OTORIO reveals GhostSec hacktivist group now targets Iranian ICS in support of Hijab protests

The GhostSec hacktivist group has continued to demonstrate its ICS (industrial control system) hacking skills and has now turned its support to the recent waves of Hijab protests in Iran, industrial cybersecurity company OTORIO disclosed.

“The group has published several images as evidence of successfully ‘hacked’ systems. These show the use of SCADA modules of the Metasploit framework and a MOXA E2214 controller admin web portal following a successful login,” David Krivobokov, OTORIO’s Research Team leader, wrote in a recent blog post. “While it is not clear how critical the ‘breached’ systems are, this demonstrates again the ease and potential impact of attacks on ICS systems that have insufficient security controls in place.”

The latest attack by the GhostSec attackers comes about two weeks after the group compromised the web interfaces of PLCs, but now they are quickly beginning to look for new open-source tools, and are learning about different OT protocols and their capabilities, Krivobokov assesses. “The hacktivist group appears to be highly motivated, with capabilities that are growing stronger and stronger each time,” he added.

In the latest attack, the GhostSec hacktivist group used a framework called Metasploit, which is a very common tool used by security researchers and pen testers. Metasploit is a highly capable and modular framework that allows the execution of a variety of attacks on remote assets. 

“Kali Linux (Linux distribution for hackers) includes Metasploit out-of-the-box, and comes with specific modules for issuing attacks on OT systems,” according to Krivobokov. “This toolbox gives even novice hackers the ability to cause significant damage to ICS targets. In many cases, they can simply scan the internet for potential ICS targets that have open ports associated with industrial protocols, such as Modbus on port TCP 502 or CIP on TCP port 44818, and then apply the Metasploit SCADA modules or other ICS attack tools on them,” he added.

About a month back, the group was observed targeting Israeli PLCs. The GhostSec group announced on social media and its Telegram channel that it successfully breached 55 Berghof PLC devices in Israel. It also attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped, and then published the dumped data from the breached PLCs.

In its earlier blog post, OTORIO wrote that “on September 4th, 2022, a hacktivist group ‘GhostSec’ that was previously observed targeting Israeli organizations and platforms, announced on social media and its Telegram channel that the group successfully breached 55 Berghof PLC devices in Israel.”

According to images that the GhostSec published, the group appeared to have taken control of a water system’s pH and chlorine levels, Krivobokov wrote in an OTORIO blog post. In the published message, the hacktivists said they ‘understand the damages that can be done …’ and that the ‘Ph pumps’ are an exception for their anti-Israeli cyber campaigns, he added. 

Further, Krivobokov wrote that unlike the group’s activity that was reported in early September, this time they did not provide specific details about the hack (e.g., an IP address, data dumps of the breached system) except for a few screenshots. 

At the time, OTORIO informed Israel’s Cyber Emergency Response Team (CERT) about the details of the breach and closely cooperated with the authorities to resolve it quickly. Krivobokov wrote that, at the time of writing, the controller was no longer reachable from the public internet.

“Once again, this incident is a rather sad example of a business maintaining a poor password policy where the default credentials simply weren’t changed,” according to Krivobokov. “Yet even with the hotel’s failure to change the default password, the system was also exposed to the internet, making it an extremely easy target for cyber attacks.”

Krivobokov added that the damage this time is not as critical as it could have been: despite GhostSec’s assertion that the hackers could have made things much worse, the hacktivist group’s Telegram message promised not to interfere with Israel’s water supply. On a different day, or with another hacker group, the risks from a similar cyber attack are potentially enormous.

“In general, GhostSec’s recent breaches demonstrate how bad the cybersecurity situation can be when it comes to industrial control systems a/k/a ICS,” Krivobokov wrote. “These latest public breaches hint at additional ones of which we are not yet aware, or which may likely happen in the future,” he added.

OTORIO called upon organizations to make sure that they do not have direct access from the internet to their OT equipment, especially its operational services. Additionally, it recommends investing in minimum cyber hygiene steps such as changing default passwords.
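The two recommendations above (no direct internet access to OT equipment, and the industrial ports the article names, Modbus on TCP 502 and CIP on TCP 44818, as the ones attackers look for) can be turned into a simple detection check on a site's own perimeter logs. The following is an added example written for this article, not code from OTORIO or from any product: it parses a hypothetical, constructed firewall log format, flags allowed sessions that reach an ICS port from an address outside the organisation's internal ranges, and summarises which devices are exposed to which external sources. The internal ranges and the sample log lines (TEST-NET addresses) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple

# Ports the article names for industrial protocols (destination port -> protocol).
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP (CIP)"}

# Assumption: the organisation's own address space. Anything outside these
# ranges is treated as "external" for the purpose of this check.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Hypothetical log line format, constructed for this example (not a real product's format):
#   2022-10-02T10:15:03Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.5:502
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

Finding = namedtuple("Finding", "ts src dst dport protocol_name")


def is_internal(ip):
    """True if ip falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exposed_ics_sessions(lines):
    """Return a Finding for every ALLOWed TCP session from an external source to an ICS port."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash on noisy logs
        if m["action"] != "ALLOW" or m["proto"] != "TCP":
            continue  # denied traffic was blocked; the named ports are TCP
        dport = int(m["dport"])
        if dport not in ICS_PORTS or is_internal(m["src"]):
            continue  # not an ICS port, or a session from inside the plant network
        findings.append(Finding(m["ts"], m["src"], m["dst"], dport, ICS_PORTS[dport]))
    return findings


def exposed_devices(findings):
    """Map each internal device that accepted an external ICS session to the set of external sources."""
    devices = defaultdict(set)
    for f in findings:
        devices[f.dst].add(f.src)
    return dict(devices)


# Constructed sample log lines; 203.0.113.x and 198.51.100.x are documentation (TEST-NET) addresses.
LOG_LINES = [
    "2022-10-02T10:15:03Z ALLOW TCP 203.0.113.45:51234 -> 10.20.30.5:502",    # external -> Modbus: finding
    "2022-10-02T10:15:09Z ALLOW TCP 10.20.30.7:40112 -> 10.20.30.5:502",      # internal HMI, expected traffic
    "2022-10-02T10:16:41Z ALLOW TCP 198.51.100.9:6000 -> 10.20.30.6:44818",   # external -> CIP: finding
    "2022-10-02T10:17:02Z DENY TCP 198.51.100.9:6001 -> 10.20.30.6:502",      # blocked by the firewall
    "2022-10-02T10:18:00Z ALLOW TCP 203.0.113.45:51300 -> 10.20.30.5:443",    # not an ICS port
    "malformed line that the parser must tolerate",
]

if __name__ == "__main__":
    hits = find_exposed_ics_sessions(LOG_LINES)
    for h in hits:
        print(f"{h.ts} {h.src} reached {h.dst}:{h.dport} ({h.protocol_name}) from outside the plant network")
    for device, sources in exposed_devices(hits).items():
        print(f"{device} is reachable on an ICS port from {len(sources)} external source(s)")
```

Any device that appears in the summary is a candidate for the first recommendation above: its ICS port should not be reachable from the internet at all, regardless of whether its credentials have been changed from the defaults.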
