Critical infrastructure is being hit by dangerous new malware: routers, firewalls and fuel systems are all under threat
- Cybersecurity researchers have discovered a new piece of malware called IOCONTROL
- It focuses on IoT devices in organizations with critical infrastructure
- IOCONTROL is modular and can target devices from multiple manufacturers
US and Israeli critical infrastructure is being targeted by a dangerous new piece of malware, and the culprits appear to be Iranian.
Cybersecurity researchers Claroty obtained and analyzed a sample of the malware, called IOCONTROL, from a compromised industrial system.
An Iranian state-sponsored group known as CyberAv3ngers is suspected of building and deploying IOCONTROL. Although it is not known what methods the hackers used to infect their victims with IOCONTROL, the targets appear to be Internet of Things (IoT) and OT/SCADA devices used by critical infrastructure organizations in those countries.
Modular malware
The most commonly targeted devices include routers, programmable logic controllers (PLC), human-machine interfaces (HMI), IP cameras, firewalls and fuel management systems. In fact, the first sample analyzed was taken from a Gasboy fuel management system, specifically the device's payment terminal (OrPT).
Claroty says the malware is modular and can be used for data exfiltration and possibly even service disruption. Some of the supported commands include exfiltrating detailed system information, executing arbitrary OS commands, and scanning specified IP ranges and ports for other potential targets. The malware can apparently control pumps, payment terminals and other peripherals.
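One of the capabilities listed above, scanning IP ranges and ports for further targets, is something a defender can watch for in network telemetry from OT and IoT segments, where a single device suddenly contacting many distinct hosts or ports is unusual. The following is an added example, not code from Claroty or from the article: a small sliding-window scan detector run over constructed flow records (the addresses, ports, timestamps and the thresholds of 20 distinct targets in 60 seconds are all assumptions for illustration).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a flow collector might export it."""
    ts: float      # seconds since capture start
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port


def detect_scanners(flows, window=60.0, min_targets=20):
    """Return {src: peak_distinct_targets} for sources that contact at least
    `min_targets` distinct (dst, dport) pairs within any `window` seconds.

    A sliding window per source keeps the peak count of distinct targets seen,
    so a device that slowly polls one PLC is not flagged while a device that
    sweeps a subnet is.
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    alerts = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f.ts)
        counts = defaultdict(int)   # (dst, dport) -> occurrences inside window
        distinct = 0                # number of keys with count > 0
        left = 0
        peak = 0
        for right, f in enumerate(src_flows):
            key = (f.dst, f.dport)
            if counts[key] == 0:
                distinct += 1
            counts[key] += 1
            # Evict flows older than the window relative to the newest flow.
            while src_flows[right].ts - src_flows[left].ts > window:
                old = (src_flows[left].dst, src_flows[left].dport)
                counts[old] -= 1
                if counts[old] == 0:
                    distinct -= 1
                left += 1
            peak = max(peak, distinct)
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


# Constructed sample telemetry (assumed values, not from the article):
# 10.1.5.10 is a benign HMI polling one PLC on Modbus/TCP (502) and one on
# S7comm (102); 10.1.5.20 sweeps 30 hosts on port 502 within 30 seconds.
SAMPLE_FLOWS = (
    [Flow(ts=float(i), src="10.1.5.10", dst="10.1.5.2", dport=502) for i in range(50)]
    + [Flow(ts=3.0, src="10.1.5.10", dst="10.1.5.3", dport=102)]
    + [Flow(ts=float(i), src="10.1.5.20", dst=f"10.1.5.{i + 1}", dport=502) for i in range(30)]
)


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT scan-like behaviour from {src}: {peak} distinct targets in 60s")
```

Tuning matters more than the code: on a well-segmented OT network, a baseline of which sources legitimately talk to many peers (engineering workstations, monitoring collectors) should be allow-listed, and the thresholds should be derived from a few days of normal traffic rather than guessed.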
IOCONTROL can be installed on equipment from D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika and Unitronics.
While the exact number of victims is unknown, CyberAv3ngers told their followers on Telegram that they had compromised 200 gas stations in Israel and the US, and Claroty believes the group is not exaggerating. The majority of the attacks took place in late 2023, although researchers did discover new campaigns in mid-2024.
Iran’s state-sponsored threat actors are among the most active in the global cyber threat landscape, focusing on espionage, sabotage and disinformation campaigns. Some of the most notable are APT33 (AKA Refined Kitten), APT34 (OilRig/Helix Kitten), MuddyWater (Static Kitten/Seedworm), and Charming Kitten (APT35/Phosphorus).
Via BleepingComputer