Pierluigi Paganini September 13, 2022

The hacktivist collective GhostSec claimed to have compromised 55 Berghof PLCs used by Israeli organizations.

Pro-Palestinian Hacking Group GhostSec claimed to have compromised 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a Free Palestine campaign.

On September, 4th, 2022, GhostSec announced on social media and its Telegram channel that it has compromised 55 Berghof PLCs used by organizations in Israel.

GhostSec also published a video demonstrating a successful log-in to the PLC’s admin panel along with screenshots of an HMI screen showing some phases of the attack, including the block of the PLC.

“In the message it published, GhostSec attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped. In the following message (inset) the group published the dumped data from the breached PLCs.” reported the analysis published by Industrial cybersecurity firm OTORIO.

The analysis of the system dumps published by the collective (part_1.zip and part_2.zip) revealed the public IP addresses of the affected PLCs, OTORIO experts speculate that they were exposed online at the time of the attack.

The leaked archives contained system dumps and HMI screenshots, obtained from the Berghof admin panel of the compromised PLCs.

The experts believe that the threat actors gained access to the admin panel of the PLCs by using default and common credentials.

The experts pointed out that although access to the admin panel provides full control over some of the PLC’s functionality, it does allow operators to directly control the industrial process.

“It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel.” continues the experts.

The researchers explained that even if the attack was not sophisticated, the compromise of an OT infrastructure can be extremely dangerous. They added that GhostSec likely hasn’t capabilities to conduct cyber attacks in the OT domain.

“Unlike cyber attacks on IT infrastructure, OT security breaches can be extremely dangerous since they can affect physical processes and, in some cases, even lead to life-threatening situations.” concludes the report. “While GhostSec’s claims are of a sophisticated cyber attack, the incident reviewed here is simply an unfortunate case where easily overlooked misconfigurations of industrial systems led to an extremely unsophisticated attempt to breach the systems themselves. The fact that the HMI probably wasn’t accessed, nor manipulated by GhostSec, and the hackers were not exploiting the Modbus interface, shows an unfamiliarity with the OT domain. To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems, but only sought to draw attention to the hacktivist group and its activities.“

GhostSec also published other screenshots, claiming to have gained access to another control panel that can be used to modify the level of chlorine and pH levels in the water.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, PLCs)

[adrotate banner=”5″]

[adrotate banner=”13″]