rewrite this content and keep HTML tags as is:
- Card and online payments blocked
- At least four banks affected
- Experts: Aim to disrupt not destroy
A cyberattack struck several Iranian banks this week in a hack experts said was designed to cause disruption and embarrassment rather than lasting damage.
The operation affected card payments, online banking and cash dispensers at Bank Melli, Bank Saderat, Bank Tejarat and the Export Development Bank of Iran. Other lenders also reported interruptions to services.
Iranian officials said no customer data was compromised, although the outages caused problems across the country. The cyberattack was first reported on June 14 before resurfacing on Tuesday.
Suspicion has centred on Predatory Sparrow, a pro-Israel hacking group that has repeatedly targeted Iranian infrastructure.
However Professor Alan Woodward, a cybersecurity specialist at the University of Surrey in the UK, said the attack did not match the group’s modus operandi.
Its campaigns, he said, typically involve public claims of responsibility and the release of evidence intended to demonstrate links between its targets and the Islamic Revolutionary Guard Corps.
In 2022, Predatory Sparrow, known as Gonjeshke Darande in Farsi, said it had been behind a cyberattack on an Iranian steel plant that led to a major fire. Israel has never publicly acknowledged any connection to the group, but experts have linked it to the country’s security services, citing the sophistication and scale of its attacks.
Another hacking group – an Iranian anti-government collective called Black Wolves – has claimed responsibility for the mid-June attacks, according to news agency DPA.
Further reading:
Further reading:
Woodward said the operation against the banks appeared to be a “disruption campaign” rather than an attempt to destroy systems or compromise customer data.
He said the hackers had targeted a shared communications platform used by four banks rather than the institutions themselves, temporarily halting services. Outages at petrol stations were reported across the country.
The government in Tehran has not said who it suspects of orchestrating the attack, but authorities have blamed Israel for similar incidents in the past.
State-linked media said the Cyber Command of Iran had issued a statement confirming a “cyberattack on banking infrastructure”.
This week’s attack is markedly different from the one on Bank Sepah last year, when Predatory Sparrow claimed to have destroyed the bank’s data and paired the operation with a $90 million theft from Iranian cryptocurrency exchange Nobitex.
“A transient outage that the public experiences at the supermarket till is almost optimised for visibility and embarrassment rather than lasting harm,” Woodward said.
“Hitting four banks at once through a common platform shows decent target selection and produces visible nationwide friction, but services restored in days and no data loss is not a high-severity outcome by the standards of what’s been done to Iran before.”
Javvad Malik, lead security awareness advocate at US company KnowBe4, said the method suggested an organised operation. “Rather than going after each bank one by one, the attackers appear to have targeted the shared communications network connecting them.”
However, he cautioned against drawing conclusions about who was responsible.
“Before attributing it to Predatory Sparrow, analysts will want to see whether the methods match previous attacks,” he said. “Even then, attribution can never be guaranteed.”
A surge in cyberattacks
Early in the US-Israeli war with Iran, experts reported a surge in cyberattacks targeting banks, telecoms operators and government systems across the Gulf.
Asked whether the June operation could be linked to the release of frozen Iranian assets by the US, Woodward said: “The frozen-funds question operates at a completely different layer.
“Disrupting retail card processing at four commercial banks doesn’t touch the Central Bank of Iran’s ability to access or direct those external balances.”
Malik also said the bank attack was unlikely to affect access to the assets.
“Those funds are flowing through sovereign-level channels like Qatari custodial accounts, which sit a level above retail card systems,” he said.
“But if the aim is to shake confidence in Iran’s banking system, the attack does its job without needing to reach the money itself.”
Jake Moore, global cybersecurity adviser at Slovakia-based cybersecurity company ESET, said the operation was still notable because it targeted services used by millions of customers and undermined confidence.
“Disruption is just as much an attack as theft,” he said. “It can be far more significant than a relatively simple financial hit.”
