The digital battleground between Iran and the alliance of Israel and the United States has evolved into a phase of targeting civilian psychological resilience through the weaponisation of emergency warning and public address (PA) systems. These operations are strategically designed to weaken public trust in government protective measures, such as early-warning systems.
In such operations, threat actors have claimed unauthorised access to often insecure legacy broadcast equipment. In this case, Iran-affiliated actors linked to the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence of the Islamic Republic of Iran (MOIS) claimed to have hijacked emergency alert and announcement systems, projecting a level of domestic reach that far exceeds the technical complexity of their intrusions.
This new front in the Iran war demonstrates the risks that legacy technology within critical infrastructure poses, particularly now that Iran has apparently added psychological warfare to its strategy. Access to several legacy Barix devices, and the resulting psychological impact on Israeli citizens, were the tools used to sow uncertainty and potential chaos among the public.
There have long been fears about the role of cyberattacks carried out in unison with kinetic fighting. These attacks by the CyberAv3ngers demonstrate the damaging possibilities: in this case, a cyberattack on IoT devices that produced not only a physical impact but also a psychological effect on the morale of citizens.
The CyberAv3ngers, meanwhile, continue to play a prominent role in Iran’s offensive cyber strategy. The group’s past activity, most notably the development of a custom malware framework known as IOCONTROL, has focused on operational technology and connected IoT devices and systems. IOCONTROL, for example, was used to attack Linux-based SCADA and OT devices found within civilian infrastructure. Devices targeted by the CyberAv3ngers across various campaigns include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based platforms. While the malware is believed to be custom-built by the threat actor, its modular configuration appears to make it generic enough to run on a variety of platforms from different vendors.
The CyberAv3ngers are also linked to the attacks against Unitronics integrated PLC/HMI devices in the U.S. and Israel. These disruptive attacks included defacing the devices’ screens with messages promising future attacks against Israeli technology. The Unitronics attacks demonstrated the threat actors’ ability to access the devices and, potentially, to carry out additional, more destructive intrusions.
The reachability of legacy technology online presents a major problem for critical infrastructure operators. A recent Team82 report demonstrates that low-skilled hacktivist groups can easily enumerate OT assets that are insecurely connected to the internet and leverage weak or default credentials to access devices. Legacy protocols are also often abused because they lack authentication and other basic security capabilities, allowing attackers to access assets at scale and disrupt devices in particular organisations or regions.
In this case, the vulnerable Barix technology has been updated by the vendor. However, as is the case with many flavours of cyber-physical systems, updates are manual, and many assets could remain running vulnerable firmware. Furthermore, without full visibility into an environment, and with poorly secured connections on internet-facing devices, these assets are easily enumerated and exploited, even by low-skilled actors operating in parallel with more advanced threat actor groups.
Full investigation here: A Cyber-Psychological Operation: Iran-Linked Attackers Target Warning Systems | Claroty