The group claiming responsibility for cyberattacks on multiple Iranian steel facilities last month posted on Thursday what it called a cache of nearly 20 gigabytes of data containing corporate documents that reveal the facilities’ affiliation with Iran’s powerful Islamic Revolutionary Guard Corps.
In a series of tweets in both English and Persian, the group — which calls itself Gonjeshke Darande or Predatory Sparrow — said the 19.76 gigabyte cache was just the “first part” of what would be released. The group also posted an image of what appears to be the inside of a steel facility.
CyberScoop has not independently verified the contents of the document release.
When the group initially claimed the June 27 attack, it posted a video that appeared to show damage to equipment at the state-owned Khouzestan Steel Company, one of Iran’s primary steel production facilities. Initial reports suggested the attack disrupted operations at the plant, but the company and the Iranian government denied that it had any major effect.
In the video the group included a message that explained that the companies “are subject to international sanctions and continue their operations despite the restrictions.” The attacks, the group added, were “being carried out carefully so to protect innocent individuals” and are “in response to the aggression of the Islamic Republic.”
Gonjeshke Darande is just one of several names the group uses, including Indra. The shadowy outfit claims to be independent, but some speculation has suggested it could be the work of the Israeli government, given the access needed to carry out the attacks, the sophisticated nature of the operation and the messaging during and after the apparent hacks.
Israeli Defense Minister Benny Gantz ordered an investigation into recent media leaks that “hinted” that an Israeli military intelligence unit was responsible for the attack on the steel facilities, the Times of Israel reported.
The Israeli Ministry of Defense did not immediately respond to a request for comment.
The group has claimed other digital assaults on key Iranian targets, such as the October 2021 attack that hobbled Iranian state-controlled gasoline distribution and one in August 2021 that hit the Iranian railway system.
In both cases, the group displayed messages — either on the gas pumps or on the displays for train schedules — with the office number of Iran’s supreme leader, Ayatollah Ali Khamenei, which some threat intelligence experts interpreted as trolling.