Iran-Linked Cyber Attack Targets US and Israeli Infrastructure with IOCONTROL Malware

Iranian threat actors, identified by Claroty’s Team82, have leveraged a sophisticated piece of malware, known as IOCONTROL, to target Internet of Things (IoT) and Operational Technology (OT) systems within critical infrastructure in the United States and Israel.

Cyber Weapon Development

Experts have attributed this attack to CyberAv3ngers, a group believed to operate under the Iranian Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The malware appears to have been developed with the intent of targeting civilian essential services, a move tied to geopolitical tensions.

Technical Capabilities of IOCONTROL

IOCONTROL stands out due to its modular structure, which lets it operate across platforms from multiple vendors. It affects a diverse range of devices, including IP cameras, routers, PLCs, human-machine interfaces (HMIs), and firewalls. Affected vendors include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. In recent campaigns, several hundred Orpak systems in Israel and Gasboy fuel management systems in the US were compromised. The Iranian attackers claim to have disrupted services at 200 gas stations across both countries starting in late 2023, a timeframe that aligns with other industrial security incidents, and the threat persisted into mid-2024 without being detected by the antivirus engines on VirusTotal.

Attack Details and Persistence Mechanics

Researchers obtained a sample of the malware from an Orpak-connected Gasboy fuel management system but have yet to establish the exact deployment method. IOCONTROL was found embedded within the Gasboy Payment Terminal (OrPT), giving attackers the capability to halt fuel services and potentially exfiltrate credit card data. For persistence, IOCONTROL installs a backdoor that maintains communication with its command-and-control (C2) server via the MQTT protocol. This connection, made on port 8883, embeds a unique device ID in its credentials. Additionally, the malware uses DNS over HTTPS (DoH) to evade network monitoring and AES-256-CBC to encrypt its configuration.
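The two network behaviours described above (MQTT over TLS on port 8883 to an unexpected broker, and DNS-over-HTTPS instead of the site's normal DNS) are both things a defender can hunt for in flow records from an OT segment. The following is an added illustration, not code from Claroty's report: it parses a few constructed, tab-separated flow records (the field layout is hypothetical, not a real sensor format), flags OT hosts that talk MQTT/TLS to a broker outside an assumed allowlist or that reach an assumed list of public DoH resolvers, and then reports hosts showing both behaviours, which is the stronger signal.

```python
"""Hunt for the IOCONTROL-style communication pattern in OT flow records.

Added example; not code from the report or from any vendor. The log format,
the OT segment range, the broker allowlist and the DoH resolver list are all
assumptions to be replaced with site-specific values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample flows: timestamp, src_ip, dst_ip, dst_port, proto.
SAMPLE_FLOWS = """\
2024-05-02T10:00:01Z\t10.20.0.15\t10.20.0.1\t502\ttcp
2024-05-02T10:00:05Z\t10.20.0.15\t203.0.113.77\t8883\ttcp
2024-05-02T10:00:06Z\t10.20.0.15\t1.1.1.1\t443\ttcp
2024-05-02T10:01:00Z\t10.20.0.22\t10.20.0.50\t8883\ttcp
2024-05-02T10:02:00Z\t10.20.0.31\t198.51.100.9\t443\ttcp
"""

# Assumed OT segment under observation.
OT_SEGMENT = ip_network("10.20.0.0/24")
# Assumed: brokers the site legitimately uses (fill from the asset inventory).
ALLOWED_MQTT_BROKERS = {ip_address("10.20.0.50")}
# Assumed: well-known public DoH resolvers; extend from your own intel.
DOH_RESOLVERS = {ip_address(a) for a in
                 ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

MQTT_TLS_PORT = 8883
HTTPS_PORT = 443


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the hypothetical tab-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split("\t")
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(dport), proto))
    return flows


def find_suspicious(flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Return (src, reason, dst) for each flow matching either behaviour."""
    findings = []
    for f in flows:
        # Only outbound TCP from the OT segment is of interest here.
        if f.src not in OT_SEGMENT or f.proto != "tcp":
            continue
        if f.dport == MQTT_TLS_PORT and f.dst not in ALLOWED_MQTT_BROKERS:
            findings.append((str(f.src), "mqtt-tls to non-allowlisted broker", str(f.dst)))
        elif f.dport == HTTPS_PORT and f.dst in DOH_RESOLVERS:
            findings.append((str(f.src), "possible DNS-over-HTTPS", str(f.dst)))
    return findings


def hosts_with_both(findings: list[tuple[str, str, str]]) -> list[str]:
    """Hosts that show both the MQTT and the DoH behaviour, sorted."""
    reasons_by_host: dict[str, set[str]] = {}
    for host, reason, _ in findings:
        reasons_by_host.setdefault(host, set()).add(reason)
    return sorted(h for h, r in reasons_by_host.items() if len(r) == 2)


if __name__ == "__main__":
    hits = find_suspicious(parse_flows(SAMPLE_FLOWS))
    for src, reason, dst in hits:
        print(f"{src} -> {dst}: {reason}")
    print("review first:", hosts_with_both(hits))
```

On the sample data, the Modbus flow to the local PLC and the MQTT flow to the allowlisted broker produce no finding, while 10.20.0.15 is flagged twice and therefore surfaces as the host to review first. In practice the allowlist should come from the asset inventory, since many legitimate IoT products also use MQTT over 8883.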

Known IOCONTROL Commands

The malware supports several commands:

Opcode 0: Resend a hello message with device details over MQTT.

Opcode 1: Verify malware installation and executable status, publishing a confirmation string.

Opcode 12: Execute arbitrary OS commands and publish the results.

Opcode 18: Conduct IP range port scans, publishing the results.

The report emphasizes that IOCONTROL acts as a sophisticated cyberweapon in a wider campaign targeting Western IoT and OT devices. The implications for critical infrastructure security are profound, underscoring the advanced capabilities and persistent nature of state-sponsored cyber threats.

For further insights and a complete list of indicators of compromise, follow Claroty’s ongoing updates.
