Targeting ICS with Country-Specific Tactics: Illuminating GhostSec

28 Nov 2022

OTORIO’s security team has been closely following the activity of the GhostSec hacktivist group. In a recent interview with Manufacturing Business Technology, OTORIO’s VP of Research, Matan Dobrushin, spoke in depth about the insights that he and his team have gained into the group’s background, methods, and targets. Specifically, Dobrushin described how the group recently showed an impressive and worrisome ability to breach industrial control systems (ICS), exploiting poorly or improperly configured installations.

According to Dobrushin, GhostSec is a loose consortium of threat actors formed in 2015 that originally targeted the ISIS terrorist group’s digital infrastructure. Historically, the group’s activities have tended to coalesce around prominent issues du jour – less from any overall guiding ideology than from a simple desire for media attention. More recently, GhostSec claimed credit for attacking a Russian hydroelectric power plant’s ICS to protest the Russian Federation’s war against Ukraine. That attack reportedly caused a massive explosion and an emergency shutdown of the power plant’s operations. This fall, the group turned its support to the recent waves of Hijab protests in Iran.

The group’s agenda literally changes with the ebb and flow of public attention. "Last month it was Israel, as part of their pro-Palestinian agenda," noted Dobrushin. "This month, it’s the Iranian government and different entities connected to the Iranian government. We think that their main motivation is really to gain fame."

A Shift in Tactics

Recently, Dobrushin said, the group seems to have switched tactics. It has begun targeting ICS in critical infrastructure installations and specific PLCs at various industrial players on a country-specific basis. The group is polishing its knowledge of open-source tools and of different OT protocols and their capabilities, gaining access to devices such as Human Machine Interfaces (HMIs) and Programmable Logic Controllers (PLCs) that have weak security configurations.

The implications of this new focus on OT and country-specific targeting are disturbing. The ICS systems under attack today are similar to those used in sensitive verticals like energy, pharmaceuticals, and water. For example, in September GhostSec published evidence that it had taken control of a system controlling pH and chlorine levels in an Israeli hotel swimming pool by breaching an Aegis II controller manufactured by ProMinent.

The group has become adept at exploiting ICS misconfigurations, claims Dobrushin. The most common ICS misconfigurations are missing network segmentation, connecting devices directly to the Internet, and leaving default credentials on new installations. Surprisingly, these basic oversights happen even in organizations that are highly aware of cybersecurity issues. One reason for this is that "the people who are responsible for the operations and installing [a PLC/ICS] system are not the same ones responsible for securing it." In other words, a lack of coordination between security teams – which are still frequently focused on IT more than OT – and OT operations is leaving companies vulnerable to hacking from groups like GhostSec.
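The three misconfiguration classes above lend themselves to a simple inventory audit. The following is an added example, not code from OTORIO or from the interview; the asset inventory, firewall rules, device names and the 203.0.113.10 documentation-range address are all constructed, and the port-to-protocol table is limited to four common ICS protocols.

```python
import ipaddress

# ICS protocol ports that should only ever be reachable from inside the OT zone.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}

# RFC 1918 ranges; anything outside them is treated as Internet-facing for this audit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical devices): one PLC on a public address,
# one HMI still on vendor defaults, one PLC reachable from the IT zone, one clean PLC.
ASSETS = [
    {"name": "plc-pool-1", "ip": "203.0.113.10", "zone": "OT", "ports": [502], "default_creds": False},
    {"name": "hmi-line-2", "ip": "10.20.1.5", "zone": "OT", "ports": [102], "default_creds": True},
    {"name": "plc-line-3", "ip": "10.20.1.9", "zone": "OT", "ports": [502], "default_creds": False},
    {"name": "plc-line-4", "ip": "10.20.1.12", "zone": "OT", "ports": [44818], "default_creds": False},
]

# Constructed firewall allow-rules: (source zone, destination IP or "any", destination port).
FW_RULES = [
    ("IT", "10.20.1.9", 502),   # IT workstations may speak Modbus to plc-line-3: segmentation gap
    ("OT", "any", 502),
    ("OT", "any", 44818),
]


def is_internet_facing(ip: str) -> bool:
    """True when the address is outside every RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit(assets, rules):
    """Return (asset name, issue) tuples for the three misconfiguration classes."""
    findings = []
    for a in assets:
        exposed = [p for p in a["ports"] if p in ICS_PORTS]
        # 1. Device connected directly to the Internet with an ICS protocol listening.
        if exposed and is_internet_facing(a["ip"]):
            findings.append((a["name"], f"{ICS_PORTS[exposed[0]]} reachable from the Internet"))
        # 2. Vendor default credentials never changed after installation.
        if a["default_creds"]:
            findings.append((a["name"], "vendor default credentials still set"))
        # 3. Missing segmentation: a rule lets another zone reach an ICS port on this device.
        for src, dst, port in rules:
            if src != a["zone"] and dst in ("any", a["ip"]) and port in exposed:
                findings.append((a["name"], f"{ICS_PORTS[port]} allowed from {src} zone (no segmentation)"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(ASSETS, FW_RULES):
        print(f"{name}: {issue}")
```

Feeding the script a real inventory export and firewall policy instead of the constructed lists gives a first-pass list of the devices a group like GhostSec would find easiest to reach.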

The Implications of Recent Breaches

GhostSec views itself as a hacktivist group, Dobrushin emphasized. Its members are apparently not in it for money and not necessarily to inflict serious damage. Rather, they are trying to raise awareness for various causes that they perceive as just. From this perspective, GhostSec is more of a nuisance than a serious threat.

However, the vulnerabilities GhostSec exploits and the methods it develops are closely watched by hacking groups with far fewer ethical or moral restraints. GhostSec "is one of the first groups to use the open source tools that are available for ICS communication," said Dobrushin. The ease of attack that GhostSec is demonstrating can easily inspire copycat attacks, he continued. And this is the true danger of GhostSec.


"Our technology helps industrial networks raise their walls and protect themselves better" from vulnerabilities like those exploited by GhostSec, Dobrushin noted. Preferring solutions based on orchestration and automation, as opposed to "just putting another sensor in the network," OTORIO’s research team also focuses significant effort on creating freely downloadable open source OT security tools. Additionally, Dobrushin and his team closely monitor hacking groups like GhostSec alongside newly discovered vulnerabilities, providing real-time alerts to the OT security community when needed.

Overall, Dobrushin said, OTORIO and his team strive to ensure that IT and OT stakeholders can collaborate effectively and speak the same language, by creating an ecosystem where everyone is in the loop and each side understands the needs and priorities of the other. In this way, organizations can be confident that they are mounting the most effective defense against groups like GhostSec and GhostSec-inspired threat actors.

Safeguarding ICS and PLC Devices

OTORIO's reconOT helps critical infrastructure companies and industrial manufacturers prevent breaches that can impact ICS and PLC devices. It does so via automatic, OT-centric reconnaissance to discover a company's assets and OT security vulnerabilities as a potential attacker would see them.

To learn more, contact OTORIO's OT security professionals.