SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Iran-linked malware targets critical infrastructure in USA, Israel

Yesterday

Claroty's research arm, Team82, has uncovered a sophisticated malware called IOCONTROL, attributed to Iran-affiliated attackers, which targets IoT and OT devices in Israel and the United States.

IOCONTROL has reportedly been deployed against a range of IoT and SCADA/OT devices, including IP cameras, routers, PLCs, HMIs and firewalls, from vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika and Unitronics. Claroty describes the malware as a nation-state cyberweapon used to attack civilian critical infrastructure.

Team82's analysis examines IOCONTROL's capabilities and the unusual way it communicates with the attackers' command-and-control (C2) infrastructure. A modular configuration lets the same core run on a variety of device platforms: the malware is custom-built for its targets while keeping a generic, reusable feature set.

Claroty's research links the malware to CyberAv3ngers, an Iran-affiliated group, and to a series of attacks believed to be part of a broader cyber operation against Western IoT and OT devices. One notable instance was the compromise of multiple Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in both countries.

These incidents are seen as an extension of the geopolitical tensions between Israel and Iran, with CyberAv3ngers suspected to be linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The group has publicly shared details of these breaches on platforms like Telegram.

In response, the U.S. Department of the Treasury in February imposed sanctions on six IRGC-CEC officials connected to CyberAv3ngers, and a reward of up to USD $10 million was announced for information leading to the identification or location of individuals involved in these cyber activities.

Technical analysis of IOCONTROL samples recovered from compromised fuel management systems showed that the malware uses the MQTT protocol over an encrypted channel to talk to the attackers' infrastructure. Because MQTT is a standard IoT messaging protocol, the C2 traffic blends in with legitimate device telemetry, a design choice that underlines the malware's purpose as a cyberweapon aimed at civilian critical infrastructure.
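The practical consequence of an MQTT-based C2 is that a compromised OT device looks like any other MQTT client. The hunt a SOC can run is therefore an egress check: which OT hosts speak MQTT over TLS to a broker that is not the plant's own, and which of them also reach a public DNS-over-HTTPS resolver (the resolution technique the article describes below). The script that follows is an added example, not code from Claroty or from the IOCONTROL report; the OT subnet, the approved broker, the resolver list, the use of port 8883 for MQTT over TLS and the flow records themselves are all constructed assumptions for illustration.

```python
"""Egress hunt for an OT/IoT subnet: flag MQTT-over-TLS sessions to brokers that
are not on the approved list, and HTTPS sessions to public DNS-over-HTTPS
resolvers. Added example; every address, port choice and flow record below is
constructed for illustration and is not taken from the Claroty report."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Assumed OT address range and the single broker those devices are meant to use.
OT_SUBNETS = [ip_network("10.50.0.0/16")]
APPROVED_BROKERS = {"10.50.250.10"}
# Assumed list of public resolvers that answer DNS over HTTPS; a SOC would
# maintain and extend this list itself.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
MQTT_TLS_PORT = 8883   # assumption: the IANA-registered port for MQTT over TLS
HTTPS_PORT = 443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def in_ot(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in OT_SUBNETS)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert label for one flow, or None when it looks benign.

    Only TCP flows that originate inside the OT range are considered: a
    corporate workstation talking MQTT is someone else's problem."""
    if flow.proto != "tcp" or not in_ot(flow.src):
        return None
    if flow.dport == MQTT_TLS_PORT and flow.dst not in APPROVED_BROKERS:
        scope = "internal" if in_ot(flow.dst) else "outside OT"
        return f"mqtt-tls to unapproved broker {flow.dst} ({scope})"
    if flow.dport == HTTPS_PORT and flow.dst in DOH_RESOLVERS:
        return f"possible DNS-over-HTTPS to {flow.dst}"
    return None


def hunt(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Group alert labels by source so a device with several findings stands out."""
    findings: Dict[str, List[str]] = {}
    for flow in flows:
        label = classify(flow)
        if label is not None:
            findings.setdefault(flow.src, []).append(label)
    return findings


# Constructed flow records: one PLC behaves, one reaches an unknown broker and
# a DoH resolver, one corporate host is out of scope.
SAMPLE_FLOWS = [
    Flow("10.50.3.21", "10.50.250.10", 8883, "tcp"),   # approved broker: fine
    Flow("10.50.3.21", "203.0.113.45", 8883, "tcp"),   # unknown broker
    Flow("10.50.3.21", "1.1.1.1", 443, "tcp"),         # same PLC using DoH
    Flow("10.50.7.8", "10.50.250.10", 8883, "tcp"),    # approved broker: fine
    Flow("192.168.1.10", "203.0.113.45", 8883, "tcp"), # not an OT source
]

if __name__ == "__main__":
    for src, labels in hunt(SAMPLE_FLOWS).items():
        print(src)
        for label in labels:
            print("  -", label)
```

The two signals are deliberately weak on their own (a vendor cloud broker or a modern firmware that prefers DoH would trip either), which is why the output is grouped per device: the same PLC opening an unapproved MQTT session and a DoH connection in the same window is a far better reason to pull the device for analysis than either event alone.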

The investigation also connects IOCONTROL to earlier incidents, such as the October 2023 attacks on water facilities in the U.S. and Israel. Those attacks targeted Unitronics Vision-series PLC/HMI devices and reportedly defaced the devices' displays, most likely as an intimidation tactic.

IOCONTROL is described as a framework embedded in Linux-based devices. It supports a basic command set, including arbitrary code execution and port scanning, which gives the operators remote control of the device and a foothold for lateral movement into adjacent systems.

For persistence the malware installs itself as a daemon. For stealth it is packed with a modified version of UPX, so that standard UPX tooling does not recognise the file, and it resolves its C2 infrastructure through DNS over HTTPS, which hides the lookup from conventional DNS monitoring and further complicates detection.
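The modified UPX packing matters to an analyst because the first thing most people try on a suspicious Linux binary is `upx -d`, and a packer with a rewritten header makes that fail silently enough to look like a clean file. A cheap triage step is to measure byte entropy and check for the markers stock UPX leaves behind: the "UPX!" magic in its packer header and its info banner. The script below is an added example, not code from Claroty or from the IOCONTROL analysis; the three sample blobs are constructed, the 7.0 entropy threshold is an assumption, and the "packed-unknown" verdict is only a prompt to look harder, not proof of IOCONTROL.

```python
"""Triage a binary pulled from a Linux IoT/OT device: ELF check, byte entropy,
and whether the markers stock UPX writes are present. Added example; the sample
blobs are constructed stand-ins, not real malware samples."""
import math
import random
from collections import Counter

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"            # magic that stock UPX writes and checks on unpack
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"
HIGH_ENTROPY = 7.0             # assumed threshold; compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes) -> dict:
    """Summarise what an analyst wants to know before choosing an unpacker."""
    is_elf = blob.startswith(ELF_MAGIC)
    ent = shannon_entropy(blob)
    has_magic = UPX_MAGIC in blob
    has_banner = UPX_BANNER in blob
    if not is_elf:
        verdict = "not-elf"
    elif has_magic or has_banner:
        verdict = "upx-packed"       # stock `upx -d` should handle this file
    elif ent >= HIGH_ENTROPY:
        # High entropy but none of the stock markers: consistent with a modified
        # or stripped UPX header, which is exactly the case `upx -d` refuses.
        verdict = "packed-unknown"
    else:
        verdict = "plain"
    return {
        "is_elf": is_elf,
        "entropy": round(ent, 2),
        "upx_magic": has_magic,
        "upx_banner": has_banner,
        "verdict": verdict,
    }


def _fake_packed_body(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for compressed code (constructed)."""
    return random.Random(seed).randbytes(size)


# Constructed samples: a minimal ELF-like header followed by (1) repetitive
# text, (2) a UPX magic plus a high-entropy body, (3) the same body with the
# magic overwritten, as a modified packer would leave it.
_HEADER = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
PLAIN_ELF = _HEADER + b"hello from main\n" * 64
UPX_ELF = _HEADER + UPX_MAGIC + _fake_packed_body(1)
MODIFIED_UPX_ELF = UPX_ELF.replace(UPX_MAGIC, b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_ELF), ("upx", UPX_ELF),
                       ("modified-upx", MODIFIED_UPX_ELF)):
        print(f"{name:13s} {triage(blob)}")
```

Run against a directory of binaries, the interesting rows are the "packed-unknown" ones: an ELF that stock UPX disowns but that is nearly incompressible. Those are the files to unpack by hand (or by restoring the expected magic before retrying `upx -d`) rather than dismissing because the tool said "not packed".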

The emergence of IOCONTROL illustrates the escalating use of cyber tools in state-sponsored attacks on critical infrastructure and reflects broader geopolitical conflicts. The attackers' deliberate focus on weaknesses in IoT and OT environments underscores the need for stronger security measures in these domains.
