Threat Intelligence Tarot
wands · 1
Israel (suspected)
risk 4/5
The Arsonist
Predatory Sparrow
Gonjeshke Darande
Iranian steel plants · Iranian fuel distribution · Iranian railway systems
Active since ~2021 · Iranian infrastructure disruption, Psychological operations, Kinetic-adjacent sabotage
It does not steal. It burns. The Arsonist targeted Iranian steel mills until the furnaces caught fire on camera, then published the footage. It disrupted fuel stations until drivers queued for miles. It is the rarest kind of cyber actor: one that makes the physical world feel the heat.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1485 Data Destruction (Impact)
  • T1489 Service Stop (Impact)
  • T1491.002 External Defacement (Impact)
  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1561 Disk Wipe (Impact)
Notable Operations
  • Iranian steel plant cyberattack causing physical fire (2022)
  • Iranian fuel distribution network shutdown - 4,300 stations offline
  • Iranian railway hack - fake delay messages and board disruption (2021)
  • Posted videos of ICS monitoring footage as proof of access
Defenses
  • OT/ICS network segmentation from IT networks
    ICS-CERT guidance
  • Industrial control system monitoring and anomaly detection
    NIST SP 800-82
  • Emergency shutdown procedures and physical safety interlocks
    ISA/IEC 62443
  • Supply chain and vendor access controls for ICS environments
    NIST CSF: ID.SC
Reversed: Their Weakness
Predatory Sparrow's restraint in its Iranian attacks - targeting industrial systems carefully enough to avoid mass civilian casualties while still causing economic damage - suggests an operator with both technical sophistication and strategic discipline.


Data sourced from MITRE ATT&CK. For educational purposes.