An Iranian hacking group, identified as “CyberAv3ngers,” has developed a sophisticated custom malware named “IOControl” that targets IoT and OT infrastructures in Israel and the United States. This malware, described as a “cyber weapon” by researchers from the cybersecurity firm Claroty, has been used to compromise fuel management systems produced by the U.S.-based company Gilbarco Veeder-Root. The ongoing cyber conflict between Israel and Iran has intensified, with CyberAv3ngers reportedly launching attacks on systems marketed under the Orpak and Gasboy brands.
The tensions between Israel and Iran have escalated into a wider proxy conflict following an incursion by Iranian ally Hamas into Israel in October 2023. During this period, CyberAv3ngers began targeting Orpak fuel management devices, with a second wave of attacks commencing around mid-2024. The same group had previously hacked Israeli-manufactured programmable logic controllers to display anti-Israeli messages and claimed to have compromised 200 gas stations in Israel and the United States.
In a related incident, an Israeli-affiliated hacking group known as Gonjeshke Darande claimed responsibility for a cyberattack on Iranian fuel pumps in December 2023. This illustrates the tit-for-tat nature of cyber warfare between the two nations. The U.S. government has responded by imposing sanctions on members of the Islamic Revolutionary Guard Corps Cyber Electronic Command, linked to CyberAv3ngers, and offering a reward for information leading to the group’s members.
The IOControl malware is particularly concerning because it persists on compromised devices: it installs a backdoor that survives a reboot. It communicates over the MQTT protocol on encrypted ports, which lets its traffic blend in with legitimate device telemetry, and it resolves its command-and-control infrastructure through DNS over HTTPS, which hides those lookups from conventional DNS monitoring. Together these choices make detection difficult and complicate efforts to contain the malware.
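The two network behaviours just described (MQTT on an encrypted port to a broker the site does not own, and HTTPS sessions to a public DNS-over-HTTPS resolver) are both things an OT device should never do on its own. The script below is an added example, not code from the article or from Claroty, showing how a defender can screen flow records for that combination. The OT subnet, the approved broker address, the resolver list and the flow records are constructed placeholders for a hypothetical site.

```python
"""Screen outbound flows from an OT network for the C2 pattern described
above: MQTT over a TLS port to an unapproved broker, or HTTPS to a public
DNS-over-HTTPS resolver. Added example; the subnet, allowlists and flow
records are constructed placeholders, not data from the Claroty report."""
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Constructed assumptions for a hypothetical fuel-management site.
OT_SUBNET = ip_network("10.20.0.0/16")      # VLAN holding the OT devices
APPROVED_BROKERS = {"10.20.1.5"}             # the only MQTT broker they may use
MQTT_PORTS = {1883, 8883}                    # plain and TLS MQTT ports
# A few well-known public DoH resolver addresses; extend from your own list.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("2024-06-01T10:00:01", "10.20.3.14", "10.20.1.5", 8883, "tcp"),     # normal: site broker
    ("2024-06-01T10:00:05", "10.20.3.14", "203.0.113.77", 8883, "tcp"),  # MQTT-TLS to unknown host
    ("2024-06-01T10:00:06", "10.20.3.14", "1.1.1.1", 443, "tcp"),        # HTTPS to a DoH resolver
    ("2024-06-01T10:00:09", "10.20.3.14", "10.20.1.2", 53, "udp"),       # normal DNS
    ("2024-06-01T10:01:00", "10.20.7.2", "198.51.100.9", 443, "tcp"),    # HTTPS, not a known DoH IP
    ("2024-06-01T10:01:30", "10.30.0.8", "1.1.1.1", 443, "tcp"),         # office host, out of scope
]


def classify_flow(flow):
    """Return a finding label for a suspicious OT egress flow, else None."""
    _, src, dst, dport, proto = flow
    if ip_address(src) not in OT_SUBNET or proto != "tcp":
        return None
    # OT devices may only speak MQTT to the site broker; anything else is suspect.
    if dport in MQTT_PORTS and dst not in APPROVED_BROKERS:
        return "mqtt_to_unapproved_external_broker"
    # A device with no browser has no business talking HTTPS to a DoH resolver.
    if dport == 443 and dst in DOH_RESOLVERS:
        return "https_to_public_doh_resolver"
    return None


def find_suspect_hosts(flows):
    """Group findings per OT source host. A host showing both indicators is
    the strongest match for the behaviour described in the article."""
    findings = defaultdict(set)
    for flow in flows:
        label = classify_flow(flow)
        if label:
            findings[flow[1]].add(label)
    return {host: sorted(labels) for host, labels in findings.items()}


if __name__ == "__main__":
    for host, labels in find_suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {', '.join(labels)}")
```

Port and address matching is deliberately simple: it will miss MQTT on a non-standard port or a DoH endpoint not on the list, so treat it as a triage filter, and pair it with an egress policy at the firewall that denies OT hosts any direct path to the internet in the first place.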
Research indicates that IOControl has been deployed against a variety of devices from several manufacturers, highlighting its versatility and adaptability. Claroty's findings suggest that initial access in these attacks often comes from brute-forcing SSH services exposed to the internet, which underlines the need for basic hardening: firewalls and NAT to keep management interfaces off the public internet, and strong password enforcement on any that remain reachable.
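Because the reported initial access is SSH brute-forcing, the most useful host-side signal is a burst of failed logins from one source followed by a success from the same source. The script below is an added example, not code from the article or from Claroty, that runs that check over OpenSSH-style auth log lines. The log lines, hostname and addresses are constructed, and the year is an assumption because the syslog format omits it.

```python
"""Detect the SSH brute-force pattern named above as IOControl's usual
initial access: many failed logins from one source, then a success.
Added example; the log lines are constructed, not from any real device."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's auth.log format.
SAMPLE_LOG = """\
Jun  1 10:00:01 fuelctl sshd[812]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jun  1 10:00:02 fuelctl sshd[813]: Failed password for admin from 198.51.100.23 port 50123 ssh2
Jun  1 10:00:02 fuelctl sshd[814]: Failed password for root from 198.51.100.23 port 50124 ssh2
Jun  1 10:00:03 fuelctl sshd[815]: Failed password for invalid user pi from 198.51.100.23 port 50125 ssh2
Jun  1 10:00:04 fuelctl sshd[816]: Failed password for root from 198.51.100.23 port 50126 ssh2
Jun  1 10:00:05 fuelctl sshd[817]: Failed password for root from 198.51.100.23 port 50127 ssh2
Jun  1 10:00:07 fuelctl sshd[818]: Accepted password for root from 198.51.100.23 port 50128 ssh2
Jun  1 10:05:00 fuelctl sshd[900]: Failed password for tech from 10.20.1.40 port 41000 ssh2
Jun  1 10:05:04 fuelctl sshd[901]: Accepted publickey for tech from 10.20.1.40 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Parse one sshd line into (timestamp, result, user, ip); None if it is
    not an authentication outcome. `year` is assumed, as syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return alerts in log order: ('burst', ip, count) once `threshold`
    failures from one IP fall inside `window`, and ('success_after_burst',
    ip, user) when that IP then authenticates, which warrants incident response."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bursting = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("burst", ip, len(q)))
        elif result == "Accepted" and ip in bursting:
            alerts.append(("success_after_burst", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one that matters: a burst alone is background noise on any internet-facing SSH port, but a successful password login from the same source right after it is the moment a device like the one described above would have been taken over, and is the point at which it should be isolated and its credentials rotated.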