
Leaked Files From Offensive Cyber Unit Show Iran’s Interest in Targeting ICS

Classified files leaked from Iranian offensive cyber unit

Classified files apparently leaked from a cyber unit of the Iranian government show that Iran is looking to improve its offensive cyber capabilities, including for targeting industrial control systems (ICS).

British news outlet Sky News managed to obtain five internal reports — all marked “very confidential” — that seem to originate from the Islamic Revolutionary Guard Corps’ (IRGC) Shahid Kaveh, a secret offensive cyber unit. Specifically, they are said to come from a sub-unit of Shahid Kaveh called Intelligence Team 13.

According to Sky News, the documents total nearly 60 pages and they appear to represent intelligence collection efforts for potential cyberattack targets.

One file, dated November 2020, focuses on building management systems and mentions Schneider Electric, Honeywell, Siemens and KMC Controls as companies that provide such solutions.

These types of products have been known to be affected by many vulnerabilities that could allow hackers to take complete control of a system. Attackers could trigger alarms, lock or unlock doors and gates, intercept video surveillance streams, control elevator access, manipulate lights and HVAC systems, and disrupt operations.

In response to Sky News’ reporting, industrial cybersecurity firm Radiflow noted that building management systems are easy targets because they are often exposed to the internet and, in many cases, not properly secured.

“Many of these second-tier targets seem irrelevant at first,” said Ilan Barda, founder and CEO of Radiflow. “What makes them so valuable is their potential to be used as a gateway to building systems. Once inside, a hacker can manipulate air circulation units, elevators, and any other critical infrastructure to carry out physical attacks.”


Another leaked report obtained by Sky News, dated April 2020, mentioned programmable logic controllers (PLCs) made by Germany-based WAGO. While these types of WAGO devices have been known to contain critical vulnerabilities, the authors of the report have apparently not found a way to exploit them.

The other reports, which are not dated, focus on maritime communications, fuel pumps and cargo ships. While the documents describe potentially devastating attacks against these systems — such as sinking a ship or blowing up a fuel pump at a gas station — the authors mainly relied on open source information and they did not appear to possess any advanced knowledge or capabilities.

Iran has been known to target industrial organizations. Its hackers are believed to be behind the destructive Shamoon attacks in the Middle East, and some threat groups are known to focus on ICS-related organizations.

Iranian hackers were blamed for several attacks launched on water facilities in Israel last year, and while authorities claimed that the incidents did not result in any damage, in at least one case the attackers seemed to know how to target industrial systems.

In late 2020, an Iranian group posted a video showing that they had managed to access an industrial system at a water facility in Israel, specifically a human-machine interface (HMI). However, these hackers did not appear to possess advanced capabilities or knowledge for targeting industrial systems.

In early 2020, after a U.S. airstrike had killed a senior Iranian military commander, organizations in the United States were warned that Iran could respond in cyberspace. However, many of the cybersecurity experts who spoke to SecurityWeek at the time said they did not believe Iran had the capability to cause significant damage if it were to target critical infrastructure or ICS. On the other hand, experts warn that the potential threat should not be ignored.

“Iran is looking to expand the outreach and objects of their cyber-attacks,” said Michael Langer, cyberwarfare expert and CPO of Radiflow. “Their history of disruptive cyber offensives on Saudi Arabian oil refineries and Israeli water management facilities is to be taken seriously. The Iranians’ mapping of BMS vulnerabilities may indicate a shift to target more easily exploitable sites. It’s time to think differently.”

Related: U.S. Government Attributes ICS Attacks to Russia, China, Iran

Related: Cyberattacks Possibly Involved in Explosions at Iranian Nuclear, Military Facilities

Related: WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
