New OT/IoT Cyberweapon


Claroty's Team82 has uncovered a sophisticated cyberweapon, dubbed IOCONTROL, employed by Iran-affiliated threat actors to target IoT and OT devices in Israel and the United States.

IOCONTROL is a custom-built malware designed to infiltrate a wide range of devices, including IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), and firewalls. Notably affected vendors include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.

The malware operates as a Linux-based backdoor with a generic, modular configuration, which lets the same payload run on devices from different vendors and execute commands from its operators. For command-and-control it uses MQTT, a lightweight publish/subscribe messaging protocol that IoT devices commonly use for telemetry, so traffic between compromised devices and the attackers' infrastructure blends in with legitimate device communication.
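The practical consequence of C2 over MQTT is that the broker session looks like ordinary device telemetry and, on the MQTT-over-TLS port 8883, carries no inspectable payload, so detection has to rest on flow metadata: which asset is speaking MQTT, and to whom. The script below is an added example, not code from Claroty's Team82 or the report. It runs that check over constructed Zeek-style connection records; the asset inventory, internal address ranges, allowlisted broker and log lines are all assumptions made up for the illustration.

```python
"""Flag outbound MQTT from OT/IoT assets to brokers not on the site allowlist.

Added example, not code from Claroty/Team82 or the IOCONTROL report. The log
format, asset inventory, internal ranges and allowlist are all constructed.
"""
from dataclasses import dataclass
import ipaddress

# Standard MQTT ports: 1883 plaintext, 8883 MQTT over TLS.
MQTT_PORTS = {1883, 8883}

# Hypothetical asset inventory mapping internal IPs to OT/IoT device roles.
OT_DEVICES = {
    "10.10.1.20": "PLC",
    "10.10.1.21": "HMI",
    "10.10.2.5": "IP camera",
}

# Hypothetical internal address space and the only broker devices may use.
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]
ALLOWED_BROKERS = {("10.10.0.10", 8883)}

# Constructed, Zeek-style conn records (tab-separated subset of fields):
# ts  uid  orig_h  orig_p  resp_h  resp_p  proto  service
# 203.0.113.0/24 is a documentation range standing in for an Internet host.
SAMPLE_CONN_LOG = """\
1733900000.1\tC1\t10.10.1.20\t50111\t10.10.0.10\t8883\ttcp\tssl
1733900001.2\tC2\t10.10.1.20\t50112\t203.0.113.45\t8883\ttcp\tssl
1733900002.3\tC3\t10.10.2.5\t40001\t203.0.113.45\t1883\ttcp\t-
1733900003.4\tC4\t10.10.5.9\t40002\t203.0.113.45\t8883\ttcp\tssl
1733900004.5\tC5\t10.10.1.21\t40003\t10.10.0.99\t8883\ttcp\tssl
"""


@dataclass
class Finding:
    uid: str
    src: str
    device_type: str
    dst: str
    dst_port: int
    reason: str


def parse_conn_line(line):
    """Parse one tab-separated record; return None for blank or comment lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    ts, uid, src, _src_port, dst, dst_port, proto, service = fields[:8]
    return {"ts": ts, "uid": uid, "src": src, "dst": dst,
            "dst_port": int(dst_port), "proto": proto, "service": service}


def is_internal(ip_text):
    """True if the address falls inside one of the site's internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_mqtt(log_text, inventory=OT_DEVICES, allowed=ALLOWED_BROKERS):
    """Return findings for OT/IoT devices opening MQTT sessions to unapproved brokers.

    Only flow metadata is used: the source must be a known OT/IoT asset, the
    destination port must be an MQTT port, and the broker must not be allowlisted.
    Hosts outside the inventory (workstations, servers) are ignored here.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        device_type = inventory.get(rec["src"])
        if device_type is None or rec["dst_port"] not in MQTT_PORTS:
            continue
        if (rec["dst"], rec["dst_port"]) in allowed:
            continue
        reason = "unapproved internal broker" if is_internal(rec["dst"]) else "external broker"
        findings.append(Finding(rec["uid"], rec["src"], device_type,
                                rec["dst"], rec["dst_port"], reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_mqtt(SAMPLE_CONN_LOG):
        print(f"{f.uid}: {f.device_type} {f.src} -> {f.dst}:{f.dst_port} ({f.reason})")
```

On the sample data this flags the PLC and the camera reaching an Internet broker and the HMI reaching an internal broker that is not the approved one, while the approved session and the non-OT workstation's connection pass. The allowlist is the important part: a PLC or camera that has any business speaking MQTT should have a known broker, so the rule is an inventory check rather than a signature, and it is unaffected by the traffic being TLS-encrypted.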

One significant attack involved the compromise of several hundred fuel management systems manufactured by Orpak and Gasboy in Israel and the U.S. The threat group, known as CyberAv3ngers—believed to be linked to the Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC)—claimed responsibility for these attacks, sharing evidence on their Telegram channel.

In response to these activities, the U.S. Department of the Treasury imposed sanctions on six IRGC-CEC officials associated with CyberAv3ngers, and the U.S. State Department's Rewards for Justice program is offering up to $10 million for information leading to the identification or location of the group's members.

This discovery underscores the escalating cyber threats facing critical infrastructure sectors globally. The detailed analysis by Team82 provides valuable insights into the capabilities and methodologies of nation-state actors targeting civilian infrastructure.

For an in-depth understanding of IOCONTROL and its implications, read the full report by Claroty's Team82:

https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol