A notorious Iranian state-sponsored hacking group has been using custom-built malware to target IoT and operational technology (OT) devices in the United States and Israel, according to cybersecurity firm Claroty.
The malware, named IOCONTROL, has been tied by Claroty researchers to CyberAv3ngers, which claims to be a hacktivist group, but which the US government and others have linked to Iran’s Islamic Revolutionary Guard Corps (IRGC).
CyberAv3ngers has targeted industrial control systems (ICS) at water facilities in Ireland and the United States, including a water utility in Pennsylvania. In the Ireland attack, the hackers’ actions caused serious disruptions that led to the water supply being cut off for two days.
The attacks did not involve sophisticated hacking and instead relied on the fact that many organizations leave ICS exposed to the internet and protected with default credentials that can be easily obtained.
The US government is offering a reward of up to $10 million for information on CyberAv3ngers, which it has described as a persona used by the Iranian government to conduct malicious cyber activities.
According to Claroty, the IOCONTROL malware is a cyberweapon used by Iran to attack civilian critical infrastructure.
The security firm says the malware has been used to target IoT, ICS and other OT devices, including IP cameras, routers, SCADA systems, PLCs, HMIs, and firewalls from vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics.
The malware is based on a generic IoT/OT malware framework designed to target embedded Linux-based devices, with the attackers compiling separate builds tailored to each type of targeted system.
IOCONTROL uses the MQTT machine-to-machine network protocol for command and control (C&C) communications. It supports commands for executing arbitrary code and conducting port scans, enabling attackers to remotely control compromised devices and perform lateral movement.
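As an added example (not code from the Claroty report or from this article), the following parses MQTT 3.1.1 CONNECT packets and flags OT/IoT devices that open MQTT sessions to brokers outside a site allowlist, which is the kind of check a defender can run over captured traffic given that the malware's C&C rides on MQTT. The device addresses, client IDs, broker addresses and packet bytes below are constructed for illustration.

```python
import struct

def _remaining_length(buf: bytes, pos: int):
    """Decode MQTT's variable-length 'remaining length' field; return (value, next_pos)."""
    value, multiplier = 0, 1
    while True:
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")

def _field(buf: bytes, pos: int):
    """Read one 2-byte-length-prefixed field; return (raw bytes, next_pos)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length

def parse_connect(packet: bytes):
    """Parse an MQTT 3.1.1 CONNECT packet; return None if the packet is not a CONNECT."""
    if not packet or packet[0] >> 4 != 1:      # control packet type 1 == CONNECT
        return None
    _, pos = _remaining_length(packet, 1)
    proto, pos = _field(packet, pos)           # protocol name, normally b"MQTT"
    level, flags = packet[pos], packet[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _field(packet, pos)
    info = {"protocol": proto.decode(), "level": level,
            "client_id": client_id.decode(), "keep_alive": keep_alive}
    if flags & 0x04:                           # will flag set: skip will topic and will message
        _, pos = _field(packet, pos)
        _, pos = _field(packet, pos)
    if flags & 0x80:                           # username flag set
        username, pos = _field(packet, pos)
        info["username"] = username.decode()
    return info

def find_unexpected_mqtt(flows, approved_brokers):
    """Return (device, broker, client_id) for each MQTT session opened to a non-approved broker."""
    alerts = []
    for src, dst, payload in flows:
        info = parse_connect(payload)
        if info and dst not in approved_brokers:
            alerts.append((src, dst, info["client_id"]))
    return alerts

# Constructed sample traffic: a camera connecting to an unknown internet broker, an HMI
# connecting to the site's own broker (with a username), and a Modbus/TCP frame that is ignored.
CONNECT_CAM = b"\x10\x14\x00\x04MQTT\x04\x02\x00\x3c\x00\x08camera-7"
CONNECT_HMI = b"\x10\x16\x00\x04MQTT\x04\x82\x00\x1e\x00\x05hmi-3\x00\x03hmi"
SAMPLE_FLOWS = [("10.0.5.21", "198.51.100.7", CONNECT_CAM),
                ("10.0.5.22", "10.0.1.10", CONNECT_HMI),
                ("10.0.5.23", "10.0.1.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01")]
APPROVED_BROKERS = {"10.0.1.10"}
```

Running `find_unexpected_mqtt(SAMPLE_FLOWS, APPROVED_BROKERS)` reports only the camera's session to 198.51.100.7; in practice the flows would come from a packet capture or NetFlow with payload on TCP/1883 and TLS-decrypted 8883.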
In October 2023, CyberAv3ngers claimed to have disrupted 200 gas pumps in Israel. The targeted devices had been using gas station solutions provided by a company named Orpak Systems.
Claroty obtained a sample of the IOCONTROL malware from a Gasboy fuel control system, which, the company says, “has close ties with Orpak Systems”. The security firm said it’s unclear how the malware had been distributed.
“While the reports about these attacks by CyberAv3ngers against Orpak devices span from mid-October 2023 to late January 2024, our team obtained a publicly available sample of IOCONTROL from VirusTotal, indicating the group relaunched their targeted campaign in July and August,” Claroty researchers said.
Claroty has shared a technical analysis of the IOCONTROL malware and its infrastructure, including indicators of compromise (IoCs).