A cyber attack in Iran left petrol stations across the country crippled, disrupting fuel sales and defacing electronic billboards to display messages challenging the regime’s ability to distribute gasoline.
Posts and videos circulated on social media showed messages that said, “Khamenei! Where is our gas?” — a reference to the country’s supreme leader Ayatollah Ali Khamenei. Other signs read, “Free gas in Jamaran gas station,” with gas pumps showing the words “cyberattack 64411” when attempting to purchase fuel, semi-official Iranian Students’ News Agency (ISNA) news agency reported.
Abolhassan Firouzabadi, the head of Iran’s Supreme Cyberspace Council, said the attacks were “probably” state-sponsored but added it was too early to determine which country carried out the intrusions.
Although no country or group has so far claimed responsibility for the incident, the attacks mark the second time digital billboards have been altered to display similar messaging.
In July 2021, Iranian Railways and the Ministry of Roads and Urban Development systems became the subject of targeted cyber attacks, displaying alerts about train delays and cancellations and urging passengers to call the phone number 64411 for further information. It’s worth noting that the phone number belongs to the office of Ali Khamenei that supposedly handles questions about Islamic law.
The attacks involved the use of a never-before-seen reusable data-wiping malware called “Meteor.”
Cybersecurity firm Check Point later attributed the train attack to a “regime opposition” threat actor that self-identifies as “Indra” — referring to the Hindu god of lightning, thunder, and war — and is believed to have ties to hacktivist and other cybercriminal groups, in addition to linking the malware to prior attacks targeting Syrian petroleum companies in early 2020.
“While most attacks against a nation’s sensitive networks are indeed the work of other governments, the truth is that there is no magic shield that prevents a non-state sponsored entity from creating the same kind of havoc, and harming critical infrastructure in order to make a statement,” Check Point noted in July.