Future-proof investment for industrial companies that cannot afford downtime - GigaOm


Country-Specific ICS Targeting: Shining a Light on GhostSec

Country-Specific ICS Targeting: Shining a Light on GhostSec

28 Nov 2022

OTORIO’s security team has been closely following the activity of the GhostSec hacktivist group. In a recent interview with Manufacturing Business Technology (watch it below), OTORIO’s VP of Research, Matan Dobrushin, spoke in-depth about the insights that he and his team have gained about the group and its background, methods, and targets. Specifically, Dobrushin spoke about how the group recently showed an impressive and worrisome ability to breach industrial control systems (ICS), effectively exploiting poorly or improperly configured ICSs. 

According to Dobrushin, GhostSec is a loose consortium of threat actors formed in 2015 that originally targeted the ISIS terrorist group’s digital infrastructure.  Historically, the group’s activities have tended to coalesce around prominent issues du jour – less from any overall guiding ideology than from a simple desire for media attention. More recently, GhostSec claimed credit for attacking a Russian hydroelectric power plant’s ICS to protest the Russian Federation war against Ukraine That attack reportedly caused a massive explosion and emergency shutdown of the power plant’s operations. This fall, the group turned its support to the recent waves of Hijab protests in Iran.

The group’s agenda literally changes with the ebb and flow of public attention. "Last month it was Israel, as part of their pro-Palestinian agenda," noted Dobrushin. "This month, it’s the Iranian government and different entities connected to the Iranian government. We think that their main motivation is really to gain fame."

GhostSec Claims Fame For the First ICS Ransomware in History

On January 11, 2023, GhostSec published a message in their Telegram channel claiming they have successfully issued an attack on RTU device(s) in Belarus with the first in history ICS ransomware:

Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some IoT, but we would like to announce the first RTU attacked!

YES! We just encrypted the first RTU in history! A small device designed only for an ICS environment!

In the snapshots attached to the message, GhostSec demonstrates proof with images of the file listing of /bin directory with system files, following a successful login via SSH to the TELEOFIS RTU device with “before” and “after” the encryption.


GhostSec ICS ransomware claim - image 1


GhostSec ICS ransomware claim - image 2

In the “after” image it is shown that some files were appended with the ".fuckPutin” extension, which is typical of ransomware. 

TELEOFIS is a manufacturer of wireless OT telecommunication devices, aka RTU – remote terminal unit devices from Moscow, Russia. As seen in the images, the specific device is TELEOFIS RTU968 V2 – a 3G router for industrial environments. Once again, we suspect that the initial access to the device was using weak authentication of the device. 

The Teleofis device could be considered an RTU as it can be connected to Modbus devices or serial interfaces, however, it is not the first thing that comes to mind, both in terms of functionality, architecture nor robustness (unlike Siemens, GE, or SEL common devices). Also, the device can be used as just a 3G router, and ‘more robust’ devices could be connected behind it. 

Moreover, in order to create a Ransomware type of attack on a common RTU, it would require GhostSec to have deeper OT knowledge and resources, such as experimenting with real OT engineering tools and devices. The Teleofis device is OpenWRT based, which is basically Linux, and does not introduce any new, real OT capability.

A Shift in Tactics

Recently, Dobrushin said, the group seems to have switched tactics. It’s begun targeting ICS systems in critical infrastructure installations and specific PLCs in various industrial players on a country-specific basis. The group is managing to exploit known and new vulnerabilities within ICS controls – polishing their knowledge of open-source tools, different OT protocols, their capabilities, and mastering exploiting vulnerabilities in popular Programmable Logic Controllers (PLCs) from companies like Berghof.

The implications of this new focus on OT and country-specific targeting are disturbing. The ICS systems under attack today are similar to those used in sensitive verticals like energy, pharmaceuticals, and water. For example, in September GhostSec published evidence that it had taken control of a system controlling pH and chlorine levels in an Israeli hotel swimming pool by breaching an Aegis II controller manufactured by ProMinent.

The group has become adept at exploiting ICS misconfigurations, claims Dobrushin. The most common ICS misconfigurations are things like segmentation, connecting devices directly to the Internet, or leaving default credentials on new installations. Surprisingly, these basic oversights happen even in organizations that are highly aware of cybersecurity issues. One reason for this is that "the people who are responsible for the operations and installing [a PLC/ICS] system are not the same ones responsible for securing it." In other words, a lack of coordination between security teams – which are still frequently focused on IT more than OT – and OT operations is leaving companies vulnerable to hacking from groups like GhostSec.

The Implications of Recent Breaches

The fact is that GhostSec views themselves as hacktivists, Dobrushin emphasized. They’re apparently not in it for money and not necessarily to inflict serious damage. Rather, they are trying to raise awareness for various causes that they perceive as just. From this perspective, GhostSec is more of a nuisance than a serious threat.

However, the vulnerabilities they exploit and the methods GhostSec develops are closely watched by hacking groups with far less ethical or moral restraints. GhostSec "is one of the first groups to use the open source tools that are available for ICS communication," said Dobrushin. The ease of attack that GhostSec is demonstrating can easily inspire copycat attacks, he continued. And this is the true danger of GhostSec.


"Our technology helps industrial networks raise their walls and protect themselves better" from vulnerabilities like those exploited by GhostSec, Dobrushin noted. Preferring solutions based on orchestration and automation, as opposed to "just putting another sensor in the network," OTORIO’s research team also focuses significant efforts on creating freely-downloadable open source OT security tools. Additionally, Dobrushin and his team closely monitor hacking groups like GhostSec alongside newly-discovered vulnerabilities – providing real-time alerts to the OT security community when needed.

Overall, Dobrushin said, OTORIO and his team strive to ensure that IT and OT stakeholders can collaborate effectively, use the same language by creating an ecosystem where everyone is in the loop, and each side understands the needs and priorities of the other. In this way, organizations can be confident that they are mounting the most effective defense against organizations like GhostSec and GhostSec-inspired threat actors.

Safeguarding ICS and PLC devices

OTORIO's reconOT helps critical infrastructure companies and industrial manufacturers prevent breaches that can impact ICS and PLC devices. It does so via automatic, OT-centric reconnaissance to discover a company's assets and OT security vulnerabilities as a potential attacker would see them.

To learn more, contact OTORIO's OT security professionals.

11 Jan 2022 A House of Cards: Shoring Up the OT Digital more...
02 Mar 2021 OTORIO’s Pen-Testers discovered more than 20 vulnerabilities in a popular Industrial Remote Access Solution more...
10 Feb 2021 Florida’s Water Poisoned by Hackers: A Warning Signal more...