Despite their hacktivist front, CyberAv3ngers is a rare state-sponsored hacker group bent on putting industrial infrastructure at risk—and has already caused global disruption.
Analysis Summary
# Threat Actor: CyberAv3ngers
## Attribution & Identity
* **Identification:** Iranian state-sponsored hacking group, allegedly operated by members of Iran's Revolutionary Guard Corps (IRGC).
* **Aliases:** Tracked by Dragos under the name **Bauxite**.
* **Associations:** Considered to be operating in the context of the broader Iran-Israel cyber conflict, sometimes engaging in tit-for-tat activities with actors like Predatory Sparrow.
## Activity Summary
CyberAv3ngers is described as Iran's most active hackers focused on Industrial Control Systems (ICS) over the last year and a half. The group gained prominence after the October 7th Hamas attack, focusing operations against Israel before expanding globally.
* **Late 2023 Campaign (Unitronics Targeting):** Gained access to over 100 devices sold by Israeli firm Unitronics (used in water/wastewater). They defaced devices by changing their names to "Gaza," displaying their logo over a sinking Star of David, and rewriting the *ladder logic* (governing code). This disrupted service at water utilities in Israel and Ireland, and a brewery near Pittsburgh.
* **Gas Station/Utility Claims (2023):** Claimed to have hacked over 200 Israeli and US gas station digital systems (limited primarily to surveillance cameras) and caused blackouts at Israeli electric utilities (a claim deemed false by security firms).
* **US Targeting (April/May 2023):** Breached a US oil and gas firm by compromising their Sophos and Fortinet security appliances.
* **IOControl Campaign (Late 2023/Recent):** Infected a wide variety of ICS and IoT devices globally using custom malware to achieve persistent access for future disruption.
## Tactics, Techniques & Procedures
* **Techniques Related to ICS/SCADA:** Directly manipulating the functional code (*ladder logic*) of industrial control systems.
* **Vandalism/Defacement:** Displaying political messages and images on compromised HMI/control panels.
* **Supply Chain Compromise:** Targeting devices manufactured by a specific nation/company ("Every Equipment ‘Made In Israel’ Is Cyber Av3ngers Legal Target!").
* **Perimeter Compromise in OT Environments:** Breaching OT networks via sophisticated vulnerability exploitation on security appliances (Sophos, Fortinet).
* **Persistent Access/Backdoor Deployment:** Creating persistent access through custom, stealthy malware planted on diverse assets.
* **Protocol Evasion:** Hiding command-and-control communications within the MQTT protocol commonly used by IoT devices.
* **Information Operations:** Spreading propaganda and exaggerating the success of their attacks (e.g., claiming power outages).
## Targeting
* **Sectors:** Industrial Control Systems (ICS), Water Utilities, Wastewater Plants, Oil & Gas, Breweries, and general IT/IoT infrastructure.
* **Geography:** Israel, United States, Ireland, Europe, and Australia.
* **Victims:** Israeli-made Unitronics ICS users, a US oil and gas firm, water utilities (in multiple countries), and a brewery near Pittsburgh.
## Tools & Infrastructure
* **Malware Families Used:** **IOControl** (a Linux-based backdoor specifically designed for ICS/IoT devices, communicating via MQTT).
* **Infrastructure (C2, domains, IPs):** The FBI neutralized the command-and-control server associated with the IOControl malware in December (specific addresses not listed in the text).
* **Exploited Vendors/Appliances:** Sophos security appliances, Fortinet security appliances.
## Implications
The group's evolution signals a shift from hacktivist messaging toward becoming a persistent, state-sponsored cybersabotage threat actor capable of causing widespread, real-world physical disruption. Their success in deploying IOControl globally indicates an intent to establish "red buttons" for future, strategically timed disruptions against critical infrastructure in the US and allied nations, moving beyond merely targeting Israel.
## Mitigations
* **Network Segmentation:** Strict segmentation between IT and operational technology (OT) environments to prevent remote intrusion into ICS.
* **Supply Chain Risk Management:** Scrutinize devices sourced from geopolitical rivals, especially in critical infrastructure.
* **Incident Response Readiness:** Develop and regularly test incident response plans specifically for PLC/ICS logic manipulation, not just traditional endpoint compromise.
* **IoT/OT Monitoring:** Implement specialized security monitoring for IoT/ICS protocols (such as MQTT, which IOControl uses for command and control) to detect anomalous behavior or unauthorized software installation (like IOControl).
* **Patching/Hardening of Perimeter Devices:** Immediately patch and harden widely used security appliances (e.g., Fortinet, Sophos) used for remote access to OT networks.
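The "Protocol Evasion" technique above (command and control hidden inside MQTT) and the IoT/OT monitoring mitigation both come down to baselining what legitimate MQTT traffic looks like and alerting on departures from it. The following is an added example, not code from the report or from any vendor: it assumes a site logs MQTT sessions one per line in a constructed format, and that the OT team keeps an allowlist of brokers and a list of expected topic prefixes.

```python
"""Flag anomalous MQTT client activity in constructed OT network logs.
Assumed log format (not from the report), one event per line:
'<ts> <client_ip> <broker_host:port> <CONNECT|SUBSCRIBE|PUBLISH> <topic|-> <bytes>'
"""
from collections import defaultdict, namedtuple

ALLOWED_BROKERS = {"mqtt.plant.local:8883"}       # constructed site allowlist
EXPECTED_TOPIC_PREFIXES = ("plant/", "sensors/")   # constructed topic baseline
MAX_PAYLOAD_BYTES = 4096                           # telemetry is small; bulk blobs are not

# Constructed sample: pump1 behaves normally; the second device reaches an
# outside broker, uses a non-baseline topic and pushes an oversized payload.
SAMPLE_LOG = [
    "2024-01-10T03:12:44Z 10.20.1.15 mqtt.plant.local:8883 PUBLISH plant/pump1/telemetry 212",
    "2024-01-10T03:12:51Z 10.20.1.15 mqtt.plant.local:8883 SUBSCRIBE plant/pump1/cmd 0",
    "2024-01-10T03:13:02Z 10.20.1.22 203.0.113.45:1883 CONNECT - 0",
    "2024-01-10T03:13:03Z 10.20.1.22 203.0.113.45:1883 SUBSCRIBE devices/10.20.1.22/in 0",
    "2024-01-10T03:13:10Z 10.20.1.22 203.0.113.45:1883 PUBLISH devices/10.20.1.22/out 65536",
]

Finding = namedtuple("Finding", "client reason detail")

def parse_line(line: str) -> dict:
    ts, client, broker, action, topic, size = line.split()
    return {"ts": ts, "client": client, "broker": broker,
            "action": action, "topic": topic, "bytes": int(size)}

def analyze(lines) -> list:
    """Return one Finding per rule violation; a single line may trigger several."""
    findings = []
    for rec in map(parse_line, lines):
        if rec["broker"] not in ALLOWED_BROKERS:          # session to a non-site broker
            findings.append(Finding(rec["client"], "unknown-broker", rec["broker"]))
        if rec["action"] in ("PUBLISH", "SUBSCRIBE") and \
                not rec["topic"].startswith(EXPECTED_TOPIC_PREFIXES):
            findings.append(Finding(rec["client"], "unexpected-topic", rec["topic"]))
        if rec["bytes"] > MAX_PAYLOAD_BYTES:               # far larger than any telemetry
            findings.append(Finding(rec["client"], "oversized-payload", str(rec["bytes"])))
    return findings

def suspicious_clients(findings) -> dict:
    """Group reasons by client so an analyst sees one row per device to investigate."""
    by_client = defaultdict(set)
    for f in findings:
        by_client[f.client].add(f.reason)
    return {client: sorted(reasons) for client, reasons in by_client.items()}
```

In practice the allowlist and topic baseline should be generated from a known-good capture window rather than typed by hand, and a device that matches all three rules at once deserves an image of its filesystem before it is rebooted.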