
Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms



 IoT Security / Operational Technology

A previously undocumented malware family named IOCONTROL, attributed to Iran-linked threat actors, is being used against IoT and operational technology (OT) devices in Israel and the United States. Because it targets both commodity IoT devices and supervisory control and data acquisition (SCADA) components, it is a direct risk to critical infrastructure rather than just to consumer hardware.


IOCONTROL Malware Overview

According to Claroty, an OT cybersecurity company, IOCONTROL targets a range of devices including IP cameras, routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and various Linux-based IoT/OT platforms. Its modular configuration lets a single codebase run on devices from different vendors rather than requiring a per-target build.

“While the malware is believed to be custom-built by the threat actor, it is generic enough to run on a variety of platforms due to its modular configuration,” Claroty explained.

By that count, IOCONTROL is the tenth malware family specifically engineered to attack Industrial Control Systems (ICS), joining a list that includes Stuxnet, Havex, Industroyer, Triton, and others.


Malware Analysis and Functionality

Claroty's research traced the malware to a Gasboy fuel management system compromised by the hacking group Cyber Av3ngers, the same group known for exploiting Unitronics PLCs to breach water systems. Embedded within the Gasboy Payment Terminal (OrPT), the malware could enable threat actors to:

  • Disrupt fuel services.
  • Steal credit card information.
  • Shut down critical infrastructure.

The infection chain ends with a persistent backdoor that is launched again automatically after a device reboot. For command-and-control, IOCONTROL uses MQTT, the publish/subscribe messaging protocol common in IoT deployments, so its C2 traffic resembles ordinary device telemetry and is less likely to stand out on an OT network that already permits MQTT.


Advanced Evasion Techniques

To evade detection, IOCONTROL resolves its C2 infrastructure with DNS-over-HTTPS (DoH) via Cloudflare, a tactic also adopted by Chinese and Russian state-sponsored groups. Because the lookups travel inside HTTPS to Cloudflare's resolver instead of as plaintext UDP/53 queries, passive DNS monitoring, DNS sinkholes and DNS-based blocklists never see the queried name; on the wire the lookup is just another TLS connection.
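Both of the evasion choices above (MQTT for C2 and DoH for name resolution) share a weakness from the defender's side: an IoT or OT device normally has a very short list of hosts it should ever talk to. The following added detection example, which is not code from Claroty or from the original article, scans constructed Zeek-style conn.log rows and flags two things from assumed OT subnets: HTTPS connections to public resolvers that serve DoH (Cloudflare's 1.1.1.1 and 1.0.0.1 are listed; extend the set for your environment) and MQTT connections (ports 1883/8883) to any broker other than the site's own. The subnet, broker address and sample rows are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed site values (hypothetical; adjust to your environment):
OT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]   # IoT/OT device ranges
ALLOWED_MQTT_BROKERS = {"10.20.1.5"}                   # the on-prem broker devices should use
MQTT_PORTS = {1883, 8883}                              # MQTT plaintext / MQTT over TLS
# Public resolvers that also serve DNS-over-HTTPS. Cloudflare's are listed here;
# add other resolvers (Google, Quad9, ...) as needed for your site.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}


@dataclass
class Finding:
    rule: str
    src: str
    dst: str
    dport: int


def in_ot(ip: str) -> bool:
    """True if the address belongs to one of the monitored OT/IoT subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_SUBNETS)


def parse_conn(line: str) -> Optional[dict]:
    """Parse one Zeek-style conn.log row: tab-separated, '#' lines are headers."""
    if not line or line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return {"ts": f[0], "src": f[1], "dst": f[3],
            "dport": int(f[4]), "proto": f[5], "service": f[6]}


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Flag OT-originated DoH resolver traffic and MQTT to non-allowlisted brokers."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_conn(line)
        if rec is None or not in_ot(rec["src"]):
            continue
        dst, dport = rec["dst"], rec["dport"]
        if dport == 443 and dst in DOH_RESOLVER_IPS:
            findings.append(Finding("doh_to_public_resolver", rec["src"], dst, dport))
        elif dport in MQTT_PORTS and dst not in ALLOWED_MQTT_BROKERS and not in_ot(dst):
            findings.append(Finding("mqtt_to_external_broker", rec["src"], dst, dport))
    return findings


# Constructed sample rows (not real traffic).
# Columns: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = "\n".join("\t".join(r) for r in [
    ("#fields", "ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    ("1733961600.1", "10.20.3.14", "49152", "10.20.1.5", "1883", "tcp", "mqtt"),       # site broker, expected
    ("1733961601.3", "10.20.3.14", "49153", "1.1.1.1", "443", "tcp", "ssl"),           # HTTPS to a DoH resolver
    ("1733961602.7", "10.20.3.14", "49154", "198.51.100.23", "8883", "tcp", "ssl"),    # MQTT/TLS to unknown host
    ("1733961603.0", "10.20.3.14", "49155", "10.20.1.1", "53", "udp", "dns"),          # normal local DNS
    ("1733961604.2", "10.20.7.2", "49156", "203.0.113.9", "443", "tcp", "ssl"),        # plain HTTPS, not flagged
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_CONN_LOG.splitlines()):
        print(f"{f.rule}: {f.src} -> {f.dst}:{f.dport}")
```

The IP allowlist catches only resolvers you have enumerated; pairing this with Zeek's ssl.log server_name field (flagging SNI values such as cloudflare-dns.com) covers DoH endpoints hosted on addresses you did not list. Either way the underlying control is the same one the malware relies on you not having: egress filtering so that OT devices can reach only their local resolver and their own broker.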

Once connected to its command-and-control (C2) server, IOCONTROL transmits device-specific data, including:

  • Hostname.
  • Current user and device model.
  • Firmware version and location.
  • Timezone details.

It then awaits further commands to execute tasks such as:

  • Running arbitrary operating system commands.
  • Scanning IP ranges and specific ports.
  • Terminating or self-deleting the malware.


Implications for Critical Infrastructure

IOCONTROL represents a significant escalation in the use of malware against civilian infrastructure. By compromising fuel management systems and other OT devices, the operators can both disrupt essential services and exfiltrate sensitive data such as payment card details from the same foothold.

“The malware is essentially a cyberweapon used by a nation-state to attack civilian critical infrastructure,” Claroty emphasized, highlighting the serious implications of such attacks.


Key Takeaways

  • Nation-State Threat: The custom-built IOCONTROL malware reflects the growing sophistication of cyberweapons deployed by nation-states.
  • IoT and OT at Risk: The modular design means one family covers cameras, routers, PLCs, HMIs and firewalls alike, so defenses cannot be scoped to a single vendor or device class.
  • Evasion Techniques: MQTT for C2 and DoH for name resolution show how the malware hides inside protocols that OT networks already allow out.

As industrial systems become more interconnected, defending against threats like this requires proactive monitoring of device traffic for unexpected MQTT and DoH connections, strict egress filtering for IoT/OT segments, and vulnerability management for internet-exposed devices such as the PLCs and payment terminals abused here.