Ioncontrol: silent cyber weapon
CybersecurityHQ Report
Welcome, reader, to your CybersecurityHQ report
—
Brought to you by:
Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses
—
Notes:
Nebojsa (Nesha) Todorovic, award-winning writer at Hacker Noon, joins the Defend & Conquer newsletter as a guest author. Nesha has won multiple accolades, including “Noonies2020 Most Controversial Writer” and “Noonies2022 Critical Thinker of the Year.” He is also a top-rated writer in remote work and WEB3, with numerous writing contest victories.
—
There is a famous line from Sun Tzu's "Art of War" that every battle is won or lost before it is ever fought. While we're at the famous lines about wars, we should mention Albert Einstein in the context of modern cyber warfare.
"I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones."
It's possible to be wrong and right at the same time. He was clearly worried about the aftermath of a global nuclear war. Unfortunately, we must consider an additional, highly targeted, covert cyber warfare dimension: one that attacks under the cover of digital darkness and "cherry-picks" targets we don't even consider as such.
"Hacktivist groups from Iran, Iraq, Lebanon, and Sudan are working together under the campaign name "OpIsrael" to pool their resources and expertise to launch more sophisticated and destructive attacks. These attacks aim to disrupt infrastructure, gather intelligence, or spread propaganda to undermine Israel's war efforts. Israeli-based cybersecurity firm Check Point Software tracked over 40 cybergroups conducting attacks on government and media sites during Hamas' initial attack. As of July 2024, Israel reported that Iran and Iran-backed groups have been responsible for roughly three billion cyberattacks, with Israel's cyber defenses successfully preventing almost every attack."
Country | Target | Primary Objective | Attack Type | Status |
---|---|---|---|---|
Iran | Israeli government | Disrupt infrastructure | DDoS, data exfiltration | Active |
Iran | Israeli media | Spread propaganda | Website defacement | Active |
Iraq | Israeli military | Intelligence gathering | Phishing, espionage | Active |
Lebanon | Israeli civilians | General disruption | Ransomware, DDoS | Active |
Sudan | Israeli economy | Economic disruption | Data exfiltration, DDoS | Active |
Iran | Israeli infrastructure | Sabotage and disruption | Malware, ransomware | Active |
Lebanon | Israeli government | Disrupt defense systems | Advanced persistent threat (APT) | Active |
Iran | Israeli infrastructure | Data theft | SQL injection | Active |
Iraq | Israeli military | Intelligence gathering | Spear phishing | Active |
Iran | Israeli media | Disinformation campaigns | Fake news, DDoS | Active |
Sudan | Israeli government | Infrastructure disruption | Ransomware | Active |
Iran | Israeli energy sector | Sabotage and espionage | APT, data theft | Active |
Lebanon | Israeli economy | Disrupt operations | DDoS, phishing | Active |
Iraq | Israeli military | Cyber reconnaissance | Malware | Active |
Sudan | Israeli media | Propaganda spread | Website defacement | Active |
Iran | Israeli infrastructure | Disrupt critical services | Ransomware, APT | Active |
Lebanon | Israeli government | Sabotage | Malware, data exfiltration | Active |
Iran | Israeli civilians | General disruption | DDoS, data exfiltration | Active |
Iraq | Israeli infrastructure | Disrupt economy | SQL injection | Active |
Iran | Israeli media | Spread propaganda | Fake news, DDoS | Active |
Sudan | Israeli infrastructure | Disrupt operations | Ransomware, APT | Active |
Lebanon | Israeli economy | Economic disruption | Phishing | Active |
Iran | Israeli defense | Gather intelligence | APT, data exfiltration | Active |
Iraq | Israeli media | Spread disinformation | Website defacement | Active |
Sudan | Israeli economy | Financial sabotage | Data exfiltration | Active |
Iran | Israeli government | Cyber espionage | Phishing, malware | Active |
Lebanon | Israeli infrastructure | Disrupt critical services | Ransomware | Active |
Iraq | Israeli military | Intelligence gathering | DDoS | Active |
Sudan | Israeli civilians | General disruption | Ransomware | Active |
Iran | Israeli media | Propaganda and sabotage | Fake news, DDoS | Active |
