
Predatory Sparrow: cyber sabotage with a conscience?

An understudied ‘hacktivist’ group conducts cyberattacks against Iran that clearly violate international norms – but claims to demonstrate ethical restraint
Image created using DALL-E 2 and Chat GPT-4o

Iran’s critical infrastructure has faced devastating cyberattacks in recent years, wreaking havoc on railway timetables and shutting down petrol stations. Behind these high-profile cyberattacks is a group known as Predatory Sparrow.

Predatory Sparrow’s origins and identity are uncertain. The group claims it is a hacktivist force, defending Iran’s citizens against the ‘aggression of the Islamic Republic’ through targeted cyber operations. Yet its tactics are anything but grassroots, suggesting a level of coordination, skill, and resources uncommon among independent activist groups. While some have suggested that the group may be linked to Israel, there is no conclusive evidence in the public domain. 

Predatory Sparrow’s track record

Since mid-2021, Predatory Sparrow has been targeting Iran’s critical infrastructure. Each incident appears to be chosen to maximise visibility and embarrassment for the Iranian regime.

The first major attack, in July 2021, targeted Iran’s Ministry of Roads and Urban Development. Using a customisable wiper malware later dubbed ‘Meteor’, Predatory Sparrow disrupted train schedules, causing chaos in stations as commuters faced unannounced delays and cancellations. Station information boards and affected computers displayed the number ‘64411’ – the telephone number of Supreme Leader Ayatollah Ali Khamenei’s office – inviting frustrated passengers to direct their complaints there: a symbolic jab at the heart of the regime.

In October 2021, Predatory Sparrow launched another attack, this time against Iran’s network of petrol stations. The operation temporarily disabled the state-subsidised fuel smart cards, leaving drivers stranded in long queues, unable to buy discounted fuel. Pumps again displayed the number ‘64411’, underscoring the group’s intent to maximise disruption and to aim public dissatisfaction at Khamenei.

Predatory Sparrow struck again in January 2022, this time with a 10-second interruption to Iran’s state-run television network. The inserted clip called for the death of the Supreme Leader and displayed images of the leaders of the Mujahedin-e Khalq (MEK), a longstanding anti-regime group. This bold move demonstrated access to state broadcasting systems and gave airtime to one of the regime’s main opponents.

Perhaps their most audacious attack occurred in June 2022, when Predatory Sparrow reportedly caused a failure in a steel plant in the province of Khuzestan, in southwest Iran. This cyber operation is significant for its physical impact: reports suggest that machinery in the facility malfunctioned, endangering workers on site. 

Most recently, in December 2023, Predatory Sparrow again disrupted Iran’s fuel distribution system, reportedly affecting nearly 70% of the country’s petrol stations. This second attack on the fuel network solidified the group’s focus on targeting infrastructure central to the daily lives of Iranians.

Murky origins

Predatory Sparrow presents itself as a retaliatory hacktivist group, striking back against the ‘aggression of the Islamic Republic’. It maintains a strong online presence, with an account on X (formerly Twitter) under its Persian name, Gonjeshke Darande, and a regularly updated Telegram channel. Predatory Sparrow’s actions are frequently picked up by international media, especially Israeli outlets and Iranian opposition channels like Iran International.

Yet the group’s methods and choice of targets paint a more complex picture. Hacktivist groups typically engage in online protests or data breaches to further social or political agendas, but Predatory Sparrow uses customised ‘wiper’ malware (which deletes or overwrites data on target devices and networks, rendering them unusable) and targets physical infrastructure in ways more typical of state-sponsored groups. Other prolific hacktivist groups targeting Iran, such as Edalat-e Ali – so far not linked to Predatory Sparrow – have stuck to more traditional hack-and-leak operations, albeit against high-profile targets ranging from the judiciary to maximum-security prisons.

Predatory Sparrow’s operations show technical proficiency beyond that of a typical hacktivist group, indicative of advanced training and resources. This assessment has led to suggestions that Predatory Sparrow may only be ‘maintaining the veneer’ of a hacktivist group, acting instead as a proxy for a state. Its strategic target selection and precise internal coordination also suggest a calculated approach akin to government hacking groups, not independent hacktivists.

Predatory Sparrow’s use of wiper malware mirrors Iran’s own techniques. Iranian wiper attacks have long caused havoc in neighbouring states – and occasionally in the US – and were themselves developed after a wiper widely attributed to the US, and linked to the ‘Flame’ malware, hit Iranian oil-ministry systems in 2012.

