Iranian Malware Linked to Recent Attacks on US and Israeli Infrastructure

A recent discovery has brought to light a malware sample extracted from a fuel management system, allegedly compromised by a cyber group linked to the Iranian CyberAv3ngers. This group is believed to be the same entity behind the previous year’s attacks on Unitronics devices, which targeted U.S. and Israeli water systems.

The Claroty Team82 research group reported on December 10th that the malware — identified as IOCONTROL — is part of a global cyber operation targeting a wide array of Western Internet of Things (IoT) and Operational Technology (OT) devices. These devices are commonly deployed across water systems and gas stations. The affected devices span a range of technologies, including IP cameras, routers, programmable logic controllers, human-machine interfaces, and firewalls. Specifically, they are based on Linux IoT/OT platforms from various vendors, including Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

Claroty suggests that the CyberAv3ngers are linked to the Islamic Revolution Guard Corps Electronic Command. The group has been notably active on Telegram, circulating screenshots and disseminating information about recent fuel system compromises.

“The use of IOCONTROL by Iranian-affiliated CyberAv3ngers highlights a calculated move to enhance the impact and adaptability of cyberattacks on critical infrastructure,” stated Callie Guenther, a senior manager for cyber threat research at Critical Start. She emphasized that the malware’s modular design allows it to target a broad spectrum of devices across various manufacturers, marking a shift from single-system malware to more extensive, cross-platform threats.

Guenther, who also writes a column for SC Media, noted that Iranian threat actors have historically focused on critical infrastructure, which plays a significant role in geopolitical conflicts. The activities of CyberAv3ngers are aligned with past campaigns, such as the 2020 strikes on Israel’s water systems, aimed at disrupting crucial resources through asymmetric cyber capabilities. She added that their ongoing focus on systems related to water, energy, and fuel resources demonstrates a clear intent to exploit vulnerabilities in sectors that are vital for societal stability.

John Bambenek, president at Bambenek Consulting, pointed out that while the components of an IoT system are quite diverse, they often run on one of several Linux flavors. This shared base enables attackers to design malware that is compatible with a wide array of Linux devices while retaining enough modularity to meet the specific functionality requirements of individual devices.

“The attackers are putting substantial thought and time into executing these attacks effectively and at scale, which is extremely concerning,” warned Bambenek. “Although many of these devices are useful primarily for data theft or espionage, such as network devices or IP cameras, programmable logic controllers (PLCs) serve as a bridge to influence real-world outcomes from cyberspace.”

NSA cybersecurity expert Evan Dornbush noted that the attackers have taken some nontrivial steps to avoid detection, suggesting extensive experience in cyber operations. Dornbush theorized that a seasoned attacker who uses the same implant across all of its targets either feels confident in evading detection or is indifferent to being discovered.

“Why should they care?” questioned Dornbush. “Even as the code is detected and signatures implemented, eliminating all infections is a daunting task. When was the last time you patched your IP camera or router? Is the average gas pump attendant updating firmware?”

Dornbush concluded by highlighting the underlying issue: “Products continue to ship with vulnerabilities, and attackers are increasingly exploiting them, leading to significant economic consequences. The cost of a cleanup operation here is substantial compared to the expense of exploitation. These attackers are likely to refine the malware further to evade future detection, establish new command-and-control infrastructures, and renew their efforts, simply because attacking is inexpensive while defending is costly.”