Lebanon | Israeli infrastructure | Data exfiltration | SQL injection | Active |
Iraq | Israeli economy | Economic disruption | Ransomware, phishing | Active |
Sudan | Israeli defense | Cyber attacks on defense | APT | Active |
Iran | Israeli infrastructure | Cyber sabotage | Malware | Active |
Lebanon | Israeli military | Intelligence gathering | Malware | Active |
Iraq | Israeli civilians | General disruption | Ransomware | Active |
Sudan | Israeli media | Spread propaganda | Fake news | Active |
Iran | Israeli government | Sabotage and espionage | APT, malware | Active |
Lebanon | Israeli military | Intelligence gathering | Malware | Active |
Sudan | Israeli infrastructure | Disrupt defense systems | Phishing | Active |
Let that sink in - three billion cyberattacks since July! Kudos to Israel's cyber defenders, but in the merciless world of cybersecurity, prevention or elimination of "almost every attack" or threat isn't an optimistic statement. It only takes one successful cyber penetration to cause mayhem and a complete collapse of entire systems.
The Latest Cybersecurity Goal - Deal With IOCONTROL
"Iran-affiliated threat actors have been linked to a new custom malware that's geared toward IoT and operational technology (OT) environments in Israel and the United States."
Given the high tensions, labeling IOCONTROL as just another new malware is inaccurate. Let's call it what it is: a highly sophisticated cyberweapon developed and used by foreign entities to specifically target and attack civilian critical infrastructure in the USA and Israel.
IOCONTROL "is essentially custom built for IoT devices but also directly impacts OT such as the fuel pumps that are heavily used in gas stations."
Almost all OT (operational technology) devices are potential targets, including "routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms." Two factors make it extremely dangerous and harmful:
Thanks to its modular configuration and generic design, it can be adapted to affect a variety of platforms from different vendors.
Fuel management systems are particularly vulnerable and, as a result, meticulously attacked. At one point, IOCONTROL directly jeopardized hundreds of US-made Gasboy and Israeli-made Orpak Systems fuel management systems in both the USA and Israel.
"For secure communication between compromised devices and the attackers, IOCONTROL leverages the MQTT protocol as a dedicated IoT communication channel. The attackers could disguise traffic over MQTT to and from the attackers' command-and-control infrastructure."
CyberAv3ngers vs. Cybersecurity Power Rangers
Where there's fuel, there's water on the target list. The hacker group operating under the codename CyberAv3ngers published a claim on Telegram stating that it had attacked 200 gas stations in Israel and the US. Following the attacks on water treatment facilities, the US State Department revealed that Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is behind the group and offered a reward of up to $10 million for information leading to the identification or location of these individuals.
The terminology used was far from ambiguous. CyberAv3ngers are no "ordinary" hackers, but legitimate Iranian military officials conducting "unconscionable and dangerous" activities, which can't be tolerated due to their severity:
"CyberAv3ngers, affiliated with the IRGC-CEC and Mahdi Lashgarian, targeted and compromised the Vision series of programmable logic controllers (PLCs) made by Israel-based Unitronics. The PLCs are used by the water and wastewater, energy, food and beverage, manufacturing, healthcare, and other industries, and may be rebranded as manufactured by other companies."
New Cyber Threats - New Cyberwarfare Precedents
It's evident that in the theater of cyberwar, anything and everything can be treated as a target. Attacks on the civil infrastructure are creating and legitimizing dangerous precedents.
"The Israeli military conducted consecutive airstrikes against houses in the Gaza Strip that were allegedly home to Hamas cyber operations. Israel remains the only nation-state to have responded to cyber threats or cyber attacks through conventional military force. International concerns around establishing this precedent largely revolve around the perennial issue of how states can respond proportionately to cyberattacks."
