Full Report
The U.S. Department of State is offering up to US$10 million for information on a hacker operating under... The post US offers $10 million for intel on Iran-linked hacker in ICS malware campaign against critical infrastructure appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: CyberAv3ngers (Linked to IRGC)
## Attribution & Identity
The threat actor is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Cyber-Electronic Command (IRGC-CEC) and the IRGC-Quds Force. The actor is associated with the alias **‘Mr. Soul’** (also rendered **‘Mr. Soll’**). Six individuals have been charged in connection with this campaign: Hamid Homayunfal, Hamid Reza Lashgarian (identified as the head of IRGC-CEC and a commander in the IRGC-Quds Force), Mahdi Lashgarian, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.
## Activity Summary
The group is linked to a cyber campaign deploying ICS malware against critical infrastructure globally. The U.S. Department of State is offering up to $10 million for information leading to the identification or location of members of this actor group.
## Tactics, Techniques & Procedures
- Deployment of customized malware specifically designed to compromise Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices.
- Targeting of core operational technology components.
- No specific MITRE ATT&CK tactic or technique IDs were provided in the source text; only the impact area (ICS/SCADA compromise) is described.
## Targeting
- Sectors: Critical Infrastructure, including industrial control systems providers/operators.
- Geography: Worldwide (implied by the global deployment of the malware).
- Victims: Vendors of ICS/SCADA systems and potentially operators of critical infrastructure. No specific organizations were named beyond the industry scope.
## Tools & Infrastructure
- Malware families used: **IOCONTROL** (described as a cyberweapon).
- Infrastructure (C2, domains, IPs): Not specified in the article.
## Implications
This is a significant Iranian state-sponsored (IRGC) threat actor targeting sensitive Industrial Control Systems worldwide. The use of specialized malware such as IOCONTROL demonstrates a clear intent to disrupt, or cause physical damage to, operational technology environments, consistent with state-level disruptive and potentially kinetic cyber operations.
## Mitigations
- Focus security efforts on hardening ICS/SCADA devices, including routers, PLCs, HMIs, firewalls, and Linux-based IoT/OT platforms against specialized malware.
- Review security posture against guidance published by entities such as CISA concerning Iranian state-sponsored activity targeting OT.