The apparent cyberattack comes as Israel and Iran engage in a days-long escalating military conflict.
# Incident Report: Alleged Disruption of Iranian Bank Sepah by Hacktivist Group
## Executive Summary
The pro-Israel hacktivist group Predatory Sparrow (also known as Gonjeshke Darande) claimed responsibility for a cyberattack on Iran's Bank Sepah, alleging that the bank finances the Iranian regime's military and missile programs. The claimed attack coincided with widespread banking disruptions across Iran, including branch closures and customers being unable to access their accounts. Neither the bank nor any independent party has confirmed the group's claims, and the technical details and full scope of the attack remain unverified.
## Incident Details
- Discovery Date: June 17, 2025 (Date of claims/reports of disruption)
- Incident Date: On or around June 17, 2025
- Affected Organization: Bank Sepah (Iran)
- Sector: Finance/Banking
- Geography: Iran
## Timeline of Events
### Initial Access
- Date/Time: Not specified; the attack is alleged to have taken place before the disruptions became public on June 17, 2025.
- Vector: Not disclosed. Predatory Sparrow claimed only to have "destroyed data" and gave no indication of how access was obtained.
- Details: The group said it targeted Bank Sepah because, in its account, the bank circumvents international sanctions to fund the Islamic Revolutionary Guard Corps (IRGC).
### Lateral Movement
- Details: None reported. Destroying data across the bank's systems would imply movement inside its network, but no evidence of how that was achieved has been published.
### Data Exfiltration/Impact
- Details: The primary claimed impact was the *destruction of data* at Bank Sepah. Reports indicated widespread banking disruptions, branch closures, and customers being unable to access accounts or use ATMs displaying error messages.
### Detection & Response
- Details: The incident became public through reports of "widespread banking disruptions" across Iran by independent news organizations (Iran International, i24NEWS); how or when the bank itself detected the attack is not known. Response actions by the bank are not detailed, though some branches were reportedly closed.
## Attack Methodology
- Initial Access: Claimed cyberattack (Method details unknown).
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown.
- Lateral Movement: Unknown.
- Collection: Not reported; the group's stated objective was destruction, not collection of data.
- Exfiltration: None claimed; no leaked data has been published in support of the claim.
- Impact: Data destruction leading to denial of service across the bank's customer-facing operations.
## Impact Assessment
- Financial: Unspecified, but disruption to a major national bank suggests significant financial implications for customers and operations.
- Data Breach: No data theft claimed. The group claimed to have destroyed data; which systems or records were affected is unknown.
- Operational: Widespread banking disruptions reported across Iran; several Bank Sepah branches closed; ATM functionality severely impaired.
- Reputational: Negative impact on the perceived security and stability of Bank Sepah and the national banking infrastructure.
## Indicators of Compromise
- Network indicators: None disclosed (URLs/IPs not provided in source).
- File indicators: None disclosed.
- Behavioral indicators: None disclosed. The only observable signals were service-level effects (branch closures, ATM error messages), which are symptoms of the outage rather than indicators that a defender could hunt for.
## Response Actions
- Containment measures: Some Bank Sepah branches were reportedly closed; whether this was a deliberate containment step or a consequence of the outage is not known.
- Eradication steps: Not detailed.
- Recovery actions: Not reported. Customers were unable to access accounts at the time of reporting, and the recovery status is unknown.
## Lessons Learned
- Key takeaways: Financial infrastructure is a target for politically motivated attackers during armed conflict. The stated objective here was destruction rather than theft, which shifts the defensive problem from preventing exfiltration to being able to restore service from trustworthy copies.
- What could have been done better: Unknown; whether the bank's backup and recovery controls held is not reported. A destructive attack of this kind is exactly the scenario that offline, immutable backups and regularly tested restore procedures exist for, so the length of the outage is the measure to watch as more information emerges.
## Recommendations
- Prevention measures for similar incidents: Harden core banking systems against destructive and manipulative attacks, not only against theft; keep offline and immutable backups with integrity checks and exercised restore procedures; segment branch and ATM networks from core systems so that a single compromise cannot reach every tier; and monitor transaction and storage systems for anomalies such as mass deletion or bulk modification that precede visible outages.
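The recommendation above for immutable backups only helps if a restore can tell a clean copy from one a wiper has already reached. The following is an added example, not code from the report, from Bank Sepah, or from any party to the incident: each backup run records a manifest of SHA-256 file hashes and authenticates the manifest with an HMAC under a key held off the backed-up host, so a restore detects deleted files, rewritten files, and a manifest edited to hide either. The file contents, paths, and key are constructed for illustration.

```python
"""Added example: integrity check for an offline backup set.

A backup run calls build_manifest() and stores the manifest beside the
copies; restore calls verify_backup() before trusting them.  The HMAC key
is kept off the backed-up host, so an attacker who can destroy data on
that host cannot also forge a manifest that matches the destroyed state.
"""
import hashlib
import hmac
import json

# Constructed sample backup set (path -> bytes); stands in for real files.
BACKUP_SET = {
    "ledger/2025-06-16.dat": b"ACC001,+1500.00\nACC002,-300.00\n",
    "ledger/2025-06-17.dat": b"ACC001,-200.00\n",
    "config/core.json": b'{"region": "example", "tz": "+03:30"}',
}

# Hypothetical manifest key; in practice an HSM- or vault-held secret,
# never present on the host whose data is being protected.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def _manifest_body(entries: dict) -> bytes:
    # Canonical serialization so the HMAC is stable across runs.
    return json.dumps(entries, sort_keys=True).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file and authenticate the table of hashes."""
    entries = {path: hashlib.sha256(data).hexdigest()
               for path, data in sorted(files.items())}
    tag = hmac.new(key, _manifest_body(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_backup(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the set is intact."""
    findings = []
    expected = hmac.new(key, _manifest_body(manifest["entries"]),
                        hashlib.sha256).hexdigest()
    # Check the manifest first: if it has been altered, its entries are
    # not evidence of anything and per-file results would be misleading.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        findings.append("manifest HMAC mismatch: manifest altered or wrong key")
        return findings
    for path, digest in manifest["entries"].items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest["entries"]:
            findings.append(f"unexpected: {path}")
    return findings


def simulate_wiper(files: dict) -> dict:
    """Constructed failure case: delete one file and zero-fill another."""
    damaged = dict(files)
    del damaged["ledger/2025-06-17.dat"]
    damaged["ledger/2025-06-16.dat"] = b"\x00" * 32
    return damaged


if __name__ == "__main__":
    manifest = build_manifest(BACKUP_SET, MANIFEST_KEY)
    print("intact set:", verify_backup(BACKUP_SET, manifest, MANIFEST_KEY))
    print("wiped set: ", verify_backup(simulate_wiper(BACKUP_SET), manifest,
                                       MANIFEST_KEY))
```

The manifest check runs before any per-file comparison on purpose: a wiper with write access to the backup store can rewrite both the files and the manifest, and only the externally held key makes the manifest's verdict worth anything. Object-lock or WORM storage for the copies themselves, and a restore drill on a schedule, are the operational half of the same control.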