Iran-linked Crew Used Custom 'cyberweapon' In US Critical Infrastructure Attacks

An Iranian government-linked cybercriminal crew used custom malware called IOCONTROL to attack and remotely control US and Israel-based water and fuel management systems, according to security researchers.

While IOCONTROL is a custom-built backdoor for hijacking IoT devices, it also has a "direct impact" on operational technology (OT) including fuel pumps used in gas stations, according to Claroty's Team82.

The threat intel group analyzed a sample deployed on a Gasboy fuel management system during an attack attributed to CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group. The malware was embedded in Gasboy's Payment Terminal, called OrPT, which means that the attackers could have fully shut down fuel services and potentially stolen customers' payment information, or so we're told.

"We've assessed that IOCONTROL is a cyberweapon used by a nation-state to attack civilian critical infrastructure," Team82 asserted in a December 10 report. 

Affected devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms made by Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and other vendors.

The FBI and other federal agencies last December blamed CyberAv3ngers for "multiple" attacks against Unitronics PLCs used in water and other critical infrastructure systems across the US. At the time, the Feds only mentioned the crew was targeting Israel-made devices in US facilities.

Team82's research suggests the scope extended beyond that. One of the attacks compromised "several hundred" fuel management devices made by Orpak Systems and Gasboy in America and Israel, according to the security shop. Orpak gear is made in Israel, while Gasboy is made in the US. 

Cyberav3ngers previously bragged on its Telegram channel about attacking 200 gas stations in Israel and the US by targeting Orpak systems. 

While this particular wave of attacks spanned mid-October 2023 to late January 2024, the IOCONTROL sample that Team82 obtained from VirusTotal indicated that the Iranian gang launched another campaign in July and August that hit multiple IoT and Supervisory Control and Data Acquisition (SCADA) systems.

The malware uses the MQTT IoT messaging protocol for communications. This apparently makes it easier for the attackers to disguise malicious traffic to and from their command-and-control (C2) infrastructure. 

It also uses Cloudflare's DNS over HTTPS (DoH) service to translate hostnames into an IP addresses, which also helps the attackers evade detection. Instead of sending a clear-text DNS request, "they used an encrypted protocol (HTTPS), meaning that even if a network tap exists, the traffic is encrypted so they won't be discovered," Team82 wrote.

Before connecting to the C2 infrastructure to receive its instructions, IOCONTROL drops a backdoor on the infected device, allowing its masterminds to maintain control over the equipment. Commands that can be issued to the malware include arbitrary code execution, self-delete, and port scan, among others.

"This functionality is enough to control remote IoT devices and perform lateral movement if needed," the researchers noted. ®

RECENT NEWS

From Chip War To Cloud War: The Next Frontier In Global Tech Competition

The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more

The High Stakes Of Tech Regulation: Security Risks And Market Dynamics

The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more

The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics

Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more

The Data Crunch In AI: Strategies For Sustainability

Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more

Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser

After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more

LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue

In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more