Iran Reduces Internet Access After Israeli Airstrikes, Cyberattacks
The government of Iran appears to have severely restricted internet access in the country following Israel’s week-long campaign of military strikes on its nuclear facilities and infrastructure and a series of cyberattacks by a pro-Israeli hacker group known as Predatory Sparrow.
Several companies that track internet access around the world said that connectivity almost disappeared completely Wednesday, with a spokesperson for Iran’s government, Fatemeh Mohajerani, writing in a post on X (formerly Twitter) that the decision was in response to cyberattacks from Israel.
There were also reports that Apple and Google app stores, as well as messaging apps like WhatsApp and Instagram, were blocked in the country.
NetBlocks wrote on X that its data showed that Iran “is now in the midst of a near-total national internet blackout; the incident follows a series of earlier partial disruptions and comes amid escalating military tensions with Israel after days of back-and-forth missile strikes.”
Information from other vendors, including Cloudflare, IOTA, and Kentik, showed the same sharp drop starting early Wednesday morning. Doug Madory, director of internet analysis at Kentik, wrote on X that “numerous Iranian service providers are now offline in the second national internet blackout in as many days.”
Airstrikes and Cyberattacks
The internet shutdown came on the sixth day of Israeli attacks, with Israeli government officials saying that Iran was getting close to being able to build a nuclear weapon. Iran has been launching missile counterattacks at Tel Aviv and other Israeli cities, and comments this week by President Trump suggest that the United States is considering entering the war to aid Israel.
As was seen in the days and weeks in early 2022, the physical war is being augmented by another war in cyberspace. Predatory Sparrow – which goes by its Farsi name, Gonjeshke Darande, and is thought to be linked to Israeli military intelligence – has claimed responsibility for cyberattacks on an Iranian bank and a cryptocurrency exchange in Iran.
Bank Activity Interrupted
Operations at Bank Sepah were disrupted by an attack Tuesday, with reports saying that Iranian citizens were unable to withdraw money from ATMs belonging to the bank and worries that the problems could find their way to gas stations that use the bank to process payments.
Predatory Sparrow hackers claimed responsibility, saying they “destroyed the data” of the bank, which is state-owned and linked to Iran’s Islamic Revolutionary Guard.
“‘Bank Sepah’ was an institution that circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program,” the hackers wrote on X. “This is what happens to institutions dedicated to maintaining the dictator’s terrorist fantasies.”
Rob Joyce, former cybersecurity director for the U.S. National Security Agency, wrote on X about the hacker group’s previous attacks on steel plants and gas stations in Iran and added that “disrupting the availability of this bank’s funds, or triggering a broader collapse of trust in Iranian banks, could have major impacts there.”
$90 Million in Crypto Disappears
In addition, the group said it was responsible for a hack on the Iranian crypto exchange Nobitex that saw $90 million in crypto syphoned from wallets to hacker addresses, according to blockchain analytics company Elliptic. Nobitex’s website was inaccessible following the attack.
Most of the addresses that the hacked crypto was sent to were vanity addresses, an indication that Predatory Sparrow’s intentions apparently were not financially motivated, Elliptic analysts wrote in a blog post.
“The vanity addresses used by the hackers are generated through ‘brute force’ methods – involving the creation of large numbers of cryptographic key pairs until one contains the desired text,” they wrote. “But creating vanity addresses with text strings as long as those used in this hack is computationally infeasible. This means that Predatory Sparrow would not have the private keys for the crypto addresses they sent the Nobitex funds to, and have effectively burned the funds in order to send Nobitex a political message.”
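The brute-force search the analysts describe, and the reason long strings put it out of reach, can be shown with a short sketch. This is an added example, not code from Elliptic or the original article; the SHA-256 stand-in for address derivation, the 20-character toy address, the "Ab" prefix, and the 1e9 tries-per-second rate are all assumptions made for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_LEN = 20  # toy address length (assumption, not a real chain's format)

def toy_address(secret: bytes) -> str:
    """Stand-in for key pair -> address derivation: hash the secret and render
    it as ADDR_LEN Base58 characters. A real derivation costs more per try,
    but the search loop around it has the same shape."""
    n = int.from_bytes(hashlib.sha256(secret).digest(), "big") % 58 ** ADDR_LEN
    chars = []
    for _ in range(ADDR_LEN):
        n, r = divmod(n, 58)
        chars.append(B58[r])
    return "".join(reversed(chars))

def find_vanity(prefix: str, seed: bytes, max_tries: int = 200_000):
    """Try candidate secrets until an address starts with `prefix`.
    Returns (secret, address, tries), or None if the budget runs out."""
    if any(c not in B58 for c in prefix):
        raise ValueError("prefix contains non-Base58 characters")
    for i in range(1, max_tries + 1):
        # Counter-derived secrets keep the demo deterministic; a real
        # generator would draw each key at random.
        secret = seed + i.to_bytes(8, "big")
        addr = toy_address(secret)
        if addr.startswith(prefix):
            return secret, addr, i
    return None

def expected_tries(length: int) -> int:
    """Each Base58 character matches with probability 1/58, so a chosen
    string of `length` characters needs about 58**length tries on average."""
    return 58 ** length

def years_to_find(length: int, tries_per_second: float) -> float:
    """Expected search time in years at an assumed attempt rate."""
    return expected_tries(length) / tries_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    secret, addr, tries = find_vanity("Ab", seed=b"constructed-demo-seed")
    print(f"2-char prefix found after {tries} tries: {addr}")
    for k in (4, 8, 12, 20):
        print(f"{k:2d} chars: {years_to_find(k, 1e9):.3g} years at 1e9 tries/s")
```

A match is useful to its finder only because the search also yields the secret behind the address; an address written out with long chosen text and no search behind it has no known key, which is the basis for the analysts' conclusion that the funds were burned.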
The Elliptic analysts noted that Nobitex, which has been sanctioned by authorities in the United States, Canada, and other countries, has claimed as many as 7 million users and that they have seen it being used by operatives of the Islamic Revolutionary Guard Corps that have been identified as running ransomware operations and targeting critical infrastructure.
Exchange’s Ties to Government
In another X post, Predatory Sparrow wrote that Nobitex “doesn’t even pretend to abide by sanctions. In fact, it publicly instructs users on how to use its infrastructure to bypass sanctions.” They noted that the Iranian regime’s “dependence on Nobitex is evident from the fact that working at Nobitex is considered valid military service, as it is considered vital to the regime’s efforts.”
“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the hackers wrote. “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”
However, Israeli entities aren’t the only ones fighting this cyberwar. The Jerusalem Post reported this week that cybersecurity firm Radware said there had been a 700% increase in cyberattacks targeting Israeli infrastructure when compared with the day before Israel began its airstrikes on June 13.
The news operation quoted Ron Meyran, vice president of cyber threat intelligence at Tel Aviv-based Radware, as saying that the “700% surge in malicious activity within just two days stems from cyber retaliation operations by Iranian state actors and pro-Iranian hacker groups, including DDoS [distributed denial-of-service] attacks, infiltration attempts targeting critical infrastructure, data theft, and malware distribution campaigns.”