A group tracked as Predatory Sparrow said it was responsible for hacking Bank Sepah as the conflict between Israel and Iran intensified.
# Threat Actor: Predatory Sparrow (Gonjeshke Darande)
## Attribution & Identity
* **Identification:** Hacking group widely believed to be linked to Israeli military intelligence.
* **Known Aliases:** Gonjeshke Darande (Persian name).
* **Associated Groups:** None named specifically; the source places the activity within the heightened cyber activity surrounding the Israel-Iran conflict, with other state-linked actors operating concurrently.
## Activity Summary
Predatory Sparrow claimed responsibility for a cyberattack targeting **Bank Sepah** in Iran.
* The attack allegedly disrupted customer services, including account access, withdrawals, and card payments, potentially affecting transactions at Iranian gas stations relying on the bank.
* The group stated the action was retaliation for the bank's alleged role in financing Iran's military and nuclear programs.
* The attack followed Israeli airstrikes on Iranian facilities, suggesting reactive, tit-for-tat operations within the escalating conflict.
* The group has previously claimed responsibility for high-profile cyberattacks on Iran's state-owned steel company, gas stations, and fuel distribution systems.
## Tactics, Techniques & Procedures
* **Core TTP:** Disrupting critical national infrastructure and financial services through cyberattacks.
* The group claimed to have "destroyed the bank’s infrastructure."
* No specific MITRE ATT&CK IDs were mentioned in the provided text.
## Targeting
* **Sectors:** Financial Sector (Banks), Energy/Fuel Distribution, Heavy Industry (Steel).
* **Geography:** Iran.
* **Victims:** Bank Sepah (current); Iran's state-owned steel company and gas station/fuel distribution systems (previous claims).
## Tools & Infrastructure
* **Malware families used:** Not specified in the article.
* **Infrastructure (C2, domains, IPs):** The group issued a statement on X (x.com/GonjeshkeDarand/status/1934883811327705166); this is a public communications channel, not attack infrastructure, and no C2 infrastructure was detailed.
## Implications
The conflict between Iran and Israel has demonstrably expanded into the cyber domain, with state-linked groups like Predatory Sparrow executing destructive or disruptive attacks against national infrastructure (financial and energy sectors). The attacks demonstrate a capability and intent to inflict tangible economic and public service disruption as part of geopolitical maneuvering.
## Mitigations
* Implement robust segmentation and resilience measures across critical financial infrastructure, particularly the transaction-processing systems on which dependent services (such as the gas station payments mentioned above) rely.
* Enhance threat monitoring for indicators associated with the group's previous attacks on the Iranian energy and industrial sectors, since it has demonstrated a pattern of targeting infrastructure that supports the state.
* Maintain heightened vigilance during periods of elevated geopolitical tension.