Full Report
Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States. The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable
Analysis Summary
# Threat Actor: Iran-Linked Actor utilizing IOCONTROL Malware
## Attribution & Identity
* **Primary Attribution:** Iran-affiliated threat actors.
* **Known Aliases/Associated Groups:** The article notes a sample of the malware was found in an environment previously compromised by the hacking group **Cyber Av3ngers**.
## Activity Summary
* The actor is deploying a new, custom malware named **IOCONTROL**.
* The malware is specifically engineered to attack IoT (Internet of Things) and OT (Operational Technology) environments, including SCADA devices.
* Activity has been observed targeting critical infrastructure in **Israel and the United States**.
* The malware was found embedded within a **Gasboy fuel management system's Payment Terminal (OrPT)**.
* The ultimate goal of the infection chain is to deploy a persistent backdoor that executes automatically upon device restart.
## Tactics, Techniques & Procedures
* The malware is custom-built but uses a **modular configuration** that lets it run on a variety of vendor platforms.
* Uses the **MQTT messaging protocol** for Command and Control (C2) communication to disguise malicious traffic.
* Installs a **backdoor** that remains persistent across device restarts.
* Implied capability to disrupt fuel services and steal customer credit card information via compromise of the Gasboy/Orpak systems.
* This malware is noted as the tenth malware family built specifically to target ICS, following earlier variants such as Stuxnet and Triton.
* *No specific MITRE ATT&CK IDs were provided in the source text.*
## Targeting
* **Sectors:** Critical infrastructure, Operational Technology (OT), Industrial Control Systems (ICS), SCADA environments, Fuel management systems (Gasboy/Orpak).
* **Geography:** Israel and the United States.
* **Victims:** Specific mentions include **Gasboy fuel management systems** and **Orpak systems**. Targeted device classes include IP cameras, routers, PLCs (Programmable Logic Controllers), HMIs (Human-Machine Interfaces), and firewalls (Linux-based IoT/OT platforms).
## Tools & Infrastructure
* **Malware Families Used:** **IOCONTROL** (custom malware).
* **Infrastructure (C2, domains, IPs):** The article mentions the use of the **MQTT protocol** for communications, suggesting C2 channels rely on MQTT brokers or servers.
* Sample SHA-256 file hash mentioned in the source: `1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498` (this is a file hash, not infrastructure).
## Implications
* IOCONTROL represents a significant cyberweapon likely developed or leveraged by a nation-state aimed at disrupting civilian critical infrastructure.
* The targeting of fuel management systems poses risks of operational downtime and financial fraud (credit card theft).
* The use of the MQTT protocol suggests an attempt to blend malicious communications with legitimate IoT network traffic, increasing detection difficulty.
* The cross-platform nature (modular configuration on various Linux-based IoT/OT platforms) increases the breadth of potential targets.
## Mitigations
* Implement specific monitoring and security controls for **MQTT traffic** to detect and block anomalous communications.
* Ensure segmentation and isolation of sensitive **ICS/SCADA networks** from general IT networks.
* Focus defense strategies specifically on hardening **Linux-based IoT/OT platforms, PLCs, and HMIs**.
* Review security surrounding peripheral management systems like **fuel management systems (Gasboy/Orpak)** for embedded malware persistence mechanisms.
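The first two mitigations above (monitoring MQTT traffic and keeping OT segments isolated) can be combined into one check: parse the MQTT CONNECT handshake seen on the wire and flag any OT device that opens a session to a broker outside a sanctioned allowlist or outside its own segment. The block below is an added illustration, not code from Claroty, the source article, or the IOCONTROL sample; the allowlisted broker, the OT address range, the device names, and the packets themselves are all constructed for the example. It parses MQTT 3.1.1 CONNECT packets directly (fixed header, variable remaining-length field, protocol name, level, flags, keep-alive and client identifier), so it also catches sessions on non-standard ports that a port-based rule would miss.

```python
"""
Added example (not from the Claroty report or the source article): parse MQTT
CONNECT packets captured from OT segments and flag sessions that do not match an
allowlist of sanctioned brokers. Sample packets, device names and broker
addresses below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# Constructed allowlist: the only broker OT devices are permitted to talk to.
ALLOWED_BROKERS = {ipaddress.ip_address("10.20.0.5")}
# Constructed OT address space; an MQTT session leaving it is suspicious.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class MqttConnect:
    protocol_name: str
    protocol_level: int
    clean_session: bool
    keep_alive: int
    client_id: str


def _decode_remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode MQTT's variable-length 'remaining length' field (1 to 4 bytes)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def parse_connect(packet: bytes) -> MqttConnect | None:
    """Return the CONNECT fields if `packet` is an MQTT 3.1.1 CONNECT, else None."""
    if len(packet) < 2 or packet[0] >> 4 != 1:  # control packet type 1 = CONNECT
        return None
    remaining, pos = _decode_remaining_length(packet, 1)
    if len(packet) - pos < remaining:
        return None  # truncated capture; do not guess
    name_len = struct.unpack_from(">H", packet, pos)[0]
    pos += 2
    name = packet[pos:pos + name_len].decode("utf-8", "replace")
    pos += name_len
    level, flags, keep_alive = struct.unpack_from(">BBH", packet, pos)
    pos += 4
    cid_len = struct.unpack_from(">H", packet, pos)[0]
    pos += 2
    client_id = packet[pos:pos + cid_len].decode("utf-8", "replace")
    return MqttConnect(name, level, bool(flags & 0x02), keep_alive, client_id)


def build_connect(client_id: str, keep_alive: int = 60) -> bytes:
    """Build a minimal MQTT 3.1.1 CONNECT packet; used only to construct samples."""
    cid = client_id.encode()
    payload = b"\x00\x04MQTT" + bytes([4, 0x02]) + struct.pack(">H", keep_alive)
    payload += struct.pack(">H", len(cid)) + cid
    assert len(payload) < 128, "single-byte remaining length is enough for samples"
    return bytes([0x10, len(payload)]) + payload


def assess_session(src_ip: str, dst_ip: str, packet: bytes) -> list[str]:
    """Return reasons a session is suspicious; an empty list means it looks sanctioned."""
    connect = parse_connect(packet)
    if connect is None:
        return []  # not an MQTT CONNECT, nothing to judge here
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    reasons = []
    if dst not in ALLOWED_BROKERS:
        reasons.append(f"broker {dst} not on allowlist")
    if any(src in n for n in OT_NETWORKS) and not any(dst in n for n in OT_NETWORKS):
        reasons.append("OT device opened MQTT session outside the OT segment")
    if connect.protocol_name != "MQTT":
        reasons.append(f"unexpected protocol name {connect.protocol_name!r}")
    return reasons


# Constructed sessions: one to the sanctioned broker, one to an unknown external host.
SAMPLE_SESSIONS = [
    ("10.20.1.7", "10.20.0.5", build_connect("hmi-line3")),
    ("10.20.1.9", "203.0.113.44", build_connect("dev-a1b2c3")),
]

if __name__ == "__main__":
    for src, dst, pkt in SAMPLE_SESSIONS:
        print(src, "->", dst, assess_session(src, dst, pkt) or ["ok"])
```

In practice the allowlist and OT ranges would come from the asset inventory, and the packets from a sensor on the OT/IT boundary; the point of parsing the CONNECT rather than matching on TCP port 1883 is that a C2 channel which merely borrows the MQTT framing can sit on any port, while the client identifier and broker address in the handshake still give the analyst something concrete to pivot on.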