The discovery of the IOCONTROL malware and backdoor has sparked new concerns about the activity of advanced actors targeting civilian critical infrastructure around the world. Claroty Team82 recently published an extensive technical research blog on the malware, explaining its capabilities and targeting of IoT devices. Its modular configuration also makes it possible for the malware to infect operational technology (OT) and SCADA devices such as PLCs and HMIs.
On this episode of the Nexus Podcast, Team82 researcher Noam Moshe provides some technical details on IOCONTROL, how and where it’s been used and what defenders should be doing about it.
“The major functionality of [IOCONTROL] is a [Linux-based] backdoor, basically acting like a RAT (remote access Trojan), allowing the attackers to remotely access infected devices. And basically what it does is that immediately on infection, it will call back to the [command and control] server of the attacker, reach back, tell it, hey, I've been infected.”
Device and system information is relayed back to the C&C server, and the infected device then waits for commands to execute.
“After some unpacking, it will call back to the C&C server and then the attackers can fully control the host that was infected with this malware, meaning they can simply get some information about the platform like what is the platform architecture so they can issue OS commands to it,” Moshe said.
Team82 describes how Orpak and Gasboy devices deployed at fuel stations were discovered to be infected with IOCONTROL, giving the attackers the ability to disrupt fuel services at stations in the U.S. and Israel. Other victims have already been identified, dating back to the Unitronics attacks of late 2023. Devices such as IP cameras, routers, PLCs, HMIs, firewalls, and more have been infected, affecting vendors including Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and others.
“They can simply cause denial of service, meaning stopping services, deleting files, basically disrupting the behavior of this attacked machine,” Moshe said. “The target was mainly OT- and IoT- centric, meaning it could be like a module on a gas station, it could be a firewall, access point, an IP camera, a varied set of targets.”
Beyond reconnaissance, the backdoor gives the attackers full control of compromised devices, including arbitrary command execution.
Moshe recommends that defenders sweep their environments with the indicators of compromise published in the Team82 blog to detect possible infections or related malicious activity. Internet-facing devices were heavily targeted, so he recommends that remote connections to such devices be made behind a virtual private network or a secure remote access solution rather than exposing the devices directly to the internet.
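One way to operationalize a published IoC list is a simple sweep that checks DNS, proxy and firewall log lines for listed C2 domains and IPs (including subdomains of a listed domain) and compares file hashes against listed SHA-256 values. The script below is an added example and is not Claroty/Team82 code; the indicator values, log lines and file contents in it are constructed placeholders, not the real IOCONTROL indicators, which must be loaded from the Team82 blog into the same structures.

```python
"""IoC sweep over log lines and file hashes.

Added example (not Claroty/Team82 code). Every indicator, log line and
file below is constructed for illustration; replace IOCS with the
indicators published in the Team82 blog.
"""
from __future__ import annotations

import hashlib
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class IocSet:
    """Indicator list in the shape a published IoC table is usually loaded into."""
    sha256: set[str] = field(default_factory=set)
    domains: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)


# Constructed placeholder indicators (assumption: same shape as a real IoC list).
IOCS = IocSet(
    sha256={hashlib.sha256(b"constructed-sample-payload").hexdigest()},
    domains={"c2.example.invalid"},
    ips={"203.0.113.10"},
)

# Loose tokenizers: a dotted hostname ending in a letter-only label, and a dotted quad.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log_line(line: str, iocs: IocSet) -> list[str]:
    """Return IoC hits ("type:value") found in one DNS/proxy/firewall log line."""
    hits: list[str] = []
    for d in DOMAIN_RE.findall(line):
        d = d.lower()
        # Match the listed domain itself or any subdomain of it.
        if any(d == bad or d.endswith("." + bad) for bad in iocs.domains):
            hits.append(f"domain:{d}")
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # drop dotted quads with out-of-range octets
        except ValueError:
            continue
        if ip in iocs.ips:
            hits.append(f"ip:{ip}")
    return hits


def scan_file_bytes(data: bytes, iocs: IocSet) -> list[str]:
    """Return a hash hit if the file content matches a listed SHA-256."""
    digest = hashlib.sha256(data).hexdigest()
    return [f"sha256:{digest}"] if digest in iocs.sha256 else []


def sweep(lines: list[str], files: dict[str, bytes], iocs: IocSet) -> list[tuple[str, str]]:
    """Run both scanners and return (source, hit) pairs for triage."""
    findings: list[tuple[str, str]] = []
    for n, line in enumerate(lines, start=1):
        findings.extend((f"log:{n}", h) for h in scan_log_line(line, iocs))
    for name, data in files.items():
        findings.extend((f"file:{name}", h) for h in scan_file_bytes(data, iocs))
    return findings


# Constructed sample input: two lines touch the placeholder C2, one is benign.
SAMPLE_LOGS = [
    "2024-12-10T08:15:02Z dns query from 10.0.5.21 for c2.example.invalid type A",
    "2024-12-10T08:15:03Z fw allow 10.0.5.21:49152 -> 203.0.113.10:443 tcp",
    "2024-12-10T08:16:00Z dns query from 10.0.5.22 for ntp.vendor.example type A",
]
SAMPLE_FILES = {
    "fw_update.bin": b"constructed-sample-payload",  # matches the placeholder hash
    "config.txt": b"ip=10.0.5.21\n",
}

if __name__ == "__main__":
    for source, hit in sweep(SAMPLE_LOGS, SAMPLE_FILES, IOCS):
        print(f"{source}\t{hit}")
```

In practice the log lines come from the DNS resolver, proxy and perimeter firewall that front the OT/IoT segment, and the file hashes from whatever firmware or filesystem images can be pulled from the devices; a hit on a domain or IP is the stronger signal here, since the backdoor's first action after infection is the call-back to its C&C server.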
“The most important tip that I would give is to simply make sure your security posture is good, that you're not exposing any devices to the internet, and you know what you expose,” he said.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.