Introduction
The discovery of IOCONTROL, a sophisticated malware developed by the CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) [3] [6] [7], highlights the increasing threat of state-sponsored cyberattacks on critical infrastructure. This malware specifically targets Internet of Things (IoT) devices and operational technology (OT) systems [2], posing significant risks to essential services in countries like Israel and the United States.
Description
Researchers at Claroty’s Team82 have identified a sophisticated [4] [7], custom-built malware named IOCONTROL [3] [4] [6] [8], utilized by the CyberAv3ngers [3], a threat group linked to Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) [3] [6] [7]. This modular malware is specifically designed to target critical infrastructure, including Internet of Things (IoT) devices and operational technology (OT) systems essential for services such as electricity [2], water treatment [2] [4], and gas delivery [2]. IOCONTROL poses a significant threat to organizations in Israel and the United States, capable of compromising a variety of devices, including IP cameras [7], routers [2] [3] [5] [6] [7] [8], programmable logic controllers (PLCs) [2] [3] [5], human-machine interfaces (HMIs) [2] [3] [5], firewalls [2] [3] [5] [6] [7], and fuel management systems from vendors such as Baicells, D-Link [3] [5] [6] [7], Hikvision [3] [5] [6] [7], Red Lion [3] [5] [6] [7], Orpak [3] [5] [6] [7], Phoenix Contact [3] [6] [7], Teltonika [3] [6] [7], and Unitronics [3] [4] [6] [7].
The CyberAv3ngers have claimed to have compromised approximately 200 gas stations across both countries, a statement that Claroty considers credible [1]. A notable attack wave involved the infiltration of several hundred Orpak Systems and Gasboy fuel management systems [3] [7], particularly affecting the OrPT payment terminal and impacting fuel pumps commonly used in gas stations. The attacks began in late 2023 and continued into mid-2024, with the group also linked to attacks on water treatment facilities in Israel and the US, indicating a broader strategy targeting civilian critical infrastructure.
IOCONTROL runs on a range of Linux-based device platforms and achieves persistence by installing a backdoor on the device that connects back to command and control (C2) infrastructure [6]. One persistence mechanism is a startup script named ‘S93InitSystemd.sh’, which launches the malware process at system boot [5]. Communication with the C2 server uses the MQTT protocol on port 8883 [6], with DNS over HTTPS (DoH) used to evade network monitoring [2] [6], and the malware’s configuration is encrypted with AES-256-CBC [2] [5]. Its capabilities suggest an intent to cause widespread disruption across multiple industries [2]: executing arbitrary OS commands [1], self-deletion [5], scanning IP ranges and ports for additional targets [1], and data exfiltration [1].
The US Department of the Treasury has imposed sanctions on six IRGC-CEC officials associated with the CyberAv3ngers and has offered a $10 million reward for information on individuals involved in these attacks [3]. Experts assess IOCONTROL as a cyberweapon developed by a nation-state actor and aimed at civilian critical infrastructure [6], highlighting the growing trend of state-sponsored cyber threats targeting Western IoT and operational technology devices [5]. The emergence of IOCONTROL underscores the evolving threat landscape for critical infrastructure [2] and the need for advanced threat detection capabilities and collaborative threat intelligence across industries. To mitigate the risks posed by IOCONTROL [2], organizations must prioritize robust cybersecurity measures [2], including regular patch management [2], network segmentation [2] [5], advanced network monitoring [2] [5] [6], and cybersecurity awareness training for employees [2]. The complete set of indicators of compromise (IoCs) for IOCONTROL is documented in the report [6]; organizations should fold these indicators into their monitoring alongside the measures above to safeguard against such sophisticated malware threats.
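As an added example (not code from the cited reports), the following hunting script applies two of the indicators described above to constructed sample data: outbound MQTT-over-TLS (port 8883) sessions from OT/IoT segments to external hosts, and the presence of the reported startup script name in a device’s init directory. The OT address ranges, the simplified connection-log layout and the directory listing are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample connection log (simplified Zeek conn.log layout:
# src_ip, dst_ip, dst_port, proto, tab-separated). Not real telemetry.
SAMPLE_CONN_LOG = """\
10.50.1.20\t203.0.113.45\t8883\ttcp
10.50.1.21\t10.50.1.1\t502\ttcp
10.50.1.22\t10.50.3.9\t8883\ttcp
192.168.10.5\t198.51.100.7\t8883\ttcp
10.50.2.33\t203.0.113.9\t443\ttcp
"""

# Assumed OT/IoT address space for this example; adjust to your own segments.
OT_SEGMENTS = [ip_network("10.50.0.0/16")]
MQTT_TLS_PORT = 8883  # C2 channel port reported for IOCONTROL

# Constructed listing of an init-script directory on a Linux-based device.
SAMPLE_INIT_SCRIPTS = ["S20urandom", "S93InitSystemd.sh", "S99rmnologin"]
PERSISTENCE_SCRIPT = "S93InitSystemd.sh"  # startup script reported for IOCONTROL

def in_ot_segment(ip):
    """True if the address falls inside one of the assumed OT/IoT segments."""
    addr = ip_address(ip)
    return any(addr in net for net in OT_SEGMENTS)

def find_mqtt_c2_candidates(conn_log):
    """Return (src, dst) pairs where an OT/IoT host opens an outbound TCP 8883
    session to a destination outside the OT segments. Internal brokers
    (dst inside OT space) are deliberately not flagged."""
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = line.split("\t")
        if (proto == "tcp" and int(dport) == MQTT_TLS_PORT
                and in_ot_segment(src) and not in_ot_segment(dst)):
            hits.append((src, dst))
    return hits

def find_persistence_script(init_scripts):
    """Return any entries matching the startup script name tied to IOCONTROL."""
    return [name for name in init_scripts if name == PERSISTENCE_SCRIPT]

if __name__ == "__main__":
    print("MQTT 8883 egress from OT:", find_mqtt_c2_candidates(SAMPLE_CONN_LOG))
    print("Persistence script present:", find_persistence_script(SAMPLE_INIT_SCRIPTS))
```

A hit on either check is a starting point for triage, not proof of infection; confirm against the full IoC list in the report before acting.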
Conclusion
The emergence of IOCONTROL as a state-sponsored cyberweapon underscores the urgent need for enhanced cybersecurity measures to protect critical infrastructure. Organizations must adopt comprehensive strategies, including regular updates [2], network segmentation [2] [5], and employee training, to mitigate the risks posed by such sophisticated threats. The evolving threat landscape demands collaboration and advanced threat detection capabilities to safeguard essential services and infrastructure from future cyberattacks.
References
[1] https://www.techradar.com/pro/security/critical-infrastructure-being-hit-by-dangerous-new-malware-routers-firewalls-and-fuel-systems-all-under-threat
[2] https://undercodenews.com/cyberattacks-on-critical-infrastructure-iranian-malware-targets-iot-and-ot-systems/
[3] https://www.infosecurity-magazine.com/news/malware-nation-sate-industrial/
[4] http://staging.waterisac.org/portal/otics-threat-awareness-%E2%80%93-iocontrol-and-adroxgh0st-malware-target-critical-infrastructure
[5] https://thesecmaster.com/blog/iran-linked-hackers-deploy-sophisticated-iocontrol-malware-targeting-critical-inf
[6] https://securityaffairs.com/171980/malware/iocontrol-cyberweapon-targets-us-isreael.html
[7] https://thecyberwire.com/newsletters/daily-briefing/13/235
[8] https://cyber.vumetric.com/security-news/2024/12/13/iran-linked-iocontrol-malware-targets-scada-and-linux-based-iot-platforms/