Full Report
Researchers from Claroty’s Team82 arm have obtained a sample of a custom-built IoT/OT malware called IOCONTROL used by...

Source: "Iran-linked IOCONTROL malware targets critical IoT/OT infrastructure in Israel, US", Industrial Cyber.
Analysis Summary
# Threat Actor: CyberAv3ngers (Likely Nation-State Affiliated)
## Attribution & Identity
The threat actor is strongly associated with **Iran**. They are believed to be linked to the **Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC)**. The specific custom malware identified is **IOCONTROL**. This group has also been linked to the past **Unitronics attacks**.
## Activity Summary
IOCONTROL is described as a custom-built "cyberweapon" used by a nation-state against civilian **Critical Infrastructure (CI)**, specifically Western-made IoT and OT devices. The most significant wave of activity compromised several hundred **Israel-made Orpak Systems** and **U.S.-made Gasboy** fuel management systems located in Israel and the United States. Control of the attached payment terminals gave the attackers the ability to shut down fuel services and to harvest payment card data. The group has publicised these fuel-system compromises on Telegram.
## Tactics, Techniques & Procedures
- **Malware Development:** Utilizes a custom-built, modular malware framework (IOCONTROL) for embedded Linux-based devices, with each sample compiled for its specific target device.
- **Obfuscation/Stealth:** Employs modified **UPX packing** for the initial payload and uses **DNS over HTTPS (DoH)** to resolve its Command and Control (C2) domain, hiding the lookup from conventional DNS monitoring.
- **Persistence:** Establishes persistence by installing itself as a **daemon** that is started at boot.
- **Communication:** Communicates with C2 exclusively over **MQTT**, a lightweight publish/subscribe protocol common in IoT deployments, wrapped in TLS.
- **Configuration Management:** Stores its configuration in an encrypted section of the binary and decrypts it with **AES-256-CBC** only when needed, so the plaintext configuration spends as little time in memory as possible. The decryption key and IV are derived from a GUID stored in the binary.
- **Capabilities:** Supports a small command set: arbitrary command execution, self-deletion, and port scanning of a supplied IP range to find further targets for lateral movement.
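As an added example (not code from the original report or from Claroty), the configuration-decryption step described above implemented in Go: AES-256-CBC with a key and IV derived from a GUID. The page does not give the actual derivation, so SHA-256 of the GUID for the key and SHA-256 of the GUID plus a fixed suffix for the IV are assumptions, as are the GUID value and the configuration string; the strict PKCS#7 padding check is what tells an analyst that a candidate GUID or derivation is wrong, instead of handing back garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKeyIV stands in for the "key/IV derived from a stored GUID" step.
// The page does not give the real derivation, so this example ASSUMES
// key = SHA-256(GUID) and IV = first 16 bytes of SHA-256(GUID || "iv").
// Swap in the actual derivation once it is known from analysis.
func deriveKeyIV(guid string) (key, iv []byte) {
	k := sha256.Sum256([]byte(guid))
	i := sha256.Sum256([]byte(guid + "iv"))
	return k[:], i[:aes.BlockSize]
}

// pkcs7Unpad strips PKCS#7 padding and refuses malformed padding, so a wrong
// key or a corrupted blob is reported instead of being returned as config.
func pkcs7Unpad(buf []byte) ([]byte, error) {
	if len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return nil, errors.New("buffer is not block aligned")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || n > len(buf) {
		return nil, errors.New("bad padding length")
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return buf[:len(buf)-n], nil
}

// decryptConfig decrypts an AES-256-CBC configuration blob with the key/IV
// derived from guid. Callers should wipe the plaintext once parsed, mirroring
// the malware's own habit of keeping decrypted config in memory only briefly.
func decryptConfig(guid string, blob []byte) ([]byte, error) {
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block aligned")
	}
	key, iv := deriveKeyIV(guid)
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	return pkcs7Unpad(out)
}

// encryptConfig exists only to build a constructed sample blob for this demo;
// a real sample ships its configuration already encrypted.
func encryptConfig(guid string, plain []byte) []byte {
	key, iv := deriveKeyIV(guid)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// wipe zeroes a plaintext buffer after use.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	guid := "11111111-2222-3333-4444-555555555555"                       // constructed, not a real IOC
	cfg := []byte("broker=c2.example.invalid;port=8883;topic=dev/out") // constructed config
	blob := encryptConfig(guid, cfg)

	plain, err := decryptConfig(guid, blob)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)
	wipe(plain)

	// Corrupting the next-to-last ciphertext block flips bits in the final
	// plaintext block, so the padding byte becomes >16 and is rejected.
	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-aes.BlockSize-1] ^= 0x80
	_, err = decryptConfig(guid, tampered)
	fmt.Println("tampered blob:", err)
}
```

When a candidate derivation is wrong, the failure surfaces as a padding error on the last block; a derivation that decrypts to valid padding and printable key=value text is the signal that the GUID-to-key assumption matches the sample.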
## Targeting
- **Sectors:** Civilian **Critical Infrastructure (CI)**, with a focus on **Industrial Control Systems (ICS)** and **IoT/OT environments**; **fuel management systems** are the confirmed target class.
- **Geography:** **Israel** and the **United States**.
- **Victims:** Device classes include **IP cameras, routers, PLCs, HMIs, and firewalls**; affected vendors include **Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics**. The specifically named victims were **Orpak Systems** and **Gasboy** fuel management platforms (including the OrPT payment terminal component).
## Tools & Infrastructure
- **Malware Families Used:** **IOCONTROL**
- **Infrastructure (C2, domains, IPs):** None listed in this summary. C2 domain resolution is hidden behind **DNS over HTTPS (DoH)**, and the C2 channel itself runs over **MQTT** protected by TLS.
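An added detection example, not from the original page, showing the network-side check that the DoH-plus-MQTT channel above invites (it is also the MQTT/DoH anomaly check the Mitigations section asks for): flow records from an OT segment are scanned for DoH use, for MQTT sessions to brokers outside an allowlist, and for MQTT sessions with no preceding cleartext DNS lookup, which is what hidden resolution looks like from the wire. The flow records, the OT CIDR and the broker allowlist are constructed for the example; the DoH resolver addresses and names and the MQTT ports (1883 cleartext, 8883 MQTT over TLS) are the standard ones.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Flow is one connection record as a flow collector or NTA sensor exports it.
type Flow struct {
	T       int64  // epoch seconds
	Src     string // source IP
	Dst     string // destination IP
	Proto   string // "tcp" or "udp"
	DstPort int
	SNI     string // TLS server name, if the sensor extracted one
}

// Alert is one finding attributed to an OT-segment host.
type Alert struct {
	Host   string
	Reason string
}

// Public DoH endpoints (Cloudflare and Google). Extend from your own inventory.
var dohResolvers = map[string]bool{"1.1.1.1": true, "1.0.0.1": true, "8.8.8.8": true, "8.8.4.4": true}
var dohNames = map[string]bool{"cloudflare-dns.com": true, "dns.google": true}

// Standard MQTT ports: 1883 cleartext, 8883 MQTT over TLS.
var mqttPorts = map[int]bool{1883: true, 8883: true}

// dnsWindow is how long (seconds) a cleartext DNS lookup "explains" a later connection.
const dnsWindow = 300

func inNets(ip string, nets []*net.IPNet) bool {
	p := net.ParseIP(ip)
	for _, n := range nets {
		if n.Contains(p) {
			return true
		}
	}
	return false
}

// Analyze walks flows from OT-segment hosts (otCIDRs) and raises alerts for
// DoH use, for MQTT sessions to brokers outside the allowlist, and for the
// combination of the two, which is the C2 pattern described on this page.
func Analyze(flows []Flow, otCIDRs []string, allowedBrokers map[string]bool) []Alert {
	var nets []*net.IPNet
	for _, c := range otCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	sort.SliceStable(flows, func(i, j int) bool { return flows[i].T < flows[j].T })

	lastDNS := map[string]int64{} // host -> time of last cleartext DNS query
	sawDoH := map[string]bool{}
	var alerts []Alert
	for _, f := range flows {
		if !inNets(f.Src, nets) {
			continue
		}
		switch {
		case f.Proto == "udp" && f.DstPort == 53:
			lastDNS[f.Src] = f.T
		case f.Proto == "tcp" && f.DstPort == 443 && (dohResolvers[f.Dst] || dohNames[f.SNI]):
			sawDoH[f.Src] = true
			alerts = append(alerts, Alert{f.Src, "DNS-over-HTTPS to " + f.Dst + " from an OT host"})
		case f.Proto == "tcp" && mqttPorts[f.DstPort] && !allowedBrokers[f.Dst]:
			reason := fmt.Sprintf("MQTT session to unapproved broker %s:%d", f.Dst, f.DstPort)
			if t, ok := lastDNS[f.Src]; !ok || f.T-t > dnsWindow {
				reason += ", no recent cleartext DNS lookup"
			}
			if sawDoH[f.Src] {
				reason += ", preceded by DoH (IOCONTROL-like C2 pattern)"
			}
			alerts = append(alerts, Alert{f.Src, reason})
		}
	}
	return alerts
}

// SampleFlows is a constructed set of records: an HMI talking to the site
// broker normally, and a camera using DoH then MQTT/TLS to an outside host.
func SampleFlows() []Flow {
	return []Flow{
		{T: 1000, Src: "10.10.5.40", Dst: "10.10.1.2", Proto: "udp", DstPort: 53},
		{T: 1001, Src: "10.10.5.40", Dst: "10.10.1.50", Proto: "tcp", DstPort: 8883},
		{T: 1200, Src: "10.10.5.31", Dst: "1.1.1.1", Proto: "tcp", DstPort: 443, SNI: "cloudflare-dns.com"},
		{T: 1203, Src: "10.10.5.31", Dst: "203.0.113.45", Proto: "tcp", DstPort: 8883},
		{T: 1300, Src: "192.168.9.9", Dst: "203.0.113.45", Proto: "tcp", DstPort: 8883}, // not an OT host, ignored
	}
}

func main() {
	alerts := Analyze(SampleFlows(), []string{"10.10.5.0/24"}, map[string]bool{"10.10.1.50": true})
	for _, a := range alerts {
		fmt.Printf("%s: %s\n", a.Host, a.Reason)
	}
}
```

The broker allowlist is the important tuning knob: MQTT is legitimate in many OT environments, so the alert is about an OT host opening MQTT to a broker nobody approved, not about MQTT itself.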
## Implications
This actor represents a nation-state threat actively running geopolitical cyber operations that extend conflict into the physical domain via operational technology. Its focus on widely deployed commercial IoT/OT components suggests it is exploiting common weaknesses or supply-chain access points across multiple international critical infrastructure targets (fuel systems, and the water treatment systems hit in the earlier Unitronics attacks). The US Treasury has sanctioned associated IRGC-CEC officials, and a US government reward of up to $10 million USD has been offered for information on them, underscoring the severity of the threat.
## Mitigations
- Inventory, monitor and harden all **IoT/OT devices**, including IP cameras, routers, PLCs, and HMIs, especially those running embedded Linux.
- Isolate or rigorously segment Operational Technology networks from enterprise networks and from the internet.
- Implement Network Traffic Analysis (NTA) capable of flagging **MQTT** sessions from devices that have no business need for them, and DoH or other encrypted-resolver use from OT segments.
- Review boot-time hooks (init scripts, rc*.d entries, systemd units) for daemons that are not part of the firmware image, since that is how this malware persists.
- Enforce strong authentication, encrypted management channels and strict exposure limits on fuel management systems and payment terminals.
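To make the daemon-persistence review concrete (the **Persistence** TTP above and the configuration-review mitigation), an added example in Go that is not from the original page: it collects boot-time hooks from an embedded Linux device and flags rc*.d entries that are regular files instead of symlinks into /etc/init.d, hooks modified after the firmware build date, and unknown hooks that launch binaries from writable paths. The sample entries, the baseline date, the writable-path list and the known-hook manifest are constructed for the example and must be replaced with the device's own firmware manifest.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Entry describes one boot-time hook (SysV rc script, init.d script or
// systemd unit) as collected from the device.
type Entry struct {
	Path    string
	IsLink  bool // rcN.d entries are normally symlinks into /etc/init.d
	ModTime time.Time
	Content string // script/unit text, empty if unreadable
}

// Finding is one suspicious property of an entry.
type Finding struct {
	Path   string
	Reason string
}

// Launching something from a writable, non-packaged location is a classic
// sign of a dropped daemon. The path list is an assumption; adjust per device.
var writableExec = regexp.MustCompile(`(/tmp|/var/tmp|/dev/shm|/data|/mnt)/\S+`)

// Review applies three checks to every entry: (1) rc*.d entries that are
// regular files instead of symlinks, (2) entries newer than the firmware
// baseline (build time of the image flashed to the device, supplied by you),
// (3) entries absent from the known-good manifest that execute binaries from
// writable paths.
func Review(entries []Entry, baseline time.Time, known map[string]bool) []Finding {
	var out []Finding
	for _, e := range entries {
		name := filepath.Base(e.Path)
		dir := filepath.Base(filepath.Dir(e.Path))
		if strings.HasPrefix(dir, "rc") && strings.HasSuffix(dir, ".d") && !e.IsLink {
			out = append(out, Finding{e.Path, "regular file in " + dir + " (expected symlink into /etc/init.d)"})
		}
		if e.ModTime.After(baseline) {
			out = append(out, Finding{e.Path, "modified after firmware baseline (" + e.ModTime.UTC().Format(time.RFC3339) + ")"})
		}
		if !known[name] {
			if m := writableExec.FindString(e.Content); m != "" {
				out = append(out, Finding{e.Path, "unknown hook executes " + m + " from a writable path"})
			}
		}
	}
	return out
}

// Collect reads the live system's boot hooks; run it on the device or against
// a mounted firmware image.
func Collect() []Entry {
	var entries []Entry
	for _, pat := range []string{"/etc/rc*.d/*", "/etc/init.d/*", "/etc/systemd/system/*.service"} {
		paths, _ := filepath.Glob(pat)
		for _, p := range paths {
			fi, err := os.Lstat(p)
			if err != nil {
				continue
			}
			body, _ := os.ReadFile(p) // follows symlinks; empty on error
			entries = append(entries, Entry{
				Path:    p,
				IsLink:  fi.Mode()&os.ModeSymlink != 0,
				ModTime: fi.ModTime(),
				Content: string(body),
			})
		}
	}
	return entries
}

// SampleEntries is constructed data standing in for a collected device: a
// packaged service and a dropped startup script that restarts a binary
// living in a writable directory.
func SampleEntries() []Entry {
	return []Entry{
		{Path: "/etc/rc3.d/S20networking", IsLink: true, ModTime: time.Date(2022, 6, 1, 0, 0, 0, 0, time.UTC), Content: "#!/bin/sh\n/etc/init.d/networking start\n"},
		{Path: "/etc/rc3.d/S93sysd", IsLink: false, ModTime: time.Date(2024, 10, 2, 3, 4, 5, 0, time.UTC), Content: "#!/bin/sh\nnohup /data/.cache/sysd -d &\n"},
	}
}

func main() {
	baseline := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC) // firmware build time (assumed)
	known := map[string]bool{"S20networking": true, "networking": true}
	entries := SampleEntries() // on a real device: entries := Collect()
	for _, f := range Review(entries, baseline, known) {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```

The manifest check is deliberately name-based so it works on devices without a package manager; on such systems the firmware image itself is the only trustworthy source of "what should be here".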