A malware sample extracted from a fuel management system was allegedly compromised by a group linked to the Iranian CyberAv3ngers, the same group believed behind the attacks on Unitronics devices last fall that targeted water systems in the U.S. and Israel.
The Claroty Team82 researchers said in a Dec. 10 post that the malware — dubbed IOCONTROL — was part of a global cyber operation against a broad range of Western IoT and OT devices that are typically deployed at water systems and gas stations.
Affected devices include IP cameras, routers, programmable logic controllers, human-machine interfaces, firewalls, and other Linux-based IoT/OT platforms from the following vendors: Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
According to Claroty, the CyberAv3ngers are believed to be a part of the Islamic Revolution Guard Corps Electronic Command and have been especially vocal on Telegram sharing screenshot and other information about recent compromises of fuel systems.
“The use of IOCONTROL by Iranian-affiliated CyberAv3ngers highlights a calculated move to enhance the impact and adaptability of cyberattacks on critical infrastructure,” said Callie Guenther, senior manager for cyber threat research at Critical Start. “Its modular design allows it to target a wide range of devices across manufacturers, emphasizing a shift from single-system malware to broader, cross-platform threats.”
Guenther, an SC Media columnist, said Iranian threat actors have long targeted critical infrastructure as an important component of geopolitical conflict. She said the activities of the CyberAv3ngers align with campaigns such as the 2020 attacks on Israel’s water systems, which aimed to disrupt essential resources while leveraging asymmetric cyber capabilities. Guenther added that the consistent focus on systems like water, energy, and fuel underscores the intent to exploit vulnerabilities in sectors that affect societal stability.
John Bambenek, president at Bambenek Consulting, added that while the components of an IoT system vary widely, many are built on various flavors of Linux. He said this let the attacker create something generic enough to run on a wide variety of Linux devices, but still remain modular enough to get the specific functionality they need for all of these unique devices.
“The attackers are certainly spending a lot of thought and time in how to do this right, and at scale, which is much more concerning,” said Bambenek. “While many of these devices are useful only for data theft or espionagen, etwork devices or IP cameras, for instance, PLCs are the gateway from the cyber world to create real world impacts.”
NSA cybersecurity expert Evan Dornbush, added that the authors made some modest, yet nontrivial steps to evade detection implying they aren't new to this. Dornbush said a seasoned attacker using the same implant for every one of its targets either doesn't think they are going to get caught, or doesn't care if they do.
“Why should they care?” posed Dornbush. “Even now that the code has been detected and signatured, it's an immense effort to remove all the infections. When was the last time you patched your IP camera or router? Is the average gas pump attendant flashing firmware?
And that's the big take away, said Dornbush.
“Products are still shipping vulnerable and attackers are increasingly able to exploit and have massive economic impact,” said Dornbush. “The cleanup effort here is substantial relative to the cost of exploitation. These attackers are likely to modify the implant further to evade future detection, stand up new C2, and try again, because it's cheap to be an attacker and expensive to be a defender.”