The United States and Israel are similar but not identical. Yet, we are one hacker's attack away from a "cyber 9/11." The Washington Post didn't hesitate to ask whether we are "sleepwalking toward a cyber 9/11" after what was, at the time, an unprecedented attack on the water supply in Oldsmar, FL.
"The unspoken understanding that all nations are engaging in cyber offensives has ensured state responses to significant incidents have remained confined to diplomatic reprimand and unattributed retaliation in cyberspace. This mutual understanding is evident in the US's response to the 2014 hacking of Sony Pictures Entertainment by North Korea, where President Obama limited the US's retaliations to economic sanctions and public disapproval. Similarly, US cyber offensives against Iran in 2018 elicited responses contained to cyberspace, despite escalating tensions between the two nations at the time."
The world has changed dramatically in the meantime. The ego of Kim Jong-Un over a comical depiction in a movie is the least of real-life worries for the world's safety. In striking contrast, Stuxnet is not a work of fiction, and it has already been "tested" at a "smaller" scale.
"The capacity for cyberwarfare to cause physical destruction was established in the 2009 Stuxnet attack where Iran's nuclear facilities were targeted by malware, which caused the nuclear centrifuges to spin undetected at unsafe speeds. The resulting physical damage demonstrated how cyberspace could affect conventional military capabilities."
Even in the worst imaginable scenario that includes nuclear warheads, there's still enough time and reason to act. That's not the case with modern cyberwarfare. One more serious cyber attack on the water supply system on American soil could easily change the "usual" counter-cyber response attitude. Stuxnet "only" damaged the Iran nuclear program. This time, the US air strikes could aim to completely eliminate the Iranian nuclear threat by conventional military force.
Are We Waiting For An "Excuse" While Iran Has Nothing To Lose?
Can IOCONTROL be kept under control?
"IOCONTROL malware is based on a generic OT/IoT malware framework for embedded Linux-based devices that are utilized and compiled against specific targets as needed. The malware communicates with a C2 over a secure MQTT channel and supports basic commands, including arbitrary code execution, self-delete, port scan, and more. This functionality is enough to control remote IoT devices and perform lateral movement if needed."
This is the result of research conducted by Claroty's Team82. The keywords from their thorough IOCONTROL analysis are extremely troubling:
a generic OT/IoT malware framework
utilized and compiled against specific targets as needed
arbitrary code execution
perform lateral movement if needed
Furthermore, their findings were "extracted from a Gasboy/ORPAK device, a fuel system platform. However, IOCONTROL was used to attack IoT and SCADA devices of various types, including IP cameras, routers, PLCs, HMIs, firewalls, and more from different vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others."
So, it's up to CyberAv3ngers to decide when and where to strike again. More importantly, how far would they be willing to go with their next attack?
It's one thing to lose access to fuel or even water for a limited period of time as a result of a cybersecurity failure or weakness, but awareness of potential cyber penetration within homes, and at a much larger scale, is the next level. We have every reason to fear that neither a voice of reason nor the top cybersecurity division will be able to prevent public outrage and demands for retribution by any means and weapons available.
In the aftermath of the tragic events of the Hamas attack, "the army has launched multiple investigations into the failures of 7 October, and the head of military intelligence has resigned." The response brought the world to the very edge of WW3.
The IOCONTROL failure resulted in a $10 million reward for Iranian military cyber division members. The road to Damascus has a completely new meaning after the fall of Assad.
After a battle, everyone is a general. After a cyberattack, everyone is a cybersecurity expert. It's difficult to prevent all cyber threats, but it's even more challenging to rebuild a world in ruins after full-scale cyber warfare. Back to Einstein's ominous prediction, with a small adjustment: we wouldn't be using sticks and stones to fight another war, but powerless gadgets and machines for basic survival.
Stay safe, stay secure.
The CybersecurityHQ Team