Hacker group discloses ability to encrypt an RTU device using ransomware, industry reacts

A hacker group has claimed that it has conducted a ‘first-ever’ ransomware attack against an RTU (remote terminal unit), a small device typically deployed across industrial control system (ICS) environments. The Anonymous group affiliate said that it executed GhostSec ransomware during its favorite operation ‘#OpRussia,’ and explained it ‘as only they can in support of #Ukraine.’ 

In its Twitter message, Anonymous Operations wrote that “Everybody knows that GhostSec has been ‘raising the bar’ since we started attacking ICS, now it’s time to push the hacking history even further beyond! It’s time to write our name in a new hacking game, it’s to start a new race. Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some IoT, but we would like to announce the first RTU attacked!”

The group added that “YES! We just encrypted the first RTU in history! A small device designed only for an ICS environment! We knew, you knew, that the time sooner or later would come. Well, it has come!”

Anonymous further added that “the age of ransomware coded to attack ICS devices just became a thing, and we were the first like previously hacking the Russian trains directly! This ransomware was not intended to be very complex (it doesn’t mean that we can’t code complex malware) since we just wanna encrypt and show it to the world.”

Analyzing the hacker group’s claim, researchers from industrial cybersecurity company Claroty’s research arm Team82 wrote in a Thursday blog post that GhostSec has claimed on a public Telegram group that it has been able to encrypt an industrial RTU router that features SCADA (supervisory control and data acquisition) capabilities including support for industrial serial interfaces RS-232 and RS-485 and MODBUS protocol variations.

“GhostSec has been called an adjunct group to Anonymous, carrying out politically motivated hacks, including one claim this week that it had access to, and stolen, email from the Brazilian government. It has also previously been connected to compromises of programmable logic controllers and other OT devices,” it added. 

Claroty researchers said that in this alleged attack, the group has apparently turned its attention to the Russian invasion of Ukraine. “From screenshots provided by the group on Telegram, encrypted files on a TELEOFIS RTU968 v2 in question have had the suffix ‘.f***Putin’ appended to them,” it added.

The TELEOFIS RTU968 V2 is a new 3G router that connects commercial and industrial facilities to the Internet over wired and wireless links. Its built-in 3G modem provides high-speed wireless Internet access anywhere a cellular operator has network coverage. It can be considered a remote terminal unit (RTU) because it supports the industrial interfaces RS-232 and RS-485 and is able to convert the industrial protocols Modbus RTU/ASCII to Modbus TCP.

Team82 revealed that the group claimed on Telegram that the compromised device is from Belarus, and also did not demand a ransom, instead leaving behind a lengthy message that includes the note: ‘There is no notification letter. There is no payment.’

“From public internet scans we discovered that there are 194 internet-exposed devices in Russia, Kazakhstan, Belarus, and 117 of them have the SSH service enabled,” according to the researchers. “We were curious to know what was the initial attack vector so we downloaded the firmware and conducted research on it (.tar → .UBI root filesystem, Linux kernel).”

Additionally, “we discovered that the device runs over a 32-bit ARM architecture with an ARM926EJ-S processor which is part of the ARM9 family of general-purpose microprocessors. It runs the OpenWrt 21.02.2 operating system, which is a Linux distribution with BusyBox.”

After going through the device’s configurations and rc.d startup scripts, Team82 researchers said that they “came to the conclusion that the device comes with a pre-configured SSH service on port 22 (default port) and allows using a root password as a method of authentication. Furthermore, the device comes with a weak preconfigured root password that can be broken with the hashcat password recovery tool in two seconds.”
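The two findings above (password authentication for root on the default SSH port, reachable from any interface including the cellular WAN) are all settings of OpenWrt’s dropbear SSH server in /etc/config/dropbear. The script below is an added example, not part of Team82’s research or the TELEOFIS firmware: it audits a dropbear UCI config fragment for those settings, using the real OpenWrt option names (PasswordAuth, RootPasswordAuth, Port, Interface) and their documented defaults, and shows a default-style fragment beside a hardened one. The two config fragments are constructed for the example; the weak password itself is not a config setting and must be fixed separately by rotating it (or, better, by disabling password login altogether as the hardened fragment does).

```shell
#!/bin/sh
# Added example: audit an OpenWrt /etc/config/dropbear fragment for the
# settings that make a field device a soft target: password auth for root
# on the default port, bound to every interface (including the 3G WAN).

# Print the value of one UCI option from a dropbear config file.
# Assumes the single 'config dropbear' section format OpenWrt ships with.
uci_opt() {
    # $1 = file, $2 = option name
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Report weak settings; returns 0 if hardened, 1 if anything weak was found.
# Absent options fall back to OpenWrt's dropbear defaults (auth on, port 22, all interfaces).
audit_dropbear() {
    file="$1"
    weak=0
    pw=$(uci_opt "$file" PasswordAuth)
    rootpw=$(uci_opt "$file" RootPasswordAuth)
    port=$(uci_opt "$file" Port)
    iface=$(uci_opt "$file" Interface)

    if [ "${pw:-on}" = "on" ]; then
        echo "WEAK: PasswordAuth is on (default); use key-only authentication"; weak=1
    fi
    if [ "${rootpw:-on}" = "on" ]; then
        echo "WEAK: RootPasswordAuth is on (default); root must not log in with a password"; weak=1
    fi
    if [ -z "$iface" ]; then
        echo "WEAK: Interface unset, so SSH listens on the cellular WAN too; bind it to 'lan'"; weak=1
    fi
    if [ "${port:-22}" = "22" ]; then
        echo "NOTE: SSH on default port 22; harmless on its own, but it is what Internet scans look for"
    fi
    return $weak
}

# Count only the WEAK findings (used for checking results).
weak_count() {
    audit_dropbear "$1" | grep -c '^WEAK:' || true
}

# Constructed sample 1: what a freshly-imaged device with the factory config looks like.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
EOF

# Constructed sample 2: key-only login, no root password login, LAN-side only.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

echo "--- factory-style config ---"
audit_dropbear "$WEAK_CONF" || echo "result: NOT hardened"
echo "--- hardened config ---"
audit_dropbear "$HARD_CONF" && echo "result: hardened"
```

On a live device the same checks can be applied with `uci get dropbear.@dropbear[0].PasswordAuth` and friends, and the hardened values set with `uci set` followed by `uci commit dropbear` and a dropbear restart; the hardened fragment assumes an SSH public key has already been installed in /etc/dropbear/authorized_keys, otherwise turning password authentication off locks the operator out.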

Claroty researchers wrote that hacktivist groups, though largely politically motivated, have demonstrated the ability to be disruptive to businesses and operations in certain situations. “GhostSec’s latest alleged activity is another indication that these groups have an interest in seeking out ICS devices that—if attacked—can impact productivity and safety within industrial automation settings,” they added.

Ron Fabela, CTO at another industrial cybersecurity vendor, SynSaber, wrote in a separate blog post that, given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), “there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking.”

Expanding out a bit, Fabela said that just because something is labeled an RTU doesn’t mean encrypting its files is groundbreaking or innovative. He also pointed out that hacking and encrypting Linux devices is not new. Furthermore, exploits and hacks against this class of devices (communication gateway providing remote connectivity to serial devices) are also not new.

“Whether technically true or not, groups like GhostSec, the Cl0p gang, and others continue to research and discover OT attacks and ICS hacks,” Fabela wrote in his Wednesday post. “The paradigm shift isn’t that someone can attack a Linux/OpenWRT device. Rather, it’s the pivot by threat groups on how to take traditional enterprise attacks and apply them to industrial environments. It was also trivial to find these exact devices online via tools like shodan.io,” he added.

This example by GhostSec shows new threat groups’ lack of understanding about ICS, Fabela said. “It also gives the community a glimpse at the group’s intent, something exceedingly difficult to measure otherwise. After looking at the evidence presented, it may be easy to dismiss the bold claims by GhostSec.” 

He further highlighted that the fact remains that ICS will be targeted, and threat actors see the value in attacking (or claiming to attack) ICS. 

Cybersecurity researcher Joe Slowik noted in a Thursday post that ransomware impacting industrial operations and environments is very much a ‘real thing’ as documented by multiple parties. “The scope and nature of such operations, though, will almost certainly be limited to what has been observed to date: operations targeting IT and IT-based systems, with inadvertent (and at times quite limited) industrial impacts,” he added. 

“Scenarios outlined by GhostSec and Red Balloon will likely remain an area for proof of concepts and flashy presentations at hacker cons,” according to Slowik. “Yet should such embedded device ransomware emerge in industrial environments (especially critical infrastructure networks), we should immediately question the nature and origin of such activity, as the economics and optics of such an event will favor a state-directed entity being responsible as opposed to more traditional criminal monetization,” he added. 

In October, another industrial cybersecurity company OTORIO disclosed that the GhostSec hacktivist group has continued to demonstrate its ICS hacking skills and has now turned its support to the recent waves of Hijab protests in Iran.

“The group has published several images as evidence of successfully ‘hacked’ systems. These show the use of SCADA modules of the Metasploit framework and a MOXA E2214 controller admin web portal following a successful login,” David Krivobokov, OTORIO’s Research Team leader, revealed at the time. “While it is not clear how critical the ‘breached’ systems are, this demonstrates again the ease and potential impact of attacks on ICS systems that have insufficient security controls in place.”

Earlier this week, Red Balloon researchers disclosed multiple architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 series PLC (Programmable Logic Controller) that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. Affecting around 120 Siemens products and solutions, the S7-1500 is a high-performance controller that is considered to have comprehensive security protections among Siemens PLC products.