$10M Bounty Extended for CyberAv3ngers Hacker

The U.S. State Department is focused on "Mr. Soul" and his attacks on U.S. infrastructure.


The U.S. State Department continues to seek information on the Iran-based, state-sponsored hacking group calling itself the CyberAv3ngers. The group gained notoriety after hacking Unitronics PLCs used at Israeli water treatment facilities. However, the attack ended up impacting a number of other plants around the globe, including utilities, processing plants and breweries here in the U.S.

The group has continued to target the industrial control systems of critical infrastructure organizations around the world, which led to the significant target now placed on its back. It has also been connected with Iran's Islamic Revolutionary Guard Corps Cyber-Electronic Command. Last week the State Department issued a new reward centered around an online persona known as Mr. Soul or Mr. Soll.

“CyberAv3ngers actors have utilized malware known as IOCONTROL to target [Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA)] devices used by critical infrastructure sectors in the United States and worldwide,” the State Department said. 

Claroty's Group 82 has done extensive work on the IOCONTROL malware used by the CyberAv3ngers. It targets routers, PLCs, HMIs, firewalls, IP cameras, and Linux-based IoT and OT platforms. Claroty states that "while the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration." 

In February, the U.S. Department of the Treasury announced sanctions against six IRGC-CEC officials linked to the CyberAv3ngers and offered the initial bounty for information leading to the identification or location of anyone involved in the attacks. 
