Iran’s Cyber Av3ngers Hacks 200 Gas Pumps Then Heads to U.S.


The Iranian-linked group Cyber Av3ngers is hacking all types of industrial machines and devices.

Gas pumps, routers, human-machine interfaces, IP cameras, you name it — if it’s an industrial machine, it’s fair game.

The group’s custom-built malware, IOCONTROL, is a backdoor aimed at Internet of Things (IoT) and industrial devices, and it may be coming to a gas pump near you.

Techopedia explores this emerging threat and what the experts say about it.

Key Takeaways

  • A state-sponsored hacking group, Cyber Av3ngers, is actively targeting critical infrastructure in the US and Israel.
  • The group has developed a new, highly sophisticated malware called IOCONTROL, which can compromise a wide range of industrial devices, including gas pumps, routers, and PLCs (Programmable Logic Controllers).
  • This malware poses a serious threat to critical infrastructure, potentially leading to disruptions in essential services like fuel supply and water treatment.
  • Organizations in critical infrastructure sectors must prioritize cybersecurity measures, including regular vulnerability assessments, patch management, and network segmentation.

Team82 Explains Iran’s Black Hat Hackers’ New Malware

Claroty’s security research unit Team82 investigated IOCONTROL, the malware tool used by the Iranian group Cyber Av3ngers.

Cyber Av3ngers claims it has already hacked 200 gas pumps in Israel with this malware.

Cyber Av3ngers’ Telegram channel, which the group used to claim it had hacked 200 gas pumps in Israel. (Techopedia)

Team82 found that, besides gas pumps, IOCONTROL targets industrial and IoT devices made by Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and other companies.

Team82 says the malware was coded from scratch, which demonstrates the skill level of this group.

Given the number of manufacturers whose devices are affected, it is reasonable to speculate that Cyber Av3ngers is composed of at least a dozen hackers willing to go the extra technical mile.

Their goal appears to be remotely disrupting and sabotaging critical infrastructure that services civilians in Israel and the U.S.

The U.S. Department of the Treasury has issued sanctions against six Islamic Revolutionary Guard Corps Cyber Electronic Command (IRGC-CEC) officials linked to the Cyber Av3ngers.

The U.S. State Department’s Rewards for Justice program has also offered up to $10 million for information that leads to the identification or location of anyone involved in the attacks.

200 Gas Pumps Hacked and Counting

Gasboy pump system, targeted and breached by Cyber Av3ngers. (Gasboy)

Cyber Av3ngers claimed in a Telegram post that it had hacked 200 gas stations in Israel and the U.S. between mid-October 2023 and late January 2024.

Team82 found that IOCONTROL had been deployed on several hundred fuel management systems made by Israel-based Orpak Systems and U.S.-based Gasboy.

Team82 spoke about what hackers can do when they have control of a gas pump.

“IOCONTROL was hiding inside Gasboy’s Payment Terminal, called OrPT. An attacker with full control over the payment terminal has the ability to shut down fuel services and potentially steal credit card information from customers.”

Team82’s analysis of the malware’s supported commands shows that it can do far more than that.

For example, IOCONTROL has a self-delete command. Removing the malware and its traces hinders forensic analysis, and an abrupt removal can potentially leave a gas pump or other device in an unstable state or with critical functions compromised.

It can also execute arbitrary operating-system commands on the device, which lets the operators disrupt its normal functioning or disable specific components of an industrial device.

The malware can also scan ports to find further targets, report device and network details back to its operators, and overload a device with excessive requests or commands until it crashes or becomes unresponsive.

As noted, IOCONTROL has been found on gas pumps, IP cameras, routers, PLCs, HMIs, firewalls, and more.

Cyber Av3ngers Telegram post saying they are going after every piece of equipment made in Israel and threatening water security incidents. (Moonlock)

Critical Infrastructure Malware: Technical Analysis

Cyber Av3ngers’ initial phase of attack is reconnaissance. They scan for vulnerable, internet-exposed industrial devices and probe their attack surface (firmware updates, management apps, software, cloud services).

Vulnerability scanning, which defenders also do to strengthen their security posture, can be automated. Turning scan results into working access is another matter; it takes time, know-how, and creativity.

Once Cyber Av3ngers find an exploitable weakness, they use it to deliver the malware and install it on the victim device.

IOCONTROL uses MQTT, the lightweight publish/subscribe protocol common in IoT deployments, for its command-and-control (C2) channel, over TLS on TCP port 8883. Because MQTT traffic is expected from IoT devices, the beacon to the Cyber Av3ngers C2 server blends in with legitimate traffic.

To find the C2 server, IOCONTROL resolves the C2 hostname with DNS over HTTPS (DoH) through Cloudflare’s resolver rather than with a plaintext DNS query, so the lookup is not visible to a passive network tap as a DNS request.

“Instead, they used an encrypted protocol (HTTPS), meaning that even if a network tap exists, the traffic is encrypted so they won’t be discovered,” Team82 said.
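A detection worked through on constructed connection records, to make the DoH-then-MQTT sequence above concrete: a host looks up a name through Cloudflare DoH and, shortly after, opens an MQTT session to a broker that is not on the allowlist. This is an added example, not code from Claroty or from the article. The record format, the host addresses, the internal broker address and the five-minute window are assumptions; the only real constants are Cloudflare's public resolver addresses and the standard MQTT ports.

```python
"""Flag hosts that resolve a name over Cloudflare DoH and then open an MQTT
session to a non-allowlisted broker (the beacon sequence described above).
Added example; the record format below is constructed, not a real tool's output."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cloudflare's public DoH resolver (real addresses); add other resolvers as needed.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one"}
MQTT_PORTS = {1883, 8883}          # plaintext MQTT and MQTT over TLS
WINDOW = timedelta(minutes=5)      # assumed maximum gap between lookup and connect


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int
    sni: str = ""


def parse_line(line: str) -> Conn:
    """Constructed record format: '<ISO timestamp> <src> <dst> <dport> [TLS SNI]'."""
    parts = line.split()
    ts, src, dst, dport = parts[:4]
    sni = parts[4] if len(parts) > 4 else ""
    return Conn(datetime.fromisoformat(ts), src, dst, int(dport), sni)


def is_doh(c: Conn) -> bool:
    # DoH rides on 443; match on the resolver IP or on the SNI in the TLS hello,
    # since the resolver may also be reached through a CDN address.
    return c.dport == 443 and (c.dst in DOH_RESOLVER_IPS or c.sni in DOH_SNI)


def find_beacons(lines, internal_brokers=frozenset()):
    """Return (severity, src, dst, ts) tuples.

    high   - MQTT to an unknown broker within WINDOW of a DoH lookup by the same host
    medium - MQTT to an unknown broker with no recent DoH lookup
    MQTT to an allowlisted internal broker is never flagged."""
    conns = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda c: c.ts)
    last_doh = {}   # src -> timestamp of its most recent DoH lookup
    alerts = []
    for c in conns:
        if is_doh(c):
            last_doh[c.src] = c.ts
        elif c.dport in MQTT_PORTS and c.dst not in internal_brokers:
            recent = c.src in last_doh and c.ts - last_doh[c.src] <= WINDOW
            alerts.append(("high" if recent else "medium", c.src, c.dst, c.ts.isoformat()))
    return alerts


# Constructed sample traffic from an OT segment. RFC 5737 documentation
# addresses stand in for external hosts; 10.20.30.5 is the assumed internal broker.
SAMPLE_LOG = """\
2024-01-15T02:00:01 10.20.30.41 1.1.1.1 443 cloudflare-dns.com
2024-01-15T02:00:03 10.20.30.41 203.0.113.7 8883
2024-01-15T02:10:00 10.20.30.55 10.20.30.5 1883
2024-01-15T02:11:00 10.20.30.55 1.1.1.1 443
2024-01-15T02:20:00 10.20.30.77 198.51.100.9 443 cloudflare-dns.com
2024-01-15T02:21:30 10.20.30.77 203.0.113.7 8883
2024-01-15T03:30:00 10.20.30.41 203.0.113.7 8883
"""
INTERNAL_BROKERS = frozenset({"10.20.30.5"})

if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG.splitlines(), INTERNAL_BROKERS):
        print(*alert)
```

On the sample data this yields two high alerts (10.20.30.41 and 10.20.30.77, each connecting out on 8883 within seconds of a DoH lookup) and one medium alert for the later 10.20.30.41 session, while the host talking only to the internal broker is ignored. In an OT segment a DoH lookup on its own is already worth a ticket, since gas pumps and PLCs have no business talking to a public resolver over HTTPS; the sequence rule just raises the priority.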

Before connecting to the attacker-controlled C2 server, the malware sets up persistence: it adds a boot script under rc3.d so that it is relaunched every time the device restarts.
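A check a responder could run against the rc3.d persistence mechanism above, added here as an example rather than as Claroty's or the article's code. It assumes the SysV convention that legitimate entries in /etc/rc3.d are symlinks into /etc/init.d, which holds on Debian-style layouts but should be confirmed for each device's firmware. It builds a throwaway directory tree so that it runs offline; the script names in that tree are made up.

```python
"""Audit a SysV rcN.d directory for entries that look like dropped persistence.
Added example; assumes rc3.d should contain only symlinks into init.d, which is
the Debian-style SysV convention and must be verified per device."""
import os
import tempfile


def audit_rc_dir(rc_dir, baseline, init_d="/etc/init.d"):
    """Return [(name, [reasons])] for each entry in rc_dir that is not in the
    baseline set of expected names or breaks the symlink-into-init.d rule."""
    init_prefix = init_d.rstrip("/") + "/"
    findings = []
    for name in sorted(os.listdir(rc_dir)):
        path = os.path.join(rc_dir, name)
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline")
        if os.path.islink(path):
            target = os.readlink(path)
            resolved = target if os.path.isabs(target) else os.path.normpath(os.path.join(rc_dir, target))
            if not resolved.startswith(init_prefix):
                reasons.append(f"symlink target outside init.d: {target}")
        else:
            # A regular file here runs at boot with no init.d script behind it.
            reasons.append("regular file, not a symlink")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_demo():
    """Create a constructed rc3.d tree with one legitimate entry and two
    suspicious ones, audit it, and return the findings."""
    root = tempfile.mkdtemp()
    init_d = os.path.join(root, "init.d")
    rc3 = os.path.join(root, "rc3.d")
    os.makedirs(init_d)
    os.makedirs(rc3)
    open(os.path.join(init_d, "networking"), "w").close()
    os.symlink("../init.d/networking", os.path.join(rc3, "S20networking"))  # expected entry
    os.symlink("/tmp/.cache/run.sh", os.path.join(rc3, "S95cache"))         # points outside init.d
    with open(os.path.join(rc3, "S99dropped.sh"), "w") as f:                # dropped boot script
        f.write("#!/bin/sh\n/var/tmp/.agent &\n")
    return audit_rc_dir(rc3, baseline={"S20networking"}, init_d=init_d)


if __name__ == "__main__":
    for name, reasons in build_demo():
        print(name, "->", "; ".join(reasons))
```

On a real device, run audit_rc_dir against /etc/rc3.d (and the other runlevel directories) with a baseline captured from a known-good unit running the same firmware, and treat any regular file or out-of-tree symlink as a candidate for offline analysis before touching it, since the self-delete command described above means evidence can disappear once the operators notice.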

Team82’s reconstruction of IOCONTROL’s MQTT connect message to its C2 servers. (Team82)

If you work in industrial cybersecurity, we recommend reading the full technical report. It includes a detailed unpacking of the malware as well as a full list of Indicators of Compromise (IoCs).

Who Are Cyber Av3ngers?

You might remember the 2023 Thanksgiving hacks. If not, here is a quick reminder.

During Thanksgiving 2023, while a ransomware group shut down emergency healthcare providers and re-routed ambulances in New Jersey, New Mexico, and Oklahoma, a smaller cyberattack hit the water provider of a small town in Pennsylvania. Cyber Av3ngers was the group behind that water-sector hack.

The Aliquippa water attack, which compromised an internet-exposed Unitronics PLC, did not cause major damage, but it proved that water systems were vulnerable. Cyber Av3ngers has also targeted other water systems and critical infrastructure sectors.

The Bottom Line

Cyber Av3ngers’ work is far from over. We expect this group of black hat hackers to increase cyber attacks against the critical infrastructure sector that serves civilians.

Driven by geopolitical conflict, the U.S. and Israel are the obvious first targets.

With the capability to remotely disrupt or sabotage water, sanitation, energy, government, and industrial systems, Cyber Av3ngers poses a significant risk.

Cybersecurity experts and U.S. authorities such as CISA have issued extensive guidance to support the critical infrastructure sector in modernizing and securing its operations.

We recommend prioritizing cybersecurity by conducting regular vulnerability assessments, applying security patches promptly, keeping software up to date, removing PLCs and payment terminals from direct internet exposure, changing default credentials, and segmenting OT networks from IT networks and the internet.


Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.