GhostSec Strikes Again in Israel Alleging Water Safety Breach

14 Sep 2022

By David Krivobokov, Research Team Leader

Last week we shared our research insights into GhostSec’s claimed breach of 55 Berghof PLCs in Israel. This weekend, on September 10, 2022, the hacktivist group published another announcement alleging that it successfully breached another controller in Israel.

According to images that the GhostSec published, the group appeared to have taken control of a water system’s pH and chlorine levels. In the published message, the hacktivists said they “understand the damages that can be done …” and that the “Ph pumps” are an exception for their anti-Israeli cyber campaigns.

Unlike the hacktivist’s activity that we reported on last week, this time they did not provide specific details about the hack (e.g., an IP address, data dumps of the breached system) except for a few screenshots.

As with the previous case, we wanted to understand how GhostSec gained access to the newly breached controller, and without specific indicators, it was a bit of a challenge. However, based on data we saw in the image, OTORIO’s Research team successfully tracked the affected system and got an impression of what appeared to be “breached” and how.



The Breached Controller

The affected controller is an Aegis II controller manufactured by ProMinent:

AEGIS II Controller - ProMinent


The company’s website describes it as follows:

Controller AEGIS II continuously measures and controls the conductivity and biocide concentration to keep pipework and heat exchangers clean.

The AEGIS II Controller’s applications include:

  • Control of bleeding in evaporation cooling systems
  • Volume-proportional control or regulation of the metering of corrosion inhibitors, de-foamers and dispersants
  • Measurement and control of the inhibitor concentration through the use of a fluorescence sensor
  • Measurement and optionally control of the pH value and ORP voltage
  • Metering of biocides, based on time or measured values

While the system does measure pH levels and other parameters, its usage seems to be more oriented at non-drinking water, as drinking water requires a much more diverse range of parameters monitored and configured. There are additional findings that support the assumption that this system is not intended to regulate drinking water parameters.

Finding the Actual Victim

Now that we knew more about the affected controller, we tried to find the exact system that was breached by GhostSec. After searching for Aegis II controllers that are exposed to the Internet in Israel, we successfully located the breached one.

Interestingly, the IP address correlates with IP ranges associated with breaches from the last week. Perhaps the group is scanning the IP addresses in this range for potential new targets.

Our research found two pool controllers that could be affected. While we do not know for certain, it appears that the most likely aim of the breach was for the attackers to demonstrate that they had the ability to control the water’s pH in the hotel's pools as GhostSec’s Telegram message alleged.

Sadly, like our previous industrial OT security research involving water safety, the admin panels of the AEGIS II controllers for these two pools are also accessible by using the default passwords provided in the vendor’s manual.

Resolution of the OT Security Breach

OTORIO informed Israel’s Cyber Emergency Response Team (CERT) about the details of this breach and closely cooperated with the authorities to resolve it quickly. At the time of this writing, the controller is no longer available via public access.

Once again, this incident is a rather sad example of a business maintaining a poor password policy where the default credentials simply weren’t changed. Yet even with the hotel’s failure to change the default password, the system was also exposed to the internet, making it an extremely easy target for cyber attacks.

Even though the damage – this time –  is not as critical as it could have been, despite GhostSec’s assertion that the hackers could have made things much worse, the hacktivist group’s Telegram message promised not to mess with Israel’s water supply. On a different day, or with another hacker group, the risks from a similar cyber attack are potentially enormous.

In general, GhostSec’s recent breaches demonstrate how bad the cybersecurity situation can be when it comes to industrial control systems a/k/a ICS. These latest public breaches hint at additional ones of which we are not yet aware, or which may likely happen in the future.

OTORIO “s reconOT helps critical infrastructure companies and industrial manufacturers prevent these and similar kinds of breaches that can affect water controllers and PLC devices. It does so via automatic, OT-centric reconnaissance to discover a company’s assets and OT security vulnerabilities as a potential attacker would see them.

To learn more, contact OTORIO’s OT security professionals.