Full Report
The U.S. State Department said it is looking for information on hackers linked to Iran's Islamic Revolutionary Guard Corps.
Analysis Summary
# Threat Actor: CyberAv3ngers
## Attribution & Identity
* **Attribution:** Law enforcement agencies tied CyberAv3ngers to Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
* **Known Aliases/Affiliations:** Associated with the online persona **Mr. Soul** (also rendered **Mr. Soll**). The source also names individual government hackers allegedly behind the effort.
## Activity Summary
CyberAv3ngers gained prominence in 2023 and 2024 for a string of cyberattacks primarily targeting water utilities in the U.S. and Israel. They have launched malicious cyber activities against U.S. critical infrastructure on behalf of the IRGC-CEC. Members have boasted about compromises on Telegram. The activity is noted to be persistent and aggressive, with potential escalation against U.S. targets due to the widening military conflict between Israel and Iran.
## Tactics, Techniques & Procedures
* **Specific TTPs:** Used malware to target Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) devices. The malware lets the operators remotely control infected devices and move laterally within a victim's environment.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the text.
## Targeting
* **Sectors:** Critical Infrastructure, specifically Water Utilities. Also targeted Industrial Control Systems/SCADA devices.
* **Geography:** United States and Israel.
* **Victims:** Water utilities; devices from vendors including Unitronics, D-Link, Hikvision, and Baicells were reportedly attacked. One analyzed sample was taken from a widely used gas station management system.
## Tools & Infrastructure
* **Malware Families Used:** **IOCONTROL** (also previously seen under other names).
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the source; the group is known to boast about compromises on Telegram.
## Implications
CyberAv3ngers represents a serious threat to operational technology (OT) environments globally, particularly ICS/SCADA systems vital for critical infrastructure. The group's direct affiliation with the IRGC-CEC and the backdrop of geopolitical conflict suggest a high likelihood of increased, prioritized targeting against U.S. critical infrastructure, potentially shifting focus from espionage to destructive or disruptive operations.
## Mitigations
* No explicit, specific mitigation recommendations were provided in the source text, beyond the general focus on defending ICS/SCADA systems against the known malware.