
CyberAttackers: The Iranian Saboteurs Hacking Water and Gas Systems Globally
Despite presenting themselves as a group of hacktivists, CyberAv3ngers is an unusual band of state-backed hackers whose objective is to threaten industrial infrastructure, having already caused disruptions on a global scale.
Cyber intelligence activity between Israel and Iran has increased since Israel's role in the development of the Stuxnet malware, which impacted Iran's nuclear weapons program. This conflict has been prolonged and has intensified since Hamas's attack on October 7 and Israel's subsequent invasion of Gaza. In this context, a new player has emerged on the scene: CyberAv3ngers, a hacking group operating under the auspices of the Iranian government and specializing in attacks on industrial control systems.
In the past year and a half, CyberAv3ngers has conducted targeted operations against critical infrastructure such as water, oil, and gas. Although the group has adopted a façade of cyber activism, it is backed by members of the Islamic Revolutionary Guard Corps, according to U.S. officials who have offered a $10 million reward for information leading to their capture. While the group has openly declared its objectives against Israel, it has expanded its focus to global devices and infrastructure, including oil and gas companies in the U.S.
Despite its activist façade, Kyle O'Meara, a threat intelligence researcher, states that CyberAv3ngers is a state-sponsored group with funding and sophisticated tools to conduct cyberattacks intended to cause harm. The group's prominence became evident after Hamas's attack, as it accessed more than 100 devices from an Israeli company, Unitronics, affecting water networks and other essential facilities in Israel and beyond.
For instance, during one attack, CyberAv3ngers manipulated device names to read “Gaza” and displayed the group's logo, leading to confusion and disruption of service in various networks, including some in the UK and Ireland. Additionally, the group claimed to have penetrated the digital systems of over 200 gas stations, although these claims were mostly limited to surveillance cameras.
This attack occurred amid retaliation between hacker groups operating as extensions of the interests of Israel and Iran. While CyberAv3ngers focused on Israel, a group known as Predatory Sparrow has repeatedly attacked Iran's critical infrastructure, notably destroying gas stations and igniting fires at industrial facilities.
As CyberAv3ngers continues its hacking campaign, these actions have been accompanied by U.S. sanctions on various Iranian officials linked to the group. However, CyberAv3ngers appears to have adapted and evolved into a broader threat. Last December, it was revealed that the group had developed malware called IOControl, capable of infecting various industrial control devices globally.
The group's tactics indicate a shift in focus: they are no longer merely seeking to deliver a protest message but have adopted a more aggressive stance aimed at disrupting critical infrastructure abroad at will. This transformation suggests that CyberAv3ngers aims to have the capacity to cause large-scale disruptions, representing an imminent danger in the global cyber domain.