Iran "attacks US critical infrastructure with new cyberweapon"
Gas stations and water supplies hit by IOCONTROL, a nation-state digital weapon designed to disrupt critical systems.
An Iran-linked threat actor has attacked critical national infrastructure (CNI) in the US with a new "cyberweapon", researchers have reported.
Claroty's threat research group Team 82 uncovered evidence indicating that CyberAv3ngers is behind attacks on several targets across America and Israel, including water supplies and gas stations.
This group is believed to be part of the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) and has "been vocal on Telegram", where it shares screenshots and other information about the compromises of these fuel systems.
"The attacks are another extension of the geopolitical conflict between Israel and Iran," Claroty warned.
Investigators also obtained a sample of a tool called IOCONTROL, which is a "cyberweapon used by a nation-state to attack civilian critical infrastructure".
This digital howitzer can be used to attack IoT and SCADA/OT devices, including IP cameras, routers, PLCs, HMIs, firewalls, and more. Read the full report to find out which companies' products might be affected (we're a small and legally cautious publication so do not make claims about the veracity of material at that link).
What is the IOCONTROL Malware?
IOCONTROL is believed to be "part of a global cyber operation against western IoT and operational technology (OT) devices".
Affected devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other Linux-based IoT/OT platforms. While the malware is believed to be custom-built, it is modular and generic enough to run on a variety of platforms from different vendors.
"Team82 has analyzed a malware sample extracted from a fuel management system that was allegedly compromised by a threat actor group linked to Iran known as the CyberAv3ngers, which is also believed to be responsible for the Unitronics attack last fall," Claroty wrote.
The IOCONTROL malware targets embedded Linux-based IoT and SCADA devices, including fuel control systems. It establishes secure communication with a command-and-control (C2) server via MQTT and supports functions like code execution, self-deletion, and port scanning.
With persistence mechanisms and stealth techniques, such as modified UPX packing and DNS over HTTPS, the malware is adept at evading detection. It has been used to compromise various devices across multiple vendors, highlighting its adaptability and threat to industrial systems.
The malware is "essentially custom built" for IoT devices but also impacts OT such as gas station fuel pumps.
In February, the U.S. Department of the Treasury announced sanctions against six IRGC-CEC officials linked to the CyberAv3ngers and offered a $10 million USD bounty for information leading to the identification or location of anyone involved in the attacks.
"The CyberAv3ngers, meanwhile, have implicitly stated they will continue to target Israel-made technology in critical infrastructure," Claroty warned. "In October 2023, water treatment facilities in the U.S. and Israel were attacked by the group.
The hackers targeted PLC/HMI devices inside these facilities, defacing OT systems. The BeaverCountain, a local newspaper, reported that they took "partial control" of a pump in a system that provides water to two townships: Racoon and Potter.
"The attacks were likely projections of power from the CyberAv3ngers, demonstrating their access to the devices and hoping to instill fear regarding the quality of water in affected areas," Claroty wrote.
Have you got a story to share? Get in touch and let us know.
