Attack Surface Management, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Recent findings reveal that an Iranian state-sponsored hacking group is deploying sophisticated malware, described by experts as a “cyber weapon,” aimed at infiltrating Internet of Things (IoT) and Operational Technology (OT) infrastructures in both Israel and the United States. The research by Claroty, a cybersecurity firm based in New York, indicates that the group, known as “CyberAv3ngers,” has specifically targeted fuel management systems produced by the U.S. company Gilbarco Veeder-Root.
The malware, dubbed “IOControl,” was identified during an uptick in attacks connected to the Islamic Revolutionary Guard Corps (IRGC) since October 7, 2023. This date marks a significant escalation in tensions following Hamas’ incursion into Israel, leading to a series of cyber-attacks against institutions tied to U.S. technology. Claroty indicates that the group executed campaigns against Gilbarco Veeder-Root devices branded as “Orpak” from October 2023 to January, with evidence of a renewed effort against “Gasboy” systems from July or August.
In a broader context, these cyber hostilities reflect the ongoing proxy conflict between Israel and Iran, manifesting in cyber warfare in various locations, including Lebanon, Syria, and the Gaza Strip. Notably, this Iranian threat actor has previously compromised programmable logic controllers from Israeli manufacturers to disseminate anti-Israel sentiments. Simultaneously, claims emerged from CyberAv3ngers about breaching around 200 gas stations in the U.S. and Israel, effectively exposing vulnerabilities in critical infrastructure.
The implications of IOControl are significant, as it was custom-developed for IoT devices while impacting critical OT systems such as fuel pumps used widely at gas stations. Fuel management systems facilitate payment processing, pump control, and other essential functions. Claroty reports that initial assaults may have exploited exposed SSH services on these devices, starting with brute-force methods. Following initial access, the malware was deployed, prompting experts to recommend that asset owners enhance security measures by utilizing firewalls and Network Address Translation (NAT) to obscure device interfaces.
System administrators are urged to disable SSH access entirely or, at a minimum, enforce robust password policies to mitigate risks. The U.S. Department of the Treasury has responded to emerging threats by sanctioning six officials from the IRGC Cyber Electronic Command in February, directly linking them to CyberAv3ngers’ operations. Concurrently, the State Department has offered a reward of $10 million for any information leading to the identification or arrest of those involved in these cyber attacks.
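The two recommendations above (harden SSH, and treat a burst of failed logins as the first sign of the brute-force phase) can be checked on a device with a few lines of code. What follows is an added example written for this article, not code from Claroty or from the device vendor; the sshd_config excerpts, the auth.log lines, the hostname `pump01` and the thresholds (5 failures inside 60 seconds) are constructed assumptions.

```python
"""Defender checks for exposed SSH on an embedded device (added example).
Assumptions: OpenSSH-style sshd_config and auth.log formats; sample data below
is constructed, not taken from any real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd_config excerpt representing a weakly configured device.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
"""

# Hardened counterpart with the same directives set to safer values.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""


def audit_sshd_config(text):
    """Return findings for directives that leave SSH open to password guessing.
    A commented-out directive counts as absent (sshd's compiled-in default applies)."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    findings = []

    def want(key, ok, why):
        got = seen.get(key)
        if got is None:
            findings.append(f"{key} not set (sshd default applies); {why}")
        elif not ok(got):
            findings.append(f"{key} is '{got}'; {why}")

    want("permitrootlogin", lambda v: v == "no", "root must not log in over SSH")
    want("passwordauthentication", lambda v: v == "no", "use keys, not passwords")
    want("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "cap retries per connection")
    return findings


# Constructed auth.log lines in OpenSSH syslog format (no year is logged).
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:01 pump01 sshd[812]: Failed password for root from 198.51.100.7 port 50122 ssh2
Oct 12 03:14:03 pump01 sshd[812]: Failed password for root from 198.51.100.7 port 50124 ssh2
Oct 12 03:14:05 pump01 sshd[815]: Failed password for invalid user admin from 198.51.100.7 port 50130 ssh2
Oct 12 03:14:08 pump01 sshd[819]: Failed password for root from 198.51.100.7 port 50140 ssh2
Oct 12 03:14:10 pump01 sshd[822]: Failed password for root from 198.51.100.7 port 50142 ssh2
Oct 12 03:14:12 pump01 sshd[822]: Accepted password for root from 198.51.100.7 port 50142 ssh2
Oct 12 09:00:00 pump01 sshd[900]: Failed password for tech from 192.0.2.10 port 41000 ssh2
Oct 12 09:00:30 pump01 sshd[901]: Accepted publickey for tech from 192.0.2.10 port 41002 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def find_bruteforce(log, threshold=5, window_s=60, year=2024):
    """Report source IPs with >= threshold failed logins inside any window_s
    seconds, and whether a successful login followed the burst (the pattern
    that would indicate the guessing worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= timedelta(seconds=window_s):
                j += 1
            if j - i + 1 >= threshold:
                after = any(t >= times[j] for t in successes.get(ip, []))
                alerts[ip] = {"failures": j - i + 1, "success_after_burst": after}
                break
    return alerts


if __name__ == "__main__":
    print(audit_sshd_config(WEAK_SSHD_CONFIG))
    print(find_bruteforce(SAMPLE_AUTH_LOG))
```

On the constructed data the config audit flags all three weak directives and the log scan reports `198.51.100.7` with five failures followed by a successful password login, which is the event worth paging on; the single failure from `192.0.2.10` stays below the threshold. Where a device cannot take keys, the firewall or NAT rule the article recommends is the more reliable control than the password policy.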
Researchers have extracted a sample of IOControl from a Gasboy system, raising concerns about its persistence mechanism: the malware survives device reboots because it installs a backdoor as an init script at /etc/rc3.d/S93InitSystemd.sh, which the system runs at boot and which re-establishes access and control over the compromised device.
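Because the persistence lives in a SysV-style rc directory, an asset owner can catch it by comparing that directory against a baseline recorded from a known-good device: legitimate entries are normally symlinks into /etc/init.d, so a regular file dropped directly into /etc/rc3.d stands out. The following is an added example, not code from Claroty or the vendor; it builds a throwaway rc3.d in a temporary folder, using the script name from the report as a constructed stand-in (the file body is a placeholder, not the malware's contents), and the baseline mapping is an assumption about what an operator would record.

```python
"""Baseline audit of a SysV rc directory (added example).
Assumes baseline = {entry name: None for an expected symlink into init.d,
or a sha256 hex digest for an expected regular file}."""
import hashlib
import os
import tempfile

_ABSENT = object()  # sentinel distinct from None, which is a legal baseline value


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def audit_rc_dir(rc_dir, baseline):
    """Return (name, reason) findings for entries that deviate from the baseline."""
    findings = []
    present = set(os.listdir(rc_dir))
    for name in sorted(present):
        path = os.path.join(rc_dir, name)
        expected = baseline.get(name, _ABSENT)
        if expected is _ABSENT:
            kind = "symlink" if os.path.islink(path) else "regular file"
            findings.append((name, f"not in baseline ({kind})"))
        elif expected is None:
            if not os.path.islink(path):
                findings.append((name, "expected symlink, found regular file"))
        elif sha256_file(path) != expected:
            findings.append((name, "content hash changed"))
    for name in sorted(set(baseline) - present):
        findings.append((name, "expected entry missing"))
    return findings


def build_demo_dir():
    """Construct a temporary rc3.d with one legitimate symlink and one dropped-in
    regular script. Returns the rc3.d path."""
    root = tempfile.mkdtemp(prefix="rc-audit-demo-")
    initd, rc3 = os.path.join(root, "init.d"), os.path.join(root, "rc3.d")
    os.makedirs(initd)
    os.makedirs(rc3)
    with open(os.path.join(initd, "networking"), "w") as f:
        f.write("#!/bin/sh\n# constructed placeholder init script\n")
    os.symlink(os.path.join(initd, "networking"), os.path.join(rc3, "S01networking"))
    with open(os.path.join(rc3, "S93InitSystemd.sh"), "w") as f:
        f.write("#!/bin/sh\n# constructed stand-in; real contents not reproduced\n")
    return rc3


# Assumed baseline recorded from a clean device: only the networking symlink.
DEMO_BASELINE = {"S01networking": None}

if __name__ == "__main__":
    for name, reason in audit_rc_dir(build_demo_dir(), DEMO_BASELINE):
        print(f"{name}: {reason}")
```

Run against a real device, point `audit_rc_dir` at each /etc/rc*.d directory (and at /etc/init.d itself with hashes in the baseline) from read-only media or a forensic image, since a compromised host may lie about its own filesystem.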
Communication between the malware and its command and control servers occurs via MQTT over port 8883—an approach that leverages a lightweight messaging protocol well-suited for limited-bandwidth IoT environments. The use of DNS over HTTPS adds an additional layer of stealth, further complicating detection efforts. The versatility of IOControl is notable, as it has been demonstrated to compromise various devices across multiple manufacturers, highlighting a broad threat landscape.
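The transport details above translate directly into network detections: a fuel controller has no business opening MQTT-over-TLS (TCP 8883) sessions to a broker the operator did not provision, and HTTPS to a known DNS-over-HTTPS resolver from an OT segment means name resolution is bypassing the internal DNS server where it could be logged. Below is an added example, not code from Claroty; the flow-log format, the OT subnet 10.20.0.0/24, the approved broker 10.20.0.250 and the DoH resolver list are constructed assumptions that an operator would replace with their own.

```python
"""Egress detection for OT devices over constructed flow records (added example).
Assumes key=value flow lines as produced by a firewall or NetFlow exporter."""
import ipaddress
import re

OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")       # assumed pump/controller VLAN
ALLOWED_MQTT_BROKERS = {"10.20.0.250"}                 # assumed on-site broker
DOH_RESOLVERS = {"203.0.113.53"}                       # operator-maintained DoH list (constructed)
INTERNAL_DNS = {"10.20.0.2"}                           # assumed internal resolver

# Constructed flow records; 198.51.100.23 plays an unapproved external broker.
SAMPLE_FLOWS = """\
ts=2024-10-12T03:20:00Z src=10.20.0.15 dst=10.20.0.250 proto=tcp dport=8883
ts=2024-10-12T03:20:05Z src=10.20.0.15 dst=198.51.100.23 proto=tcp dport=8883
ts=2024-10-12T03:20:06Z src=10.20.0.15 dst=203.0.113.53 proto=tcp dport=443
ts=2024-10-12T03:21:00Z src=10.20.0.15 dst=10.20.0.2 proto=udp dport=53
ts=2024-10-12T03:22:00Z src=10.20.0.15 dst=198.51.100.23 proto=tcp dport=443
ts=2024-10-12T03:23:00Z src=10.20.0.15 dst=198.51.100.9 proto=udp dport=53
ts=2024-10-12T08:00:00Z src=10.30.1.9 dst=198.51.100.23 proto=tcp dport=8883
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    rec = dict(KV_RE.findall(line))
    rec["dport"] = int(rec["dport"])
    return rec


def flag_ot_egress(log):
    """Return (ts, src, dst, dport, reason) for flows from the OT subnet that
    match the IOControl transport profile or sidestep internal DNS."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_flow(line)
        if ipaddress.ip_address(r["src"]) not in OT_SUBNET:
            continue  # scope the rule to the OT segment to keep noise down
        reason = None
        if r["proto"] == "tcp" and r["dport"] == 8883 and r["dst"] not in ALLOWED_MQTT_BROKERS:
            reason = "MQTT/TLS to unapproved broker"
        elif r["proto"] == "tcp" and r["dport"] == 443 and r["dst"] in DOH_RESOLVERS:
            reason = "HTTPS to known DoH resolver"
        elif r["dport"] == 53 and r["dst"] not in INTERNAL_DNS:
            reason = "DNS bypassing internal resolver"
        if reason:
            findings.append((r["ts"], r["src"], r["dst"], r["dport"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_ot_egress(SAMPLE_FLOWS):
        print(f)
```

The rule is deliberately an allowlist: on an OT segment the set of legitimate brokers and resolvers is small and known, so anything else on 8883 or to a DoH endpoint is worth a ticket. Plain 443 traffic to an unknown host (the fifth record) is not flagged on its own, which is the blind spot DoH creates and the reason the MQTT and resolver checks matter.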