Full Report
IOCONTROL, a custom-built IoT/OT malware, was used by Iran-affiliated groups to attack Israel- and US-based OT/IoT devices, according to Claroty
Analysis Summary
# Threat Actor: CyberAv3ngers (Attributed to Iran)
## Attribution & Identity
* **Primary Identification:** CyberAv3ngers.
* **Attribution:** Believed to be part of Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). This attribution is supported by US Department of the Treasury sanctions against six IRGC-CEC officials linked to the group, and a $10M bounty offered for information leading to the identification/location of those involved in their attacks.
## Activity Summary
* Researchers (Team82 at Claroty) discovered custom-built malware named **IOCONTROL** used by nation-state actors in a global cyber operation targeting Western IoT and OT devices.
* CyberAv3ngers is linked to the **Unitronics attack** in the fall of 2023.
* One campaign detailed in the report involved the compromise of several hundred Israel-made **Orpak Systems** and US-made **Gasboy fuel management systems** in both Israel and the US.
## Tactics, Techniques & Procedures
* **Malware Usage:** Deployment of custom-built malware named **IOCONTROL**, specifically designed to infect IoT and OT systems.
* **Impact:** Directly impacts OT platforms, including devices controlling physical processes such as fuel pumps at gas stations.
* **Targeted Systems:** Affects IoT, OT, and SCADA devices including IP cameras, routers, Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and firewalls.
## Targeting
* **Sectors:** Critical infrastructure, with an implied focus on energy/fuel systems (specifically fuel management systems).
* **Geography:** Israel and the US.
* **Victims:** Vendors whose devices were affected include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. Specifically targeted victim equipment included Orpak Systems and Gasboy fuel management systems.
## Tools & Infrastructure
* **Malware Families Used:** IOCONTROL (custom-built).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided text, other than discussion observed on the CyberAv3ngers Telegram channel regarding the Orpak attack.
## Implications
* This activity demonstrates a sustained and focused nation-state effort by Iranian actors to compromise industrial control systems and IoT components integrated within critical infrastructure in adversary nations.
* The generic, multi-vendor nature of the IOCONTROL malware suggests a broad operational reach across device vendors and potential operational impact on sectors relying on these devices (e.g., energy distribution, logistics).
## Mitigations
* Implement stringent security measures for all IoT and OT devices, including PLCs, HMIs, routers, and firewalls (vendors mentioned: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics).
* Monitor and secure fuel management systems (e.g., Orpak and Gasboy).
* Incident response plans should specifically account for successful intrusions into OT environments where malware like IOCONTROL is deployed.