
Disruption of Country’s Biggest Bank Comes as Israel-Iran War Intensifies
A pro-Israel hacking group claims to have disrupted a major Iranian bank as hostilities between the two countries raged into their fifth day.
The hacking group Gonjeshke Darande – Persian for Predatory Sparrow – said in a Tuesday morning post to social network X that it “conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ Bank Sepah,” working in tandem with Iranian nationals.
The claim couldn’t be verified – but the website for government-owned Bank Sepah, based in Tehran, remained inaccessible Tuesday afternoon. Private Iranian news agency Fararu reported the bank confirmed that its infrastructure was disrupted Tuesday by a cyberattack, leading to bank services being offline, and some gas stations that rely on the bank’s infrastructure being unable to accept payments.
The bank, Iran’s largest, runs 1,800 domestic branches, and also has branches in Frankfurt, Paris and Rome, as well as a London-based subsidiary, Bank Sepah International.
Multiple residents of Iran reported being unable to withdraw money from the bank’s ATMs, Israeli media reported.
News of the disruption comes as the days-long conflict between Jerusalem and Tehran escalates, with both countries targeting the other with missiles and drones, leading to hundreds of people being killed and thousands injured (see: Israeli Strikes Raise Fears of Cyberattacks and Retaliation).
Predatory Sparrow in its post said “Bank Sepah was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.” The group also thanked “the brave Iranians whose help made this operation.”
Unsubstantiated claims by hacktivist groups are common during regional conflicts, including in the Middle East. But the bank disruption – and Predatory Sparrow quickly taking credit for the outage – shows that “despite appearances, this actor is not all bluster,” said John Hultquist, chief analyst at Google Threat Intelligence Group, in a post to social network Bluesky.
Predatory Sparrow is tied to a number of previous disruptions in Iran, including a June 2022 attack on three state-owned foundries, which appears to have started a fire in at least one of them. The group also claimed credit for various attacks that disrupted Iran’s fuel supply and rail system.
Security experts have not attributed the group’s activities to any given country. The group’s name may be a tongue-in-cheek riff on Charming Kitten, which is one of the codenames – others include APT35, Phosphorus and Mint Sandstorm – used to track a specific Iranian military nation-state hacking group (see: Predatory Sparrow’s Hacks: There’s Smoke, There’s Fire).
“We don’t have the definitive evidence of who’s sponsoring their activity and interestingly, Iran has made multiple different sorts of accusations about attribution,” Hultquist told reporters last year. The group is clearly antagonistic toward Tehran, appears to be well-funded and appears to limit the impact of its few attacks to date, which suggests that “legal constraints” might govern its operations.
OFAC Sanctions
Accusations voiced by Predatory Sparrow against Bank Sepah are already well-documented. The United States imposed sanctions on the bank in 2007. At the time, the Department of the Treasury’s Office of Foreign Assets Control described Bank Sepah as being the “bank of choice” for the Aerospace Industries Organization, a subsidiary of Iran’s Ministry of Defense.
The bank “provided a variety of critical financial services to Iran’s missile industry,” including serving as a “financial conduit” to facilitate “Iran’s international purchases of sensitive material for its missile program,” OFAC said.
The U.S. lifted the sanctions in January 2016 as part of a multinational deal to limit Iran’s development of nuclear weapons, signed by President Barack Obama the year before. President Donald Trump in 2018 announced the U.S. withdrawal from the plan, and OFAC reimposed sanctions, which came into full effect in November 2018.
At the time, OFAC accused the Iranian regime of using the bank as part of its effort “to fund its destabilizing activities,” including “the Iranian regime’s support to international terrorism, proliferation of weapons of mass destruction or their means of delivery, and human rights abuses.” In addition, it said that Iran’s Ministry of Defense and Armed Forces Logistics used the bank to pay its agents abroad, in support of the country’s effort to acquire WMD technology as well as “destabilizing numbers and types of conventional weapons.”
Codebreakers’ Claimed Hack and Leak
This isn’t Bank Sepah’s first brush with hackers. In March, a hacking group calling itself “Codebreakers” threatened to release 12 terabytes of data, including 42 million bank records, unless the bank paid a ransom worth $42 million in Bitcoin, reported media outlet Independent Persian. The stolen data allegedly included customers’ names, account numbers, passwords, home addresses, mobile phone numbers and more, and also included details tied to military personnel.
The bank’s head of public relations, Reza Hamedanchi, rejected the hacking group’s claim, saying it was “fundamentally false and no hacking or infiltration has taken place in the bank,” reported Iranian news agency Tabnak.
In response, the Codebreakers group on its Telegram channel leaked Hamedanchi’s personal details, including his bank account balance, alongside details pertaining to 20,000 individuals, including high-profile – and wealthy – civilian and military customers.
The group said the bank refused to meet its ransom demand.
The hacking group’s decision to trumpet the data leak in Persian and then English-language posts to Instagram and WhatsApp suggested the operation was designed “to generate public attention primarily within Iran,” as part of what appeared to be more of a psychological operation than a financially driven attack, reported the Cyfluence Research Center.