New IOCONTROL Malware Threatens Critical Infrastructure in Israel and the US

Iranian-linked hackers are using the newly discovered IOCONTROL malware to target critical infrastructure in Israel and the US, compromising IoT devices and SCADA systems. The modular malware poses a significant threat.

    Iranian threat actors are leveraging a sophisticated new piece of malware, dubbed IOCONTROL, to compromise critical infrastructure in both Israel and the United States. This alarming development highlights the growing threat posed by nation-state actors targeting industrial control systems (ICS) and operational technology (OT) networks.

    The IOCONTROL Malware: Capabilities and Targets

    The IOCONTROL malware, discovered and analyzed by Claroty’s Team82 researchers, demonstrates a high level of sophistication and adaptability. Its modular design allows it to infect a wide range of devices from various manufacturers, including prominent names such as D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. Targeted devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), IP cameras, firewalls, and even fuel management systems like those from Orpak and Gasboy.

    The malware’s ability to infect such a diverse range of devices underscores the potential for widespread disruption. Researchers have observed IOCONTROL being used to control pumps, payment terminals, and other peripheral systems within targeted infrastructure, leading to potential data theft or significant operational disruptions.

    Modus Operandi and Attribution

    While the precise infection vector remains unknown, Claroty researchers extracted IOCONTROL samples from the payment terminal of a Gasboy fuel control system. The malware installs a persistence script (S93InitSystemd.sh) so that it is relaunched after a device reboot. It communicates with its command-and-control (C2) server over the MQTT protocol (port 8883), embedding a unique device ID in the MQTT credentials to identify each compromised device to the C2 server. To evade detection, IOCONTROL resolves its C2 domain via DNS over HTTPS (DoH) and encrypts its configuration with AES-256-CBC.

    Attribution points strongly towards an Iranian hacking group known as CyberAv3ngers, who have a history of targeting industrial systems. Interestingly, OpenAI recently reported that this group utilizes ChatGPT to assist in cracking PLCs, developing custom exploit scripts (bash and Python), and planning post-compromise activities. This highlights the increasingly sophisticated methods employed by these threat actors.

    The Scale of the Attacks

    Claims on Telegram suggest that the threat actors compromised approximately 200 gas stations in both Israel and the US. This aligns with Claroty’s findings and indicates a significant scale of operation. These attacks, initially observed in late 2023, alongside the defacement of Unitronics Vision PLC/HMI devices in water treatment facilities, have continued into mid-2024, demonstrating the ongoing nature of this threat. As of December 10th, 2024, the UPX-packed IOCONTROL malware binary was undetected by any of the 66 antivirus engines on VirusTotal.

    IOCONTROL Malware Commands

    The IOCONTROL malware supports a range of commands, each implemented using libc functions that the malware resolves dynamically at runtime:

    • Send “hello”: Reports detailed system information to the C2 server.
    • Check exec: Verifies proper installation and executability of the malware.
    • Execute command: Executes arbitrary OS commands and reports the output.
    • Self-delete: Removes its own files and logs to hinder detection.
    • Port scan: Scans IP ranges and ports to identify other potential targets.
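    The following detection logic is an added example for defenders, not code from Claroty's report or from the malware itself. It tags OT hosts whose flow records show the traffic traits described above: outbound MQTT on port 8883 to a broker that is not on an allowlist, HTTPS to a DoH resolver, and internal port-scan fan-out like that produced by the malware's port-scan command. The OT subnet, broker allowlist, resolver address and flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions for the example (not from the report):
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # the OT/ICS subnet being monitored
MQTT_ALLOWLIST = {"10.20.5.5"}                  # the only sanctioned MQTT broker
DOH_RESOLVERS = {"198.51.100.7"}                # HTTPS endpoints known to serve DoH
SCAN_THRESHOLD = 4                              # distinct internal (host, port) targets

# Constructed flow records: (src_ip, dst_ip, dst_port, proto). Not real traffic.
FLOWS = [
    ("10.20.0.15", "203.0.113.10", 8883, "tcp"),  # MQTT/TLS to an unknown broker
    ("10.20.0.15", "198.51.100.7", 443, "tcp"),   # HTTPS to a DoH resolver
    ("10.20.0.15", "10.20.0.31", 22, "tcp"),      # fan-out across internal hosts/ports
    ("10.20.0.15", "10.20.0.31", 80, "tcp"),
    ("10.20.0.15", "10.20.0.32", 23, "tcp"),
    ("10.20.0.15", "10.20.0.32", 502, "tcp"),
    ("10.20.0.40", "10.20.5.5", 8883, "tcp"),     # benign: sanctioned broker
    ("192.0.2.9", "10.20.0.15", 8883, "tcp"),     # external source: out of scope
]


def classify(flows, ot_net=OT_NET, mqtt_allowlist=MQTT_ALLOWLIST,
             doh_resolvers=DOH_RESOLVERS, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: set(tags)} for OT hosts showing IOCONTROL-like traffic."""
    tags = defaultdict(set)
    scan_targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if ipaddress.ip_address(src) not in ot_net:
            continue  # only OT devices are candidates for this detection
        if proto == "tcp" and port == 8883 and dst not in mqtt_allowlist:
            tags[src].add("mqtt-8883-unsanctioned")
        if proto == "tcp" and port == 443 and dst in doh_resolvers:
            tags[src].add("doh-resolver")
        if proto == "tcp" and ipaddress.ip_address(dst) in ot_net:
            scan_targets[src].add((dst, port))
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            tags[src].add("internal-port-scan")
    return dict(tags)


def severity(tag_set):
    """More independent traits on one host means higher confidence."""
    return {0: "none", 1: "low", 2: "medium"}.get(len(tag_set), "high")


if __name__ == "__main__":
    for host, found in classify(FLOWS).items():
        print(host, severity(found), sorted(found))
```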

    Mitigation and Defense

    Given the critical infrastructure targets and the persistent activity of the threat actors, Claroty’s report serves as a crucial resource for defenders. The report includes a comprehensive list of indicators of compromise (IoCs) to aid in detection and mitigation efforts. Organizations operating critical infrastructure should prioritize robust cybersecurity measures, including regular patching, network segmentation, and advanced threat detection systems, to protect against IOCONTROL and similar threats. The use of multi-factor authentication (MFA) and strong password policies is also crucial.

    The emergence of IOCONTROL malware represents a significant escalation in the cyber threat landscape. Its modular design, ability to target a wide range of devices, and association with a known state-sponsored actor highlight the need for increased vigilance and proactive security measures to protect critical infrastructure from these sophisticated attacks. The ongoing nature of these attacks underscores the importance of continuous monitoring and rapid response capabilities.
