Iranian state-linked cyber actors are targeting internet-exposed US industrial control systems (ICS). The attacks have degraded programmable logic controller (PLC) functionality, altered data shown on operator displays, and in some cases caused operational disruption and financial loss. The warning comes amid a rise in DDoS attacks and in hack-and-leak operations by Iran-aligned cyber proxy groups and hacktivists against Western and Israeli organizations.
In a report published this week, DomainTools Investigations assessed that activity attributed to Homeland Justice, Karma/KarmaBelow80, and Handala Hack forms "a single, coordinated cyber influence ecosystem" operating alongside Iran's Ministry of Intelligence and Security (MOIS). Separately, Flashpoint reports that JUMPSEC has identified ties between MuddyWater, the Iranian state-sponsored threat actor, and criminal networks, including the group's involvement with at least two CastleRAT builds used against Israeli targets.
CastleRAT is a remote access trojan (RAT) that gives an operator remote control of an infected machine. On compromised hosts it drops a previously undocumented JavaScript-based loader called ChainShell. A similar loader is used to distribute the Tsundere botnet malware, which is also tracked as Dindoor.
Ctrl-Alt-Intel, Broadcom, and Check Point have also documented links between MOIS and the cybercrime ecosystem. Those links indicate that state actors increasingly rely on commodity, off-the-shelf tooling to meet their objectives, which complicates attribution. JUMPSEC assesses that ChainShell and Tsundere are separate components of the TAG-150 platform used alongside CastleRAT; it is not clear whether Recorded Future or Check Point have confirmed this finding.
The full report is available at http://www.jumpsec.com/news/features/2014/01/27/castle-rAT-trojan-and-botnet-malware.html.