Iran-linked crew used custom 'cyberweapon' in US critical infrastructure attacks

IOCONTROL targets IoT and OT devices from a ton of makers, apparently


An Iranian government-linked cybercriminal crew used custom malware called IOCONTROL to attack and remotely control US and Israel-based water and fuel management systems, according to security researchers.

While IOCONTROL is a custom-built backdoor for hijacking IoT devices, it also has a "direct impact" on operational technology (OT) including fuel pumps used in gas stations, according to Claroty's Team82.

The threat intel group analyzed a sample deployed on a Gasboy fuel management system during an attack attributed to CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group. The malware was embedded in Gasboy's Payment Terminal, called OrPT, which means that the attackers could have fully shut down fuel services and potentially stolen customers' payment information, or so we're told.

"We've assessed that IOCONTROL is a cyberweapon used by a nation-state to attack civilian critical infrastructure," Team82 asserted in a December 10 report. 

Affected devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms made by Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and other vendors.

The FBI and other federal agencies last December blamed CyberAv3ngers for "multiple" attacks against Unitronics PLCs used in water and other critical infrastructure systems across the US. At the time, the Feds only mentioned the crew was targeting Israel-made devices in US facilities.

Team82's research suggests the scope extended beyond that. One of the attacks compromised "several hundred" fuel management devices made by Orpak Systems and Gasboy in America and Israel, according to the security shop. Orpak gear is made in Israel, while Gasboy is made in the US. 

CyberAv3ngers previously bragged on its Telegram channel about attacking 200 gas stations in Israel and the US by targeting Orpak systems. 

While this particular wave of attacks spanned mid-October 2023 to late January 2024, the IOCONTROL sample that Team82 obtained from VirusTotal indicated that the Iranian gang launched another campaign in July and August that hit multiple IoT and Supervisory Control and Data Acquisition (SCADA) systems.

The malware uses the MQTT IoT messaging protocol for communications. This apparently makes it easier for the attackers to disguise malicious traffic to and from their command-and-control (C2) infrastructure. 

It also uses Cloudflare's DNS over HTTPS (DoH) service to resolve hostnames to IP addresses, a further aid to evading detection. Instead of sending a clear-text DNS request, "they used an encrypted protocol (HTTPS), meaning that even if a network tap exists, the traffic is encrypted so they won't be discovered," Team82 wrote.
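The two evasion traits described in the last two paragraphs, MQTT for C2 and DoH instead of clear-text DNS, are both visible in network metadata even when the payload is encrypted. The script below is an added example, not code from Team82 or from the malware sample: it runs a triage rule over constructed connection records shaped loosely like Zeek conn.log joined with ssl.log. The Cloudflare DoH endpoint name and addresses are public facts; the other resolvers, the default MQTT ports, the OT subnet and every sample flow are assumptions for illustration, and the report excerpted here does not say which port IOCONTROL's broker used.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Public DoH resolvers. Cloudflare (cloudflare-dns.com, 1.1.1.1 / 1.0.0.1) is the
# one Team82 names; Google and Quad9 are added so the rule generalises (assumption).
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one", "dns.google", "dns.quad9.net"}
DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}

# Default MQTT ports, plain and over TLS. Assumption: the report does not give
# the port IOCONTROL's broker listened on.
MQTT_PORTS = {1883, 8883}

# Constructed network plan: the OT/IoT segment, and what counts as "internal".
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One connection, roughly the fields Zeek's conn.log joined with ssl.log provide."""
    uid: str
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    sni: str = ""    # TLS server_name if the handshake exposed one, else ""


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify(flow: Flow) -> List[str]:
    """Return detection tags for one flow; an empty list means nothing to report."""
    tags: List[str] = []
    # Scope: OT-segment sources reaching non-internal destinations. MQTT to an
    # internal broker and queries to the internal resolver are normal plant traffic.
    if not _in_any(flow.src, OT_NETS) or _in_any(flow.dst, INTERNAL_NETS):
        return tags
    # DoH: match on SNI when visible, fall back to the resolver address when it is not.
    if flow.sni in DOH_SNI or (flow.dport == 443 and flow.dst in DOH_IPS):
        tags.append("doh-from-ot")
    if flow.proto == "tcp" and flow.dport in MQTT_PORTS:
        tags.append("mqtt-egress-from-ot")
    return tags


def triage(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Map flow uid -> tags for every flow that tripped at least one rule."""
    return {f.uid: tags for f in flows if (tags := classify(f))}


def hosts_with_both(flows: Iterable[Flow]) -> Set[str]:
    """Sources showing both traits; the combination is the pattern described in the report."""
    seen: Dict[str, Set[str]] = {}
    for f in flows:
        for tag in classify(f):
            seen.setdefault(f.src, set()).add(tag)
    return {src for src, tags in seen.items() if {"doh-from-ot", "mqtt-egress-from-ot"} <= tags}


# Constructed sample traffic (203.0.113.0/24 and example.net are documentation ranges).
SAMPLE_FLOWS = [
    Flow("C1", "10.20.5.17", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),      # OT device -> Cloudflare DoH
    Flow("C2", "10.20.5.17", "203.0.113.7", 8883, "tcp", "broker.example.net"),  # same device -> external MQTT/TLS
    Flow("C3", "10.20.5.42", "203.0.113.9", 1883, "tcp"),                       # another device -> plaintext MQTT
    Flow("C4", "10.20.5.17", "10.20.1.10", 502, "tcp"),                         # Modbus to internal HMI: normal
    Flow("C5", "192.168.1.50", "1.1.1.1", 443, "tcp", "cloudflare-dns.com"),    # office PC using DoH: out of scope
    Flow("C6", "10.20.5.42", "10.20.1.53", 53, "udp"),                          # internal DNS: normal
    Flow("C7", "10.20.5.17", "1.0.0.1", 443, "tcp"),                             # DoH with SNI hidden: IP match
]

if __name__ == "__main__":
    for uid, tags in triage(SAMPLE_FLOWS).items():
        print(uid, ",".join(tags))
    print("hosts showing both traits:", sorted(hosts_with_both(SAMPLE_FLOWS)))
```

Scoping the rule to the OT segment is what keeps it usable: office machines using DoH are common, and MQTT to an in-plant broker is ordinary traffic, so the signal is an IoT/OT device reaching an external resolver or broker on its own, and the strongest indicator is a single host doing both. The DoH check falls back to the resolver address because the SNI is not always recoverable from the handshake.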

Before connecting to the C2 infrastructure to receive its instructions, IOCONTROL drops a backdoor on the infected device, allowing its masterminds to maintain control over the equipment. Commands that can be issued to the malware include arbitrary code execution, self-delete, and port scan, among others.

"This functionality is enough to control remote IoT devices and perform lateral movement if needed," the researchers noted. ®
