State-sponsored actors are actively exploiting the weak security posture of IoT devices in critical infrastructure. The Iranian-linked CyberAv3ngers group has compromised hundreds of fuel management systems and water facilities using a custom-built backdoor, IOCONTROL, that targets the IoT devices and Linux-based platforms used in industrial control systems.
IOCONTROL uses the MQTT protocol, the standard publish/subscribe messaging protocol for IoT devices, for its command-and-control channel, and hides its command-and-control lookups behind Cloudflare's DNS over HTTPS service, so the DNS resolution is encrypted and invisible to conventional DNS monitoring. The result blends in with legitimate IoT traffic and is hard to pick out. IoT devices frequently sit on public networks over cellular (5G) links, which exposes them directly to this kind of attack. And while security in the cloud, in data centers and in offices has grown increasingly sophisticated, IoT device security tends to be minimal or non-existent. Netmaker mitigates these attack vectors by securing IoT device traffic over the public internet.
Affected devices include routers, PLCs, firewalls and cameras from well-known vendors such as Baicells, D-Link, Hikvision, Red Lion and Phoenix Contact. Many modern industrial control systems depend on exactly these devices and are therefore at high risk. The attackers have so far gained access to payment terminals at gas stations and to water treatment facility controls.
This attack succeeded because industrial IoT security is often treated as an afterthought. When PLCs and HMIs send unencrypted data over 5G networks, the front door is wide open. IoT devices often rely on security through obscurity: the assumption that they are safe because they are not usually targeted. It is the same reason Macs have often been viewed as less prone to malware. It is not that they are better designed against it; attackers simply put their time and energy into Windows-based systems. As attackers become more sophisticated, especially state-sponsored ones, they are turning to IoT platforms, which are often tied to real-world control systems where a compromise has severe consequences.
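As an added example, not code from the original post or from Netmaker, here is a small Python flow-log check that encodes the detection points raised above: an OT device talking MQTT to a broker that is not on the site allowlist, plaintext MQTT (port 1883) leaving the site's private address space, and a device contacting a public DNS over HTTPS resolver such as cloudflare-dns.com / 1.1.1.1, which a PLC or camera has no legitimate reason to do. The MQTT ports, resolver addresses and DoH hostnames are the well-known public values; the OT subnet, the broker allowlist and the flow records are constructed for the example.

```python
"""Flag suspicious outbound flows from OT / IoT devices.

Three checks, each matching one part of the traffic pattern discussed above:
  * MQTT (1883/8883) to a broker that is not on the site allowlist
  * plaintext MQTT (1883) leaving the site's private address space
  * DNS over HTTPS to a public resolver (Cloudflare, Google, Quad9)
The site policy and the sample flows below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    sni: str = ""        # TLS server name, when visible in the ClientHello
    http_path: str = ""  # only known if a proxy terminates TLS


# --- site policy (hypothetical values) --------------------------------------
OT_SUBNETS = [ip_network("10.20.0.0/16")]            # where PLCs/HMIs/cameras live
SITE_NETWORKS = [ip_network("10.0.0.0/8"),           # anything outside = internet
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ALLOWED_BROKERS = {"10.20.1.5", "mqtt.scada.example.internal"}

# --- public facts -----------------------------------------------------------
MQTT_PORTS = {1883: "plaintext", 8883: "tls"}
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
DOH_HOSTNAMES = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                 "dns.google", "dns.quad9.net"}


def in_any(ip: str, nets) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def check_flow(flow: Flow) -> list[str]:
    """Return the findings for one flow (empty when it looks normal)."""
    findings: list[str] = []
    if not in_any(flow.src, OT_SUBNETS):
        return findings  # only OT/IoT sources are in scope for these rules

    if flow.proto == "tcp" and flow.dport in MQTT_PORTS:
        broker = flow.sni or flow.dst
        if broker not in ALLOWED_BROKERS:
            findings.append(f"mqtt-unknown-broker:{broker}")
        if MQTT_PORTS[flow.dport] == "plaintext" and not in_any(flow.dst, SITE_NETWORKS):
            findings.append("mqtt-plaintext-to-internet")

    if flow.proto == "tcp" and flow.dport == 443 and (
        flow.dst in PUBLIC_DOH_RESOLVERS
        or flow.sni in DOH_HOSTNAMES
        or flow.http_path.startswith("/dns-query")
    ):
        findings.append(f"doh-to-public-resolver:{flow.sni or flow.dst}")
    return findings


def scan(flows) -> dict[str, list[str]]:
    """Map 'src->dst:dport' to findings, keeping only flows that raised one."""
    report: dict[str, list[str]] = {}
    for f in flows:
        hits = check_flow(f)
        if hits:
            report[f"{f.src}->{f.dst}:{f.dport}"] = hits
    return report


# Constructed sample flows (RFC 5737 documentation addresses on the internet side).
SAMPLE_FLOWS = [
    Flow("10.20.3.7", "10.20.1.5", 8883, "tcp", sni="mqtt.scada.example.internal"),  # normal
    Flow("10.20.3.7", "1.1.1.1", 443, "tcp", sni="cloudflare-dns.com"),     # DoH lookup
    Flow("10.20.3.8", "203.0.113.10", 8883, "tcp"),                          # unknown broker
    Flow("10.20.3.9", "198.51.100.4", 1883, "tcp"),                          # plaintext MQTT out
    Flow("10.20.3.7", "203.0.113.53", 443, "tcp", http_path="/dns-query"),   # DoH seen via proxy
    Flow("192.168.50.2", "1.1.1.1", 443, "tcp", sni="cloudflare-dns.com"),   # office PC: out of scope
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_FLOWS).items():
        print(key, ", ".join(hits))
```

The point of the allowlist rule is that a PLC's set of network peers should be tiny and static, so any MQTT session to a broker you did not provision is worth an immediate look, whether or not the payload is encrypted. The DoH rule relies on the destination address or the TLS server name, which is the most you will see without a TLS-terminating proxy; the `/dns-query` path check only fires behind one.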
The solution isn't complex. It requires real thought and focus on the part of IoT device owners. Offices, data centers and clouds have moved toward a "secure by default" mentality, backed by network security controls that enforce it. IoT connectivity has been ignored because it is more spread out and harder to manage, but it should be managed the same way. Every device, from cameras to windmills to hydroelectric equipment, needs to operate within a secure network framework: a security architecture covering all devices in the organization, in which compromised credentials or a vulnerable protocol on one device do not automatically mean game over for the entire infrastructure.
If your industrial equipment is still communicating over public networks or sending unencrypted traffic, you are already at risk. If your devices are not part of the same network security structure used across the rest of your organization, you are a prime target. The IOCONTROL attacks show that sophisticated actors are actively targeting these weaknesses, and they are getting better at it.
Don't wait until you're the next headline. Let's talk about how to properly secure your industrial IoT infrastructure. The technology exists – it's just a matter of implementing it before it's too late.
Alex Feizsli is the founder and CEO of Netmaker, a platform that secures industrial IoT communications across critical infrastructure deployments worldwide.