (IT) network to the industrial control (OT) network.
- **Impact:**
  - **T1496 (Resource Hijacking):** Disabling solar inverters.
  - **T0855 (Loss of Control):** Manipulation of temperature/humidity setpoints.
  - **T0821 (Modify Parameter):** Intentional falsification of weighing scale data.
## Impact Assessment
- **Financial:** Potential major loss for the company and farmers due to weight manipulation; potential loss of a strategic reserve valued at months of national consumption.
- **Data Breach:** Exposure of industrial configuration data and internal gauge readings.
- **Operational:** Threat actors intended to force a transition to limited diesel generator power; Jordanian officials claim zero operational impact due to successful defense.
- **Reputational:** High-profile attempt to demonstrate that Jordan's critical infrastructure could be "brought to its knees."
## Indicators of Compromise
- **Network:** Communication with Telegram channels attributed to "APT IRAN" and "Cyber Islamic Resistance."
- **Behavioral:**
  - Unusual administrative workstation traffic to ICS/SCADA networks.
  - Unauthorized setpoint changes in silo environmental controls.
  - Remote disabling of solar plant inverters during peak or standard hours.
  - Discrepancies between physical wheat weights and weighing software logs.
## Response Actions
- **Containment:** NCSC alerted national institutions to elevate readiness levels.
- **Eradication:** Countermeasures deployed to block Iranian-attributed IPs and secure silo management interfaces.
- **Recovery:** Restoration of weighing software integrity and silo temperature stabilization.
## Lessons Learned
- **IT/OT Convergence Risks:** A breach in an administrative department (IT) allowed for a pivot into critical silo controls (OT).
- **Early Warning Benefits:** The NCSC had previously issued warnings to elevate readiness, which likely contributed to the "immediate" thwarting of the attack.
- **Propaganda vs. Reality:** Threat actors used Telegram to exaggerate the success of the mission (claiming wheat would rot in 45 days) to cause public panic, despite government reports of successful containment.
## Recommendations
- **Network Segmentation:** Implement strict "Air Gap" or unidirectional gateways between administrative networks and industrial control systems.
- **Phishing Defense:** Enhanced email security filtering and periodic SAT (Security Awareness Training) for administrative staff.
- **Multi-Factor Authentication (MFA):** Enforce MFA for all access points, especially those bridging IT and OT environments.
- **Integrity Monitoring:** Implement automated alerts for any modification to SCADA setpoints or weighing software logic.
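As an added example (not part of the original report), the following Python detector applies the behavioral indicators and the integrity-monitoring recommendation above to constructed silo SCADA setpoint-change and weighbridge logs; the log formats, host names, tag names and thresholds are assumptions.

```python
from dataclasses import dataclass
# Constructed sample of SCADA setpoint-change events (assumed format):
# timestamp  source-host  tag  old-value  new-value
SETPOINT_LOG = """\
2026-03-01T02:11:05Z hmi-01 SILO07.TEMP_SP 12.0 13.0
2026-03-01T02:14:40Z ADM-WS-17 SILO07.TEMP_SP 13.0 38.0
2026-03-01T02:15:02Z ADM-WS-17 SOLAR.INV02.ENABLE 1 0
2026-03-01T06:00:00Z hmi-02 SILO03.HUM_SP 55.0 56.0
"""
# Constructed sample of weighbridge tickets: truck, physical scale kg, software-recorded kg
WEIGH_LOG = """\
TRK-1041 32400 32400
TRK-1042 28900 26010
TRK-1043 30150 30150
TRK-1044 31000 27900
"""
AUTHORIZED_HOSTS = {"hmi-01", "hmi-02"}  # HMI/engineering hosts allowed to write setpoints (assumed)
TEMP_BAND = (8.0, 18.0)                  # assumed safe storage temperature band, deg C
WEIGHT_TOLERANCE = 0.005                 # assumed 0.5% scale tolerance

@dataclass
class Alert:
    rule: str
    detail: str

def check_setpoints(log: str) -> list[Alert]:
    """Flag setpoint writes from non-OT hosts, out-of-band temperatures and inverter shutdowns."""
    alerts = []
    for line in log.splitlines():
        ts, host, tag, old, new = line.split()
        new = float(new)
        if host not in AUTHORIZED_HOSTS:  # IT workstation writing to OT tags
            alerts.append(Alert("unauthorized_source", f"{ts} {host} wrote {tag} {old}->{new}"))
        if tag.endswith("TEMP_SP") and not TEMP_BAND[0] <= new <= TEMP_BAND[1]:
            alerts.append(Alert("setpoint_out_of_band", f"{ts} {tag} set to {new}"))
        if ".INV" in tag and tag.endswith(".ENABLE") and new == 0:
            alerts.append(Alert("inverter_disabled", f"{ts} {tag} disabled by {host}"))
    return alerts

def check_weights(log: str) -> list[Alert]:
    """Flag tickets where the software-recorded weight is short of the physical scale reading."""
    alerts = []
    for line in log.splitlines():
        truck, physical, recorded = line.split()
        physical, recorded = float(physical), float(recorded)
        if physical - recorded > WEIGHT_TOLERANCE * physical:
            pct = 100 * (physical - recorded) / physical
            alerts.append(Alert("weight_discrepancy", f"{truck} recorded {pct:.1f}% under scale"))
    return alerts
```

In a real deployment the two checks would run over the historian and weighbridge exports on a schedule, with the authorized-host set and tolerance taken from the site's engineering baseline.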