A recent cyberattack in Iran has severely disrupted operations at petrol stations nationwide, leading to significant fuel supply issues and causing electronic billboards to broadcast messages that criticize the government’s management of gasoline distribution.

Social media platforms have seen a surge of posts and videos depicting messages such as “Khamenei! Where is our gas?”—a direct challenge to Ayatollah Ali Khamenei, Iran’s supreme leader. Additionally, some screens allegedly declared “Free gas at Jamaran gas station,” with gas pumps displaying the phrase “cyberattack 64411” when users attempted to fuel their vehicles, as reported by the semi-official Iranian Students’ News Agency (ISNA).

Abolhassan Firouzabadi, the head of Iran’s Supreme Cyberspace Council, indicated that the attack is likely state-sponsored but acknowledged that confirming the perpetrator’s identity requires further investigation. As of now, no country or group has publicly accepted responsibility for the attacks.

This incident is notably the second case in which digital billboards in Iran were manipulated to convey similar messages. Previous attacks in July 2021 targeted systems affiliated with Iranian Railways and the Ministry of Roads and Urban Development, which displayed notifications regarding train delays and cancellations while urging travelers to call 64411 for more information—a number associated with Khamenei’s office that addresses inquiries about Islamic law.

These cyber incidents appear to be linked to sophisticated use of malware, specifically a data-wiping variant known as “Meteor,” which had not been seen before in such attacks. Check Point later attributed the rail system disruption to a group of threat actors identified as “Indra,” suggesting affiliations with hacktivist and cybercriminal sectors.

The group’s activity aims to counter the operations of the Quds Force, alongside its regional proxies. While many attacks of this nature typically involve state-sponsored hacks, Check Point emphasizes that non-state actors can also generate significant disruptions to critical infrastructure.

The MITRE ATT&CK framework offers a clearer way to describe the tactics potentially employed during the attack. The attackers may have gained initial access, then used privilege escalation techniques and possibly lateral movement within affected networks to achieve the objective of disrupting fuel distribution and public sentiment.

The ongoing scrutiny of cybersecurity threats is pivotal for business owners, particularly as incidents such as this serve as sobering reminders of the vulnerabilities in critical infrastructure. As digital threats continue to evolve, staying informed about the tactics used by adversaries will be essential in formulating robust defenses.
