Lizzie Clark

Iran Pays $3 Million Ransom Following Cyberattack on Banking Infrastructure

In this blog series, we are spotlighting and diving deeper into one of the stories we share each week in our cybersecurity newsletter, Beacon.

In August 2024, Iran was hit by a cyberattack that severely disrupted its banking system, leading to the payment of a significant ransom to restore services. The attackers, believed to be from the IRLeaks group, targeted Tosan, a digital infrastructure provider that supports a large portion of Iran’s banking sector. 

Officials say IRLeaks, which has a history of hacking Iranian companies, was likely behind the breach. The hackers are said to have initially threatened to sell the data they collected, which included the personal account and credit card data of millions of Iranians, on the dark web unless they received $10 million in cryptocurrency. Up to 20 banks were affected by the breach; the sum finally negotiated was just over $3 million. Even at that lower figure, the incident revealed how unprepared much critical infrastructure is in the face of a well-coordinated cyberattack.

Tosan’s role as the provider of banking solutions to much of Iran’s banking sector explains the scale of this attack’s impact. Supply chain security matters because organizations rely on their suppliers to keep their sensitive information safe: by compromising a single platform, the hackers gained access to multiple financial institutions at once, demonstrating how the centralization of critical services can become a single point of failure.

Iran has already experienced significant cyberattacks in recent years. In December 2023, IRLeaks claimed responsibility for another major breach, this time targeting nearly two dozen Iranian insurance companies. The group reportedly stole sensitive customer data from these companies, adding to a series of attacks that highlight the country’s ongoing cyber vulnerabilities. IRLeaks also claimed to have hacked Snapp Food, a popular Iranian food delivery service, further showcasing their ability to disrupt key sectors of the Iranian economy.

Iran did not officially acknowledge the cyberattack, despite banks being forced to shut down cash machines nationwide. The breach was reported by opposition news outlet Iran International, but neither the identity of the suspected hackers nor the details of the ransom demands were publicly disclosed. 

It’s worth noting the geopolitical context in which this attack occurred. With Iran being in conflict with multiple global powers, cyberattacks on its critical infrastructure are not without precedent. However, this specific attack illustrates the increasing sophistication of cybercriminals who are not only capable of crippling large national systems but also forcing governments to meet their financial demands. This trend of ransomware attacks is becoming a national security issue for countries around the world, especially as reliance on digital technology grows.

In the larger context of cybersecurity, this incident highlights the importance of strengthening critical infrastructure against cyber threats, particularly in sectors like banking, healthcare, and energy. This attack suggests that non-state actors and hackers, driven by financial motivation, are now playing a role in global cyber conflict.

This attack has exposed the nation’s vulnerabilities and raised further questions about how countries similar to Iran will handle future cyberattacks. This incident should be a reminder to governments worldwide that cyberattacks can have devastating consequences, from financial losses to political disruption. The need for better cybersecurity defenses and threat intelligence against such threats is not just an Iranian concern, but a global one. 

If you’d like the latest dark web news and insights delivered into your inbox every Thursday at 10am, SIGN UP to the email version of Beacon.