Thursday, May 2, 2024

GhostSec Hacker Group Compromised 55 Berghof PLC Industrial Control Devices in Israel

    Alex Smith

    Industrial cybersecurity company OTORIO released, on September 6 local time, details of how the GhostSec hacking group took control of 55 Berghof programmable logic controllers (PLCs) belonging to organizations and platforms in Israel. GhostSec, which was observed targeting Israeli groups and platforms last week, announced on social media and its Telegram channel that it had successfully compromised the devices, OTORIO said.

    “In its release, GhostSec attached a video showing a successful login to the PLC’s admin panel, as well as an HMI screen image showing its current status and PLC process control, as well as showing that the PLC has been blocked,” OTORIO Research Team leader David Krivobokov wrote in a company blog post.

    OTORIO assesses that such security breaches can be very dangerous in an OT (operational technology) environment, as they affect physical processes and, in some cases, even lead to life-threatening situations. “While GhostSec purports to be a sophisticated cyberattack, the incident reviewed here is just an unfortunate case of an easily overlooked misconfiguration in an industrial system that led to an extremely simple attempt to compromise the system itself.”

    Krivobokov observed that the HMI apparently was not accessed or manipulated by GhostSec and the Modbus interface was not exploited, which he read as a sign of unfamiliarity with the OT domain. “As far as we know, GhostSec did not cause serious damage to the affected systems, and this was simply an attempt to draw attention to the hacking group and its activities,” he added.

    Although the impact of this incident was small, it is a good example of how a cyber attack can be avoided with simple, correct configuration. For example, deploy disaster recovery for virtual machines, such as RHV backup or VMware backup. Beyond that, prohibiting public exposure of assets on the Internet and maintaining a good password policy, especially changing default login credentials, will foil attackers' attempts at compromise.

    The OTORIO team examined the published system dumps in two ZIP archives (part_1.zip and part_2.zip), which revealed the public IP addresses of the affected PLCs. “This indicates that the devices have been publicly exposed to the internet. Both archives contain the same type of data – system dumps and HMI screenshots, which are exported directly from the Berghof admin panel. The panel has this feature by design, allowing the logged-in user to create backups and see the current HMI status with screenshots.”

    Krivobokov said the IPs were still accessible over the internet while the company was investigating. Access to the admin panel is password protected; however, a few default and common credentials were enough to log in successfully. “Just visit the ‘Screenshots’ tab to take and view HMI screenshots. Just visit the ‘System Dump’ tab in the admin panel to complete a system dump,” he added.

    “While accessing the management panel gives full control over some functions of the PLC, it cannot directly control industrial processes,” Krivobokov said. “It may affect the process to some extent, but the actual process configuration itself is not available from the admin panel alone.”

    Krivobokov further added that from the research, “We concluded that Berghof used CODESYS technology as its HMI and was also accessible via a browser at a certain address. Based on our observations of the GhostSec breach proof, we do not know whether GhostSec obtained access to the HMI. But we have confirmed that the HMI screen is also public.”
