By David Krivobokov, Research Team Leader
Last week we shared our research insights into GhostSec’s claimed breach of 55 Berghof PLCs in Israel. This weekend, on September 10, 2022, the hacktivist group published another announcement alleging that it successfully breached another controller in Israel.
According to images that GhostSec published, the group appeared to have taken control of a water system’s pH and chlorine levels. In the published message, the hacktivists said they “understand the damages that can be done …” and that the “Ph pumps” are an exception to their anti-Israeli cyber campaigns.
Unlike the hacktivists’ activity that we reported on last week, this time they did not provide specific details about the hack (e.g., an IP address or data dumps from the breached system), only a few screenshots.
As with the previous case, we wanted to understand how GhostSec gained access to the newly breached controller; without specific indicators, this was a bit of a challenge. However, based on data visible in the image, OTORIO’s Research team successfully tracked down the affected system and got an impression of what appeared to be “breached” and how.
The affected controller is an Aegis II controller manufactured by ProMinent:
The company’s website describes it as follows:
Controller AEGIS II continuously measures and controls the conductivity and biocide concentration to keep pipework and heat exchangers clean.
The AEGIS II Controller’s applications include:
While the system does measure pH levels and other parameters, it appears to be oriented at non-drinking water, since drinking water requires a much more diverse range of parameters to be monitored and configured. Additional findings support the assumption that this system is not intended to regulate drinking water parameters.
Now that we knew more about the affected controller, we tried to find the exact system that was breached by GhostSec. After searching for Aegis II controllers that are exposed to the Internet in Israel, we successfully located the breached one.
Interestingly, the IP address correlates with the IP ranges associated with the breaches from last week. Perhaps the group is scanning the IP addresses in this range for potential new targets.
Our research found two pool controllers that could be affected. While we do not know for certain, it appears that the most likely aim of the breach was for the attackers to demonstrate that they had the ability to control the water’s pH in the hotel's pools as GhostSec’s Telegram message alleged.
Sadly, as in our previous industrial OT security research involving water safety, the admin panels of the AEGIS II controllers for these two pools were also accessible using the default passwords provided in the vendor’s manual.
OTORIO informed Israel’s Cyber Emergency Response Team (CERT) about the details of this breach and closely cooperated with the authorities to resolve it quickly. At the time of this writing, the controller is no longer available via public access.
Once again, this incident is a rather sad example of a business maintaining a poor password policy, where the default credentials simply weren’t changed. Beyond the hotel’s failure to change the default password, the system was also exposed to the internet, making it an extremely easy target for cyber attacks.
This time the damage was not as critical as it could have been: although GhostSec asserted that the hackers could have made things much worse, the group’s Telegram message promised not to mess with Israel’s water supply. On a different day, or with another hacker group, the risks from a similar cyber attack are potentially enormous.
In general, GhostSec’s recent breaches demonstrate how bad the cybersecurity situation can be when it comes to industrial control systems (ICS). These latest public breaches hint at additional ones of which we are not yet aware, or which may well happen in the future.
OTORIO’s reconOT helps critical infrastructure companies and industrial manufacturers prevent these and similar kinds of breaches that can affect water controllers and PLC devices. It does so via automatic, OT-centric reconnaissance to discover a company’s assets and OT security vulnerabilities as a potential attacker would see them.
To learn more, contact OTORIO’s OT security professionals.