
Iranian Hackers Use IOCONTROL Malware to Target OT, IoT Devices in US, Israel

The Iranian threat group CyberAv3ngers has used custom-built malware named IOCONTROL to target IoT and OT devices in the US and Israel.


A notorious Iranian state-sponsored hacking group has been using custom-built malware to target IoT and operational technology (OT) devices in the United States and Israel, according to cybersecurity firm Claroty.

The malware, named IOCONTROL, has been tied by Claroty researchers to CyberAv3ngers, a group that presents itself as hacktivists but which the US government and others have linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).

CyberAv3ngers has targeted industrial control systems (ICS) at water facilities in Ireland and the United States, including a water utility in Pennsylvania. In the Ireland attack, the hackers’ actions caused serious disruptions that led to the water supply being cut off for two days. 

The attacks did not involve sophisticated techniques. They relied on the fact that many organizations leave ICS devices exposed to the internet and protected only by default credentials that are easy to obtain.

The US government is offering a reward of up to $10 million for information on CyberAv3ngers, which it has described as a persona used by the Iranian government to conduct malicious cyber activities.

According to Claroty, the IOCONTROL malware is a cyberweapon used by Iran to attack civilian critical infrastructure.

The security firm says the malware has been used to target IoT, ICS and other OT devices, including IP cameras, routers, SCADA systems, PLCs, HMIs, and firewalls from vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

The malware is based on a generic IoT/OT malware framework designed to target embedded Linux-based devices, with the attackers compiling a separate build tailored to each type of targeted system.


IOCONTROL uses MQTT, a lightweight publish/subscribe messaging protocol widely used for machine-to-machine communication in IoT deployments, for command and control (C&C). It supports commands for executing arbitrary code and conducting port scans, enabling attackers to remotely control compromised devices and perform lateral movement.
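Because MQTT is a standard protocol, a defender can decode it from captured traffic and check whether devices in an OT or IoT segment are talking to a broker that was never sanctioned. The following is an added example, not code from the article or from Claroty's report: a minimal MQTT 3.1.1 decoder for CONNECT and PUBLISH packets, plus a flow-level heuristic that alerts when a device in an assumed OT address range opens an MQTT session to a broker outside an assumed allowlist. The sample byte stream, the client identifier, the topic name, the credentials and the addresses are all constructed for the example; nothing here reflects IOCONTROL's actual topics, message format or infrastructure, which the article does not describe.

```python
# Added example (not IOCONTROL's real protocol or data): MQTT 3.1.1 decoder + flow heuristic.
import ipaddress

def _remaining_length(buf, i):             # MQTT variable-length field, 1 to 4 bytes
    value, mult = 0, 1
    for _ in range(4):
        b, i = buf[i], i + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
    raise ValueError("malformed remaining length")

def _utf8_string(buf, i):                  # 2-byte big-endian length prefix + UTF-8 bytes
    n = int.from_bytes(buf[i:i + 2], "big")
    return buf[i + 2:i + 2 + n].decode("utf-8"), i + 2 + n

def _parse_connect(body):
    proto, j = _utf8_string(body, 0)
    level, cflags, keepalive = body[j], body[j + 1], int.from_bytes(body[j + 2:j + 4], "big")
    client_id, j = _utf8_string(body, j + 4)
    f = {"protocol": proto, "level": level, "keepalive": keepalive, "client_id": client_id}
    if cflags & 0x04:                      # will flag: will topic and will message follow
        f["will_topic"], j = _utf8_string(body, j)
        f["will_message"], j = _utf8_string(body, j)
    if cflags & 0x80:                      # username flag
        f["username"], j = _utf8_string(body, j)
    if cflags & 0x40:                      # password flag (sent in clear without TLS)
        f["password"], j = _utf8_string(body, j)
    return f

def _parse_publish(body, flags):
    topic, j = _utf8_string(body, 0)
    qos = (flags >> 1) & 0x03
    f = {"topic": topic, "qos": qos, "retain": bool(flags & 0x01)}
    if qos > 0:                            # packet identifier is present only for QoS 1/2
        f["packet_id"], j = int.from_bytes(body[j:j + 2], "big"), j + 2
    f["payload"] = body[j:]
    return f

def parse_packets(stream):                 # split a TCP payload into MQTT control packets
    i, out = 0, []
    while i < len(stream):
        ptype, flags = stream[i] >> 4, stream[i] & 0x0F
        length, start = _remaining_length(stream, i + 1)
        body = stream[start:start + length]
        if len(body) < length:
            raise ValueError("truncated packet")
        pkt = {"kind": ptype}              # 1 = CONNECT, 3 = PUBLISH, 8 = SUBSCRIBE, ...
        if ptype == 1:
            pkt.update(_parse_connect(body))
        elif ptype == 3:
            pkt.update(_parse_publish(body, flags))
        out.append(pkt)
        i = start + length
    return out

def _mqtt_str(s):                          # encoder helpers used only to build sample traffic
    b = s.encode()
    return len(b).to_bytes(2, "big") + b

def _mqtt_packet(first_byte, body):
    n, rl = len(body), bytearray()
    while True:                            # remaining length: 7 bits per byte, MSB = more
        n, digit = divmod(n, 128)
        rl.append(digit | 0x80 if n else digit)
        if not n:
            return bytes([first_byte]) + bytes(rl) + body

SAMPLE_STREAM = (                          # constructed: one CONNECT followed by one PUBLISH
    # CONNECT: level 4, flags 0xC2 = username + password + clean session, keepalive 60 s
    _mqtt_packet(0x10, _mqtt_str("MQTT") + bytes([4, 0xC2]) + (60).to_bytes(2, "big")
                 + _mqtt_str("plc-7f3a") + _mqtt_str("operator") + _mqtt_str("hunter2"))
    # PUBLISH at QoS 1 (first byte 0x32), packet id 7
    + _mqtt_packet(0x32, _mqtt_str("dev/plc-7f3a/out") + (7).to_bytes(2, "big") + b"uname -a")
)
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # assumed OT/IoT address range
ALLOWED_BROKERS = {"10.20.255.10"}                 # assumed sanctioned on-prem broker
SAMPLE_FLOWS = [                                   # constructed (src, dst, dst_port, payload)
    ("10.20.4.17", "203.0.113.45", 1883, SAMPLE_STREAM),  # OT device -> outside host
    ("10.20.4.18", "10.20.255.10", 1883, SAMPLE_STREAM),  # OT device -> sanctioned broker
    ("192.168.1.5", "203.0.113.45", 1883, SAMPLE_STREAM),  # IT host, outside the OT segment
]

def flag_suspicious_mqtt(flows, segment=OT_SEGMENT, allowed=ALLOWED_BROKERS):
    """Alert on MQTT sessions leaving the OT segment for a broker that is not allowlisted."""
    alerts = []
    for src, dst, port, payload in flows:
        if ipaddress.ip_address(src) not in segment or dst in allowed:
            continue
        try:
            pkts = parse_packets(payload)
        except (ValueError, UnicodeDecodeError, IndexError):
            continue                       # not MQTT, or a truncated capture
        connects = [p for p in pkts if p["kind"] == 1]
        topics = sorted({p["topic"] for p in pkts if p["kind"] == 3})
        if connects:
            alerts.append(f"{src} -> {dst}:{port} MQTT client_id={connects[0]['client_id']!r} "
                          f"to unsanctioned broker; publish topics={topics}")
    return alerts
```

Run over the constructed flows, only the session from 10.20.4.17 to the outside host produces an alert; the session to the allowlisted broker and the IT-side host are skipped. On real captures the decoder belongs behind a TCP reassembler, and the allowlist should come from the asset inventory rather than a literal; the point of keying on the CONNECT packet is that it carries the client identifier and, when the session is not wrapped in TLS, any credentials in the clear, which is worth surfacing in the alert.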

In October 2023, CyberAv3ngers claimed to have disrupted 200 gas pumps in Israel. The targeted devices had been using gas station solutions provided by a company named Orpak Systems.

Claroty obtained a sample of the IOCONTROL malware from a Gasboy fuel control system, which, the company says, “has close ties with Orpak Systems”. The security firm said it’s unclear how the malware had been distributed.

“While the reports about these attacks by CyberAv3ngers against Orpak devices span from mid-October 2023 to late January 2024, our team obtained a publicly available sample of IOCONTROL from VirusTotal, indicating the group relaunched their targeted campaign in July and August,” Claroty researchers said.

Claroty has shared a technical analysis of the IOCONTROL malware and its infrastructure, including indicators of compromise (IoCs). 

Related: OpenAI Says Iranian Hackers Used ChatGPT to Plan ICS Attacks

Related: FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating

Related: Destructive ICS Malware ‘Fuxnet’ Used by Ukraine Against Russian Infrastructure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
