Researchers Discover Malware Used by Nation-States to Attack OT Systems
Researchers at industrial cybersecurity provider Claroty have discovered a new tool that nation-state cyber threat actors use to attack civilian critical infrastructure.
Team82, Claroty’s threat intelligence research team, obtained a sample of IOCONTROL, custom-built malware that infects Internet of Things (IoT) and operational technology (OT) systems.
Team82 has assessed that IOCONTROL is part of a global cyber operation against Western IoT and OT devices.
They shared their findings in a new report published on December 10.
The malware sample was extracted from a fuel management system allegedly compromised by the CyberAv3ngers, a threat group believed to be part of Iran’s Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC). The same group is said to be responsible for the Unitronics attack in the fall of 2023.
Upon analyzing the sample, Team82 assessed that the tool had been used to attack IoT, OT and supervisory control and data acquisition (SCADA) devices of various types, including IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs) and firewalls.
Some of the affected vendors include Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika and Unitronics.
One IOCONTROL attack campaign involved the compromise of several hundred Israel-made Orpak Systems and US-made Gasboy fuel management systems in Israel and the US.
In February, the US Department of the Treasury announced sanctions against six IRGC-CEC officials linked to the CyberAv3ngers and offered a $10m bounty for information leading to the identification or location of anyone involved in the attacks.
While IOCONTROL is essentially custom-built for IoT devices, it is generic enough that it directly impacts various OT platforms and systems, such as the fuel pumps that are heavily used in gas stations.