Who are the hackers who say they started a fire in Iran?

The steel factory moments before the fire

The steel factory shortly before the fire

It’s extremely rare for hackers, who operate in the digital world, to cause damage in the physical world.

But a cyber-attack on a steel maker in Iran two weeks ago is being seen as one of those significant and troubling moments.

A hacking group called Predatory Sparrow said it was behind the attack, which it said caused a serious fire, and released a video to back up its story.

The video appears to be CCTV footage of the incident, showing factory workers leaving part of the plant before a machine starts spewing molten steel and fire. The video ends with people pouring water on the fire with hoses.

In another video that surfaced online, factory staff can be heard shouting for firefighters to be called and describing damage to equipment.

Predatory Sparrow, also known by its Persian name, Gonjeshke Darande, says this was one of three attacks it carried out against Iranian steel makers on 27 June, in response to unspecified acts of “aggression” carried out by the Islamic Republic.

The group has also started sharing gigabytes of data it claims to have stolen from the companies, including confidential emails.

On its Telegram page Predatory Sparrow posted: “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks, being carried out carefully to protect innocent individuals.”

That last sentence has pricked the ears of the cyber-security world.

Clearly the hackers knew that they were potentially putting lives in danger, but it seems they were at pains to ensure the factory floor was empty before they launched their attack – and they were equally eager to make sure everyone knew how careful they had been.

This has led many to wonder whether Predatory Sparrow is a professional and tightly regulated team of state-sponsored military hackers, who may even be obliged to carry out risk assessments before they launch an operation.

“They claim themselves to be a group of hacktivists, but given their sophistication, and their high impact, we believe that the group is either operated, or sponsored by, a nation state,” says Itay Cohen, head of cyber research at Check Point Software.

Predatory Sparrow