An attack on the fuel distribution chain in Iran reportedly forced the shutdown of a network of filling stations Tuesday, leaving motorists stranded at pumps across the country and unable to fill up their tanks.
The incident disabled government-issued electronic cards providing subsidies that many Iranians use to purchase fuel at discounted prices, according to a report in The Times of Israel, which said that the Iran Supreme National Security Council confirmed the attack.
The filling stations targeted in the attack belong to the National Iranian Oil Products Distribution Company (NIOPDC), which has more than 3,500 stations across Iran and has been supplying oil products for more than 80 years, according to another report in BleepingComputer.
The incident echoed another critical-infrastructure attack that occurred in July against the Iran rail transportation system. In that attack, too, the attackers reportedly used the number “64411” – the phone number for the office of Supreme Leader Ali Khamenei.
Tuesday’s attack displayed a message reading “cyberattack 64411” on gas pumps when people tried to use their subsidy cards, according to the Times of Israel. In July’s attack, this number was displayed on screens and message boards at rail transportation stations, directing people to call it for more information about the attack.
Screens on the gas pump PoS systems say 'cyberattack, 64411' in Farsi. For avid readers, this should be a throwback to the Iranian railway systems attack in July where the attackers also directed calls to 64411, the Office of Iran's Supreme Leader, Ali Khamenei #MeteorExpress pic.twitter.com/Ck7WR9yPDZ
— J. A. Guerrero-Saade (@juanandres_gs) October 26, 2021
Authorities aren’t certain yet if this tactic means the same group is behind the attack or if it’s a false lead. Iran is currently investigating the attack and has not publicly identified the culprit, though authorities are reportedly blaming a “hostile country.”
Critical Infrastructure Under Attack
Though little is known about the attack details or its perpetrator, experts said it once again highlights how vulnerable critical infrastructure is to cyberattacks, which can spread ripples that disrupt everyday life.
Steve Daniels, head of vCISO at cybersecurity firm Cyvatar, said the attack “appears to be politically motivated.”
“For me, [it] highlights the need to effectively manage the security of critical national infrastructure,” he said in an email to Threatpost.
Nasser Fattah, North America steering committee chair for third-party risk-management firm Shared Assessments, shared Daniels’ assessment. “Indeed, the incident demonstrates that attacking common consumer goods, like gas, can quickly have an immediate impact on the economy,” he observed.
“Think of delivery trucks, due to shortage of gas, now cannot deliver goods to the market,” he said in an email to Threatpost. “Such cyberattacks can also have a ripple effect in society that can lead to riots and mayhem.”
Given this potential and the fallout already seen from some high-profile attacks recently – including May’s attack on Colonial Pipeline and several recent attacks on food distribution companies – critical infrastructure appears to be more vulnerable than enterprise networks, added another security expert. The incident highlights a pressing need to shore up critical infrastructure security, said Saryu Nayyar, CEO of security firm Gurucul.
“Just as traditional organizations have taken steps to protect themselves against hackers, infrastructure providers such as pipeline operators and critical service providers have to take similar actions,” she said in an email to Threatpost.
This securing of critical infrastructure is especially important as its operation – like so much else in the world’s socio-economic landscape – is becoming increasingly dependent on digital protocols that are easy to compromise and under persistent attack, added Doug Britton, CEO of cybersecurity aptitude testing firm Haystack Solutions.