By Sufyan Sohail ⏐ 3 weeks ago ⏐ 3 min read
US Fights Iranian Cyberattacks: $10M Reward for IOControl Hacker Info

The U.S. State Department has announced a reward of up to $10 million for information leading to the identification of Iranian hackers responsible for deploying the IOControl malware. This malware specifically targets critical infrastructure like industrial control systems in the United States, Israel, and worldwide. This initiative falls under the Rewards for Justice (RFJ) program.

The reward specifically targets individuals associated with the hacking group known as CyberAv3ngers. This group gained prominence in 2023 and 2024 for a series of cyberattacks, particularly on U.S. and Israeli water utilities. U.S. law enforcement agencies have tied CyberAv3ngers to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The U.S. views CyberAv3ngers as a “persona” used by the Iranian government to conduct malicious cyber activities.

The latest reward notice is centered around an online persona identified as “Mr. Soul” or “Mr. Soll,” who is associated with CyberAv3ngers.

The Malware: IOControl

IOControl (also known as OrpaCrab) is a custom-built malware designed to target Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices. These systems are crucial for managing and operating critical infrastructure sectors like water, energy, and manufacturing.

The malware gives the operators remote control of infected devices and supports lateral movement within a victim’s network, enabling further compromise. Researchers at Claroty have observed IOControl deployed against industrial and IoT products from a range of vendors, including Unitronics, D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, and Teltonika.

IOControl has previously been linked to attacks on:

  • Water treatment facilities in the U.S. (e.g., Aliquippa, Pennsylvania) and Israel.
  • Fuel management systems, including those made by Orpak Systems (Israeli) and Gasboy (U.S.). In one instance, hackers allegedly compromised hundreds of these systems.

IOControl is built for IoT devices, but its targets sit directly in Operational Technology (OT) such as fuel pumps. It uses MQTT over TLS for command-and-control (C2), so its traffic blends in with the legitimate telemetry that IoT platforms already emit. Supported commands include executing arbitrary commands on the device and running port scans, which is how it finds further systems to pivot to. For persistence it installs itself as a daemon; for stealth it is packed with a modified UPX that standard tooling does not unpack cleanly, and it resolves its C2 domain over DNS over HTTPS (DoH), so the lookup never appears in conventional DNS logs.
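The behaviours described above (MQTT over TLS to an unexpected broker, DoH lookups from a device that should never need them, and port scanning from a compromised device) are all visible in ordinary connection logs if you know which sources to watch. The script below is an added example, not code from the article or from Claroty: it reads constructed connection records of the form `ts src_ip dst_ip dst_port proto`, and raises an alert when an asset in a constructed OT/IoT inventory does any of the three. The inventory, broker allowlist and resolver list are assumptions for the example; in practice you would feed it Zeek `conn.log` or firewall exports and your own CMDB.

```python
"""Hunting for IOControl-style C2 behaviour in connection logs (added example).

Flags three behaviours attributed to IOControl when they originate from
OT/IoT assets:
  1. outbound MQTT over TLS (tcp/8883) to a broker not on the allowlist,
  2. outbound HTTPS to a public DNS-over-HTTPS resolver,
  3. a burst of connections to many distinct ports on one host (port scan).
All inventories and log lines below are constructed for the example.
"""
from collections import defaultdict

# Constructed OT/IoT asset inventory (assumption: exported from your CMDB).
OT_ASSETS = {"10.20.0.11": "fuel-controller-01", "10.20.0.12": "plc-water-02"}

# Constructed allowlist of MQTT brokers these devices are expected to talk to.
ALLOWED_MQTT_BROKERS = {"10.20.0.5"}

# Well-known public DoH resolver addresses (illustrative, not exhaustive).
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

PORT_SCAN_THRESHOLD = 20   # distinct destination ports from one source to one host
PORT_SCAN_WINDOW = 60.0    # seconds


def parse_conn_line(line):
    """Parse a whitespace-separated record: ts src_ip dst_ip dst_port proto."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect(lines):
    """Return a list of (rule, asset_name, destination) alerts, in log order."""
    alerts = []
    scan_ports = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    for rec in map(parse_conn_line, lines):
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if src not in OT_ASSETS:
            continue  # only connections initiated by OT/IoT assets are in scope
        name = OT_ASSETS[src]

        # Rule 1: MQTT/TLS to a broker we did not provision for this device.
        if rec["proto"] == "tcp" and dport == 8883 and dst not in ALLOWED_MQTT_BROKERS:
            alerts.append(("mqtt_tls_unexpected_broker", name, dst))

        # Rule 2: an OT device has no business resolving names over DoH.
        if rec["proto"] == "tcp" and dport == 443 and dst in DOH_RESOLVERS:
            alerts.append(("doh_from_ot_asset", name, dst))

        # Rule 3: many distinct ports on one host inside the window = vertical scan.
        window = scan_ports[(src, dst)]
        window.append((rec["ts"], dport))
        window[:] = [(t, p) for t, p in window if rec["ts"] - t <= PORT_SCAN_WINDOW]
        if len({p for _, p in window}) >= PORT_SCAN_THRESHOLD:
            alerts.append(("port_scan", name, dst))
            window.clear()   # one scan should produce one alert, not one per port
    return alerts


# Constructed sample log: a benign broker session, a C2 session to an unknown
# broker, a DoH lookup, an out-of-scope workstation, and a 25-port scan.
SAMPLE_LOG = [
    "1700000000.0 10.20.0.11 10.20.0.5 8883 tcp",      # expected broker: fine
    "1700000001.0 10.20.0.11 203.0.113.7 8883 tcp",    # unknown broker: C2 candidate
    "1700000002.0 10.20.0.12 1.1.1.1 443 tcp",         # DoH from a PLC
    "1700000003.0 10.20.0.40 203.0.113.7 8883 tcp",    # not an OT asset: ignored
] + [
    f"{1700000010 + i * 0.1:.1f} 10.20.0.11 10.20.0.30 {port} tcp"
    for i, port in enumerate(range(1, 26))
]


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The three rules are deliberately narrow: they key on the originating asset being an OT/IoT device, because MQTT over TLS and DoH are perfectly normal from a laptop and only become suspicious when the source is a fuel controller or PLC. Tune the scan threshold and window to your own baseline before enabling it on live data.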

This reward comes amidst a widening military and cyber conflict between Israel and Iran. U.S. officials believe Iranian cyber activities, particularly targeting critical infrastructure, could intensify. The U.S. Treasury Department has also sanctioned individuals linked to the IRGC-CEC.

The IOControl campaigns have not always been technically sophisticated; many intrusions relied on devices exposed directly to the internet and still using vendor default credentials. They have nonetheless caused real disruption, including cutting off water supplies, and the goal often appears to be a projection of power and the instilling of fear rather than any specific operational effect. The practical defence follows directly from how the attackers got in: take PLCs and fuel controllers off direct internet exposure and change the default passwords.