GhostSec hacktivist group compromises 55 Berghof PLCs across Israel, OTORIO discloses

Industrial cybersecurity firm OTORIO published on Wednesday details of the GhostSec hacktivist group, which gained control over 55 Berghof programmable logic controllers (PLCs) across Israeli organizations and platforms. The firm said that last week GhostSec, which was previously observed targeting Israeli organizations and platforms, announced on social media and its Telegram channel that the group had successfully breached the devices. 

“In the message it published, GhostSec attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped,” David Krivobokov, research team leader at OTORIO, wrote in a company blog post.

OTORIO assesses that such security gaps can be extremely dangerous in the OT (operational technology) environment, since they can affect physical processes and, in some cases, even lead to life-threatening situations. “While GhostSec’s claims are of a sophisticated cyber attack, the incident reviewed here is simply an unfortunate case where easily overlooked misconfigurations of industrial systems led to an extremely unsophisticated attempt to breach the systems themselves.”

Krivobokov observed that the HMI was probably neither accessed nor manipulated by GhostSec, and that the hackers were not exploiting the Modbus interface, which points to an unfamiliarity with the OT domain. “To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems but only sought to draw attention to the hacktivist group and its activities,” he added.

Despite the low impact of this incident, it is a clear example of a cyber attack that could easily have been avoided by simple, proper configuration. Disabling the public exposure of assets to the Internet and maintaining a good password policy, especially changing the default login credentials, would have caused the hacktivists’ breach attempt to fail.

The OTORIO team observed the published system dump of ZIP archives (part_1.zip and part_2.zip), which revealed the public IP addresses of the affected PLCs. “This suggests that the devices were/are publicly exposed to the internet. Both archives contained the same types of data – system dumps and HMI screenshots, which were exported directly from the Berghof admin panel. The panel has this functionality by design, allowing logged-in users to create a backup and see the current HMI state via a screenshot.”

Krivobokov said that at the time of the company’s investigation, the IPs were still accessible through the Internet. Access to the admin panel is password-protected. However, trying a few defaults and common credentials resulted in a successful login. “The HMI screenshots can be taken and viewed simply by accessing the ‘Screenshot’ tab. The system dumps were similarly done by just accessing the ‘System Dump’ tab in the admin panel,” he added.
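The two weaknesses described above and in the mitigation paragraph (an admin panel reachable from the Internet, and default credentials that fall to a few guesses) leave a recognisable trail in the panel's access logs. The following detector is an added example, not code from OTORIO or Berghof; the log format, the admin-panel paths and the sample lines are constructed and hypothetical.

```python
# Added example, not OTORIO's or Berghof's code: flag PLC admin-panel requests
# from public addresses and logins that succeed after a burst of failures.
import ipaddress
import re
from collections import defaultdict

# Hypothetical access-log format: "<src_ip> <timestamp> \"<METHOD> <path>\" <status>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')
# Hypothetical panel paths, modelled on the "Screenshot" and "System Dump" tabs.
SENSITIVE_PATHS = ("/admin/login", "/admin/screenshot", "/admin/sysdump")
# Anything outside RFC 1918, loopback and link-local is treated as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)

def analyse(lines, fail_threshold=3):
    """Return (source_ip, reason) findings for the given access-log lines."""
    findings = []
    failures = defaultdict(int)  # consecutive failed logins per source
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(SENSITIVE_PATHS):
            continue  # unparseable line, or not an admin-panel request
        src, path, status = m["src"], m["path"], int(m["status"])
        if is_public(src):
            findings.append((src, f"admin panel reached from public address: {path}"))
        if path == "/admin/login":
            if status in (401, 403):
                failures[src] += 1
            elif status == 200:
                if failures[src] >= fail_threshold:
                    findings.append((src, f"login success after {failures[src]} failures"))
                failures[src] = 0
    return findings

# Constructed sample: an engineer on the plant LAN, then an external source that
# fails three times, logs in on the fourth try and pulls a system dump.
SAMPLE_LOG = [
    '10.0.5.12 2022-09-05T08:01:00Z "POST /admin/login" 200',
    '203.0.113.7 2022-09-05T08:05:01Z "POST /admin/login" 401',
    '203.0.113.7 2022-09-05T08:05:03Z "POST /admin/login" 401',
    '203.0.113.7 2022-09-05T08:05:05Z "POST /admin/login" 401',
    '203.0.113.7 2022-09-05T08:05:07Z "POST /admin/login" 200',
    '203.0.113.7 2022-09-05T08:06:00Z "GET /admin/sysdump" 200',
]
```

Running `analyse(SAMPLE_LOG)` yields six findings, all for the external source: five for reaching the panel from a public address and one for the login that succeeded after three failures; the engineer on 10.0.5.12 produces none.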

“Although access to the admin panel provides full control over some of the PLC’s functionality, it does not provide direct control over the industrial process,” according to Krivobokov. “It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel.”

Krivobokov further added that from the research, “we concluded that Berghof uses CODESYS technology as its HMI, and is also accessible via the browser at a certain address. From our observations of GhostSec’s proofs of the breach, we did not know whether GhostSec gained access to the HMI. But we’ve confirmed that the HMI screen was also publicly available.”

He also added that the HMI exposes the configuration of the industrial process.

OTORIO released the results of its 2022 OT cybersecurity survey report earlier this year, which revealed the growth of cybercrime itself, and the tightening of legislation and regulations pushed forward by governments that are taking an increasingly active role in cyber defenses. These factors were observed amidst an acceleration towards a connected production floor, especially around remote operations and supply chain management. 

Last month, researchers at another industrial cybersecurity vendor, Claroty, developed a novel technique called the Evil PLC Attack, in which PLCs are weaponized and used to compromise engineering workstations. An attacker with a foothold on an engineering workstation can access anything else on the OT network to which an engineer connects that machine, including other PLCs. The attack targets engineers working on industrial networks, configuring and troubleshooting PLCs to ensure the safety and reliability of processes across critical industries such as utilities, electricity, water and wastewater, heavy industry, manufacturing, and automotive.
