CyberAv3ngers: the Iranian saboteurs hacking water and gas systems around the world
Around the same time, CyberAv3ngers also posted to Telegram that it had broken into the digital systems of more than 200 Israeli and American gas stations, claims that cybersecurity companies, including Claroty, say were false.
This initial wave of CyberAv3ngers hacking, both real and fabricated, appears to be part of a tit-for-tat with another extremely aggressive hacker group believed to work on behalf of Israel's military or intelligence agencies. That rival group, Predatory Sparrow, has repeatedly targeted Iranian critical infrastructure while similarly hiding behind a hacktivist front. In 2021 it disabled more than 4,000 gas stations across Iran. Then, in 2022, it set fire to a steel mill in what may be the most destructive cyberattack in history. After CyberAv3ngers' hacking campaign in late 2023, and after missile attacks on Israel by Iran-backed Houthi rebels, Predatory Sparrow retaliated again by knocking out thousands of Iranian gas stations in December of that year.
“Khamenei!” Predatory Sparrow wrote on X, addressing Iran's supreme leader in Farsi. “We will respond to your evil provocations in the region.”
Predatory Sparrow's attacks have been strictly focused on Iran. CyberAv3ngers, by contrast, has not limited itself to Israeli targets, or even to Israeli-made devices used in other countries. In April and May of last year, according to Dragos, the group breached a US oil and gas company, which Dragos declined to name, by compromising its Sophos and Fortinet security appliances. In the months that followed, Dragos found, the group scanned the internet for vulnerable industrial control devices and visited the websites of those devices' manufacturers to read up on them.
After those attacks in late 2023, the US Treasury Department sanctioned six IRGC officials it said were linked to the group, and the State Department put a $10 million bounty on their heads. But far from being deterred, CyberAv3ngers has since shown signs of evolving into a more comprehensive threat.
Last December, Claroty revealed that CyberAv3ngers had infected a wide variety of industrial control systems and internet-connected devices around the world using a piece of malware it developed itself. The tool, which Claroty calls IOCONTROL, was a Linux-based backdoor that hid its command-and-control traffic inside MQTT, a messaging protocol widely used by IoT devices. It was planted on everything from routers to cameras to industrial management systems. Dragos says it has found devices infected by the group around the world, from the United States to Europe to Australia.
According to Claroty and Dragos, the FBI took control of IOCONTROL's command-and-control server around the time of Claroty's December report, neutralizing the malware. (The FBI did not respond to WIRED's request for comment on the operation.) But the campaign marks a dangerous evolution in the group's tactics and motives, according to Noam Moshe, a Claroty researcher who tracks the group.
“We see CyberAv3ngers moving from the world of opportunistic attackers, where their entire purpose was to spread a message, into the realm of a persistent threat,” says Moshe. In the IOCONTROL hacking campaign, he adds, “they wanted to be able to infect any asset they identify as critical and simply leave their malware there as an option for the future.”
Exactly what the group might be waiting for, probably some strategic moment when the Iranian government could gain geopolitical advantage from causing widespread digital disruption, is far from clear. But the group's actions suggest it is no longer merely seeking to send a protest message against Israeli hostilities. Instead, Moshe argues, it is trying to gain the ability to disrupt foreign infrastructure at will.
“It's like a red button on their desk. At the moment, they've realized that they want to be able to attack many different segments, many different industries, many different organizations, but when they choose,” he says. “And they don't go away.”