Penelope Iroko Table of Contents
The Iranian threat group CyberAv3ngers has been using custom-built malware called IOCONTROL malware to target critical IoT (Internet of Things) and OT (Operational Technology) devices in both the U.S. and Israel.
According to cybersecurity firm Claroty, this malicious activity highlights the increasing threat of state-sponsored cyberattacks aimed at compromising essential infrastructure in key regions.
The IOCONTROL malware is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) and has been used to breach industrial control systems, causing significant disruptions, including incidents at water utilities and gas stations.
CyberAv3ngers and IOCONTROL Malware
The group CyberAv3ngers has been identified by the U.S. government and cybersecurity researchers as operating under Iran’s IRGC.
Their IOCONTROL malware targets operational technology (OT) systems like SCADA systems, PLCs (Programmable Logic Controllers), IP cameras, routers, and firewalls.
This malware has been linked to attacks on industrial facilities and IoT devices in both the U.S. and Israel, with notable incidents at critical infrastructure such as water utilities and gas stations.
| Type of Device Targeted | Description |
|---|---|
| SCADA Systems | Supervisory Control and Data Acquisition systems, often vulnerable due to remote access and exposed internet connections. |
| PLCs | Used in industrial control systems, prone to exploitation if not properly secured. |
| IoT Devices | Internet-connected devices like cameras, routers, and sensors. |
| Gas Station Equipment | Systems such as gas pumps, particularly those linked to Orpak Systems. |
Claroty, a cybersecurity research firm, has traced IOCONTROL malware to CyberAv3ngers, noting its use of a generic IoT/OT malware framework tailored for Linux-based systems.
The malware communicates via the MQTT protocol, enabling attackers to execute commands, perform port scans, and control compromised devices remotely.
Real-Life Example
A striking example of these tactics occurred in mid-October 2023 when CyberAv3ngers disrupted 200 gas pumps in Israel using IOCONTROL malware.
These pumps were part of systems provided by Orpak Systems, a major player in the gas station solutions sector. The attacks caused fuel shortages and impacted several gas stations for days.
IOCONTROL Malware in Action
The IOCONTROL malware targets a range of devices, including those used in industrial control systems and IoT networks.
The attackers behind CyberAv3ngers compile different versions of IOCONTROL, designed to exploit specific systems.
This custom-built malware framework gives them access to critical infrastructure, such as water utilities and gas stations, enabling lateral movement within networks to compromise further systems.
In addition to disrupting gas stations in Israel, CyberAv3ngers targeted water utilities in both the U.S. and Ireland.
These attacks have demonstrated how weak security practices and exposed OT devices make essential infrastructure vulnerable to such threats.
Security Risks and Recommendations
The targeting of IoT and OT devices with IOCONTROL highlights the need for organizations to strengthen their cybersecurity defenses. Key measures include:
- Segmentation and Isolation: Separating critical systems from the broader network reduces the risk of lateral movement by attackers.
- Patch Management and Updates: Keeping IoT and OT systems up to date with the latest security patches helps protect against known vulnerabilities.
- Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security to IoT and OT devices.
- Network Monitoring and Intrusion Detection Systems (IDS): Constant monitoring helps identify and respond to suspicious activity in real-time.
Rounding Up
The Iranian group CyberAv3ngers continues to pose a significant threat to critical infrastructure in the U.S. and Israel through the use of IOCONTROL malware.
Organizations must adopt best practices for securing IoT and OT devices to prevent future attacks.
By implementing stronger cybersecurity measures, businesses can mitigate the risks posed by state-sponsored hackers targeting operational systems.
About Claroty
Claroty is a cybersecurity firm specializing in industrial control system (ICS) security, providing threat detection and response solutions to protect OT environments. For more information, visit their website.
FAQs
What is IOCONTROL malware?
IOCONTROL is a custom-built malware framework used by Iranian threat group CyberAv3ngers to target IoT and OT devices, including industrial control systems, routers, and other critical infrastructure.
How did CyberAv3ngers use IOCONTROL malware?
CyberAv3ngers used IOCONTROL malware to disrupt IoT and OT systems, including water utilities and gas stations in the U.S. and Israel, exploiting exposed networks and default credentials.
What is the role of Iran’s IRGC in these cyberattacks?
A: The U.S. government and cybersecurity researchers have linked CyberAv3ngers to Iran’s IRGC, attributing state-sponsored cyber activities to this group, particularly targeting critical infrastructure using IOCONTROL malware.
