In a concerning development, cybersecurity researchers have uncovered a new piece of malware, dubbed IOCONTROL, which has been used in attacks on critical infrastructure in the United States and Israel. The malware, believed to be linked to Iranian threat actors, targets Internet of Things (IoT) devices and Operational Technology (OT) systems, including routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), IP cameras, firewalls, and fuel management systems.
The discovery was made by researchers from Claroty’s Team82, who analyzed a sample of IOCONTROL extracted from a compromised Gasboy fuel management system. The malware is modular in nature, allowing it to adapt to various device types and manufacturers, such as D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
What is IOCONTROL?
IOCONTROL is considered a cyberweapon capable of causing significant disruption to critical infrastructure. The malware uses the MQTT protocol to communicate with its command-and-control (C2) server; because MQTT is common on IoT networks, the C2 traffic blends in with legitimate device telemetry and is hard to single out. It also resolves its C2 domains over DNS over HTTPS (DoH), so the lookups bypass the local resolver and evade monitoring tools that only inspect plain DNS.
The threat actors behind IOCONTROL, believed to be the Iranian hacking group known as CyberAv3ngers, have claimed to have compromised 200 gas stations in Israel and the United States. These attacks, which began in late 2023 and continued into mid-2024, targeted fuel management systems, including Orpak and Gasboy devices. With control of these systems, the attackers could potentially shut down fuel services and steal customers’ payment information. According to the researchers at Claroty, “IOCONTROL attack wave involved the compromise of several hundred Israel-made Orpak Systems and U.S.-made Gasboy fuel management systems in Israel and the United States.”
IOCONTROL supports a range of commands, including sending system information to the C2 server, executing arbitrary OS commands, performing port scans, and self-deleting to evade detection. The malware’s persistence mechanism ensures it remains active even after device reboots.
How the IOCONTROL Attack Works
Here’s a step-by-step explanation of how the IOCONTROL malware targets victim organizations:
- Initial Compromise: The attackers first gain access to the victim’s network or directly to the target device, for example through phishing emails, exploitation of vulnerable or exposed software, or stolen credentials.
- Infection: Once inside the network, the attackers deploy the IOCONTROL malware onto IoT devices and OT systems, such as routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems.
- Persistence: The malware installs a persistence mechanism so that it remains active after a device reboot. This is done with a startup script in the device’s init directory that launches the malware at boot (the /etc/rc3.d/S93InitSystemd.sh entry in the IOC list below).
- Communication: IOCONTROL uses the MQTT protocol to communicate with its command-and-control (C2) server. Because MQTT is commonly used by IoT devices, the malicious traffic is harder to distinguish from normal device telemetry.
- Command Execution: The malware can execute arbitrary OS commands on the infected device, allowing attackers to control the device, steal data, or disrupt services.
- Self-Deletion: To avoid detection, IOCONTROL can delete its own binaries, scripts, and logs.
- Port Scanning: The malware can perform port scans to identify other potential targets within the network.
- Data Exfiltration: The attackers can steal sensitive information, such as payment data from fuel management systems, and send it to the C2 server.
- Impact: The ultimate goal of the attack is to disrupt critical infrastructure, such as shutting down fuel services or compromising water treatment facilities.
IOCONTROL IOCs
- 159[.]100[.]6[.]69 (IP address)
- uuokhhfsdlk[.]tylarion867mino[.]com (domain)
- ocferda[.]com (domain)
- tylarion867mino[.]com (domain)
- 1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498 (SHA-256 file hash)
- /usr/bin/iocontrol (file path on the infected device)
- /etc/rc3.d/S93InitSystemd.sh (startup script used for persistence)
- /tmp/iocontrol (file path on the infected device)
- /var/run/iocontrol.pid (PID file on the infected device)
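The attack steps above and the indicators listed here can be turned into a hunt. The script below is an added example, not code from the original page and not Claroty’s tooling: it sweeps a mounted firmware or disk image for the published file paths, hashes whatever it finds against the published SHA-256, flags any SysV rc*.d start script that launches the implant (the persistence step), and scans exported DNS and flow log lines for the domains, the IP, and connections to the MQTT default ports 1883/8883. The MQTT port check is a heuristic of mine, not an indicator from the page; the sample files created by `build_demo_root()` and the lines in `DEMO_LOG` are constructed for the demo and do not come from a real device. It is meant to run on an analyst workstation, since the affected devices rarely ship Python.

```python
"""Offline sweep for the IOCONTROL indicators listed above (added example)."""
import hashlib
import os
import re
import tempfile

# Indicators from the page, kept defanged so nobody resolves them by accident.
IOC_IPS = {"159[.]100[.]6[.]69"}
IOC_DOMAINS = {
    "uuokhhfsdlk[.]tylarion867mino[.]com",
    "ocferda[.]com",
    "tylarion867mino[.]com",
}
IOC_SHA256 = {"1b39f9b2b96a6586c4a11ab2fdbff8fdf16ba5a0ac7603149023d73f33b84498"}
IOC_PATHS = ["usr/bin/iocontrol", "etc/rc3.d/S93InitSystemd.sh",
             "tmp/iocontrol", "var/run/iocontrol.pid"]
MQTT_PORTS = {"1883", "8883"}  # MQTT defaults: a heuristic, not an IOC from the page


def refang(ioc):
    """Turn a defanged indicator ('a[.]b') back into a matchable string."""
    return ioc.replace("[.]", ".")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_filesystem(root):
    """Check the known paths under a mounted image root, hash whatever is there,
    and flag any rc*.d start script that references the implant."""
    found = {}
    for rel in IOC_PATHS:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            digest = sha256_of(full)
            found["/" + rel] = {"path": "/" + rel, "sha256": digest,
                                "known_sample": digest in IOC_SHA256,
                                "startup_script": False}
    etc = os.path.join(root, "etc")
    rc_dirs = sorted(os.listdir(etc)) if os.path.isdir(etc) else []
    for d in rc_dirs:
        if not re.fullmatch(r"rc\d\.d", d):
            continue
        for name in sorted(os.listdir(os.path.join(etc, d))):
            p = os.path.join(etc, d, name)
            if not os.path.isfile(p):
                continue
            with open(p, "rb") as f:
                body = f.read().decode("utf-8", "replace")
            if "iocontrol" in body.lower():
                key = f"/etc/{d}/{name}"
                digest = sha256_of(p)
                found.setdefault(key, {"path": key, "sha256": digest,
                                       "known_sample": digest in IOC_SHA256,
                                       "startup_script": False})
                found[key]["startup_script"] = True
    return list(found.values())


_HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_PORT_RE = re.compile(r":(\d{1,5})\b")
_DOMAINS = {refang(d) for d in IOC_DOMAINS}
_IPS = {refang(i) for i in IOC_IPS}


def sweep_log(lines):
    """Flag IOC domains (and their subdomains), the IOC IP, and connections to
    MQTT default ports. Because IOCONTROL resolves C2 over DoH, the resolver log
    may stay clean; the IP and port checks on flow records are what catch it."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in _DOMAINS):
                hits.append((n, "domain", h))
        for ip in _IP_RE.findall(line):
            if ip in _IPS:
                hits.append((n, "ip", ip))
        for port in _PORT_RE.findall(line):
            if port in MQTT_PORTS:
                hits.append((n, "mqtt_port", port))
    return hits


# Constructed dnsmasq-style and firewall-style lines, not from a real device.
DEMO_LOG = [
    "Dec 10 12:01:02 gw dnsmasq[412]: query[A] uuokhhfsdlk.tylarion867mino.com from 10.20.0.15",
    "Dec 10 12:01:03 gw dnsmasq[412]: query[A] ntp.pool.example from 10.20.0.15",
    "Dec 10 12:01:05 fw flow: 10.20.0.15:49322 -> 159.100.6.69:8883 proto=tcp",
    "Dec 10 12:01:09 fw flow: 10.20.0.15:49330 -> 198.51.100.7:443 proto=tcp",
]


def build_demo_root():
    """Throwaway directory laid out like an infected device's root. The file
    contents are placeholders, so the hash will not match the published sample."""
    root = tempfile.mkdtemp(prefix="iocontrol-demo-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    os.makedirs(os.path.join(root, "etc", "rc3.d"))
    with open(os.path.join(root, "usr", "bin", "iocontrol"), "wb") as f:
        f.write(b"\x7fELF placeholder, not the implant\n")
    with open(os.path.join(root, "etc", "rc3.d", "S93InitSystemd.sh"), "w") as f:
        f.write("#!/bin/sh\n/usr/bin/iocontrol &\n")
    return root


def run_demo():
    return sweep_filesystem(build_demo_root()), sweep_log(DEMO_LOG)


if __name__ == "__main__":
    fs_findings, log_hits = run_demo()
    for item in fs_findings:
        print("FILE", item["path"], "known_sample" if item["known_sample"] else "hash-mismatch",
              "startup-script" if item["startup_script"] else "")
    for line_no, kind, value in log_hits:
        print("LOG line", line_no, kind, value)
```

Point `sweep_filesystem()` at the mount point of an extracted firmware or disk image rather than at `/` on the live device, so the sweep does not trigger the self-deletion behaviour described above. A path hit whose hash does not match the published SHA-256 still deserves a look, since the page lists only one sample and the malware is built per device type.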
IOCONTROL: An Emerging Threat To Critical Infrastructure Organizations
The discovery of IOCONTROL highlights the growing threat of cyberattacks on critical infrastructure. As geopolitical tensions continue to rise, the use of such sophisticated malware by nation-state actors poses a significant risk to national security and public safety. The researchers have called for increased vigilance and improved cybersecurity measures to protect critical systems from these types of attacks.
In response to the threat, cybersecurity experts recommend implementing robust security controls, including regular firmware and system updates, network monitoring of IoT and OT devices, and the use of advanced threat detection tools. Additionally, organizations should conduct regular security audits and employee training to ensure awareness of potential cyber threats.
The ongoing battle against cyber threats requires a collaborative effort from governments, private sector entities, and cybersecurity professionals. By staying informed and proactive, we can better protect our critical infrastructure from malicious actors seeking to exploit vulnerabilities for their gain.
As the threat landscape continues to evolve, it is crucial to remain vigilant and adapt to new challenges. The discovery of IOCONTROL serves as a stark reminder of the importance of cybersecurity in safeguarding our critical infrastructure and ensuring the safety and well-being of our communities.