Finally, there are some indications that Iran views the MEK as connected to Predatory Sparrow. In July 2022, Iran is thought to have launched a wiper attack on the government of Albania, where the MEK is based. The attack was accompanied by a picture of an eagle swooping down on Predatory Sparrow’s distinctive cartoonish logo, set inside a Star of David. As this cyberattack was widely read as retaliation for Albania’s hosting of the MEK, the image brings Predatory Sparrow – and Israel – into the frame, although we should be careful about inferring too much from such breadcrumbs.

Ethical constraints on cyber operations?

Predatory Sparrow publicly upholds an ethical stance, asserting that its operations are carefully conducted to avoid harm to ‘innocent individuals.’

However, this moral framing sits uneasily with the group’s choice of targets and their real-world impact. The steel plant incident in June 2022, for example, pushed the boundaries of hacktivism into the realm of cyber-physical sabotage. CCTV footage released by the group showed machinery malfunctioning and spewing fire and molten steel, with two workers narrowly escaping harm.

In justifying its actions, Predatory Sparrow portrayed the attack as a strike against companies that flout international sanctions. The group also said that the attack was timed for the early morning (5:15 am) to minimise the risk to staff: Iran does not have enough energy to keep steel plants running constantly, so they operate at reduced capacity during off-peak hours. Notably, Predatory Sparrow claimed it could have caused more severe damage but chose not to, for ethical reasons.

It is useful to briefly contrast Predatory Sparrow’s approach to restraint with that of the most (in)famous cyberattack targeting Iran: Stuxnet. Although the Stuxnet worm spread far beyond its target, its destructive payload was designed to trigger only on the specific industrial-controller configuration used in Iran’s uranium enrichment facilities, leading some observers to suggest the code had undergone extensive legal review and therefore exemplified ‘responsible’ cyber operations. Predatory Sparrow’s account of its decision-making points to similar concerns about precision, although the credibility of its self-reported ethics is limited.

New questions of strategy and ethics

The understudied actions of Predatory Sparrow therefore raise two main questions – and research avenues – for the cybersecurity community. 

First, how much political change can cyber-physical disruption truly generate in authoritarian regimes? Can Predatory Sparrow fulfil its apparent aim of undermining the government? In more open, democratic states, major incidents generate severe political pressure – think of former US President Barack Obama’s response to the Sony Pictures hack, or the UK’s response to the WannaCry ransomware attack. However, we have little sense of how these pressures translate to authoritarian countries like Iran. Undemocratic states have much greater control over the information environment, an extensive repressive apparatus, and little or no incentive to encourage accurate reporting of the impact of a cyber incident.

Second, how do concepts of responsibility and ethics apply to offensive cyber operations? Debates about responsible cyber operations typically contrast two stereotypical positions. The first, exemplified by Stuxnet, involves state legal and technical authorities thoroughly reviewing ‘by-the-book’ operations. The second, exemplified by the 2017 NotPetya attack (wiper malware disguised as ransomware, which spread to organisations around the world), involves state actors or proxies (such as cybercriminal groups and hacktivists) conducting ‘reckless’ operations with little concern for legal niceties. Predatory Sparrow fits neither mould, blending hacktivist recklessness with a measured concern for collateral damage and proportionality.

Overall, despite its professed ethical restraint, Predatory Sparrow’s operations clearly violate the peacetime norms for cyber operations developed over decades and agreed in various UN forums. Of course, Iran is hardly at peace, and Predatory Sparrow’s operations must be seen in the context of growing regional conflict. They also occurred alongside the 2022 Mahsa Amini protests and the violent repression that followed. Deeper analysis of this group would help us understand the potential for cyber operations to widen existing fissures of frustration and anger in authoritarian regimes, as well as how far such operations are subject to ethical or strategic constraints.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 CET, through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th–5th Places: €1,000 each. The winner will also be invited to attend the Munich Security Conference.

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers may use the author’s name (or pseudonym) and an image of the author in association with the essay for purposes of publicity, promotion and any other activity related to the exercise of their rights under these Terms.

The organizers may remove any essay-related content from their platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on their platforms and associated social media accounts, including in connection with the display of the essay. The organizers may also use the Material to promote their products and services.

The organizers may, at their sole discretion, categorise Material, whether by ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.