CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide
The intermittent cyberwar between Israel and Iran, stretching back to Israel's role in the creation and deployment of the Stuxnet malware that sabotaged Iran's nuclear weapons program, has been perhaps the longest-running conflict in the era of state-sponsored hacking. But since Hamas' October 7 attack and Israel's retaliatory invasion of Gaza, a new player in that conflict threatens not just digital infrastructure in Israel but also critical systems in the US and around the world.
The group known as CyberAv3ngers has, in the last year and a half, proven to be the Iranian government's most active hackers focused on industrial control systems. Its targets include water, wastewater, oil and gas, and many other types of critical infrastructure. Despite being operated by members of Iran's Revolutionary Guard Corps, according to US officials who have offered a $10 million bounty for information leading to their arrest, the group initially took on the mantle of a “hacktivist” campaign.
CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world. All of that makes the hackers, despite their grassroots front, a rare example of state-sponsored cybersaboteurs who have crossed the line of targeting and disrupting critical infrastructure.
“They pretend to be hacktivists, but they're really not. This is a state-sponsored group. They have funding and tooling,” says Kyle O'Meara, a threat intelligence researcher at industrial-control-system cybersecurity firm Dragos, which tracks the group for its IOControl malware campaign. “This is like a red button on their desk. At a moment's notice they want to be able to attack many different segments, many different industries, many different organizations, however they choose,” he says.
In the IOControl hacking campaign, CyberAv3ngers has developed a piece of malware that hides its communications in MQTT, a protocol widely used by IoT devices. It has been planted on everything from routers to cameras to industrial control systems. Dragos says it found devices infected by the group worldwide, from the US to Europe to Australia.
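Because the malware described above blends its command-and-control traffic into MQTT, a defender's first question is which devices on the OT network are speaking MQTT at all, and to whom. The following is an added example, not code from the article or from Dragos or Claroty: it walks a list of network-flow records and flags MQTT sessions that leave the internal address space or that originate from device classes (PLCs, HMIs, routers, cameras) that have no business talking to an unlisted broker. The flow record shape, the internal address ranges, the device-role inventory, the broker allowlist and the sample flows are all assumptions constructed for the example; the ports 1883 and 8883 are the standard MQTT and MQTT-over-TLS ports.

```python
"""Flag MQTT sessions that OT/IoT devices should not be making.

Added example; not from the article or from Dragos/Claroty. Flow format,
internal ranges, role inventory, allowlist and sample data are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MQTT_PORTS = {1883, 8883}  # standard MQTT and MQTT-over-TLS ports
# Device roles that should never reach an unsanctioned broker (assumed inventory).
SENSITIVE_ROLES = {"plc", "hmi", "router", "camera"}
# Address space considered "inside" the plant network (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One connection summary as a flow collector might export it (assumed shape)."""
    src_ip: str
    src_role: str   # from the asset inventory; "unknown" if not catalogued
    dst_ip: str
    dst_port: int
    proto: str


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_mqtt_flows(flows, allowed_brokers):
    """Return (flow, reason) pairs for MQTT sessions that merit investigation.

    Only the connection metadata is inspected; with MQTT over TLS on 8883 the
    payload is opaque anyway, so the signal is who talks to whom, not content.
    """
    findings = []
    for f in flows:
        if f.proto != "tcp" or f.dst_port not in MQTT_PORTS:
            continue                      # not MQTT, nothing to assess
        if f.dst_ip in allowed_brokers:
            continue                      # sanctioned broker, expected traffic
        if is_external(f.dst_ip):
            findings.append((f, "mqtt session to external broker"))
        elif f.src_role in SENSITIVE_ROLES:
            findings.append((f, f"mqtt from {f.src_role} to unlisted internal broker"))
    return findings


# Constructed sample flows; none of these addresses refer to real systems.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "plc", "10.0.5.2", 1883, "tcp"),          # sanctioned broker
    Flow("10.0.5.21", "camera", "203.0.113.50", 8883, "tcp"),   # leaves the plant network
    Flow("10.0.5.1", "router", "10.0.9.9", 1883, "tcp"),        # unlisted internal broker
    Flow("10.0.7.4", "workstation", "10.0.5.2", 443, "tcp"),    # not MQTT at all
]
ALLOWED_BROKERS = {"10.0.5.2"}  # assumed site allowlist

if __name__ == "__main__":
    for flow, reason in flag_mqtt_flows(SAMPLE_FLOWS, ALLOWED_BROKERS):
        print(f"{flow.src_ip} ({flow.src_role}) -> {flow.dst_ip}:{flow.dst_port}: {reason}")
```

The check deliberately keys on an allowlist of brokers rather than on payload signatures: a legitimately deployed broker is a small, stable set that a site can enumerate, whereas a covert channel riding inside MQTT looks like any other publish or subscribe on the wire.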
The FBI took control of the command-and-control server for IOControl at the same time as Claroty's December report, neutralizing the malware. But CyberAv3ngers’ hacking campaign nonetheless shows a dangerous evolution in the group's tactics and motives, according to Noam Moshe, who tracks the group for Claroty. “We're seeing CyberAv3ngers moving from the world of opportunistic attackers where their whole goal was spreading a message into the realm of a persistent threat,” Moshe says.
Exactly what the group might have been waiting for—possibly some strategic moment when the Iranian government could gain a geopolitical advantage from causing widespread digital disruption—is far from clear. But the group's actions suggest that it's no longer seeking to merely send a message of protest against Israeli military actions. Instead, Moshe argues, it’s trying to gain the ability to disrupt foreign infrastructure at will.