- Cybersecurity researchersuncoer new piece of malware called IOCONTROL
- It targets IoT devices in critical infrastructure organizations
- IOCONTROL is modular, and capable of targeting devices from multiple manufacturers
American and Israeli critical infrastructure is being targeted by a dangerous new piece of malware, and the culprits seem to be Iranian.
Cybersecurity researchers Claroty obtained a sample of the malware, called IOCONTROL, from a compromised industrial system, and analyzed it.
An Iranian state-sponsored group known as CyberAv3ngers is suspected of having built and deployed IOCONTROL – and while it is not known by which methods the hackers managed to infect their victims with IOCONTROL, the targets seem to be Internet of Things (IoT) devices and OT/SCADA systems used in critical infrastructure organizations in above-mentioned countries.
Modular malware
The devices mostly targeted are routers, programmable logic controllers (PLC), human-machine interfaces (HMI), IP cameras, firewalls, and fuel management systems. In fact, it was a Gasboy fuel management system – the device’s payment terminal (OrPT) – from which a sample was extracted to begin with.
Claroty says the malware is modular, and can be used for data exfiltration, and possibly even service disruption. Some of the commands supported include exfiltrating detailed system information, running arbitrary OS commands, and scanning specified IP ranges and ports for other potential targets. The malware can apparently control pumps, payment terminals, and other peripherals.
IOCONTROL can be installed on D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics gear, it was added.
While the exact number of victims isn’t known, CyberAv3ngers told their followers on Telegram that they compromised 200 gas stations in Israel and the US, and Claroty believes the group isn’t exaggerating. The majority of the attacks happened late in 2023, although the researchers did spot new campaigns in mid-2024.
Iran’s state-sponsored threat actors are among the most active in the global cyber threat landscape, focusing on espionage, sabotage, and disinformation campaigns. Some of the most notable ones are APT33 (AKA Refined Kitten), APT34 (OilRig/Helix Kitten), MuddyWater (Static Kitten/Seedworm), and Charming Kitten (APT35/Phosphorus).
Via BleepingComputer