[German]In early September, OTORIO reported that the GhostSec hacktivist group had penetrated 55 Berghof PLC systems in Israel. Now the hacktivist group published another report claiming to have successfully penetrated more industrial control systems. OTORIA provided me with some information about these attacks, which I publish here on the blog.
Advertising
According to the images released by GhostSec, the group appeared to have taken control of the pH and chlorine levels of a water system. In the published message, the hacktivists stated that they "understand the damage that can be done…" and that the "pH pumps" are an exception to their anti-Israel cyber campaigns.
Unlike the hacktivist activity reported by OTORIO last week, this time no specific details about the hack (e.g. an IP address, data dumps of the attacked system) have been released except for a few screenshots. As in the case linked above, OTORIO security specialists wanted to find out how GhostSec gained access to the freshly cracked controller. However, using the data in the image, the OTORIO research team was able to successfully track down the affected system and get an idea of what and how it appears to have been breached.
The controller under attack
The affected controller is an Aegis II Controller des Herstellers ProMinent, which is described on the company's website as follows:
Advertising
The AEGIS II Controller continuously measures and controls conductivity and biocide concentration to keep piping and heat exchangers clean.
Applications for the AEGIS II Controller include:
- Control of deaeration in evaporative cooling systems
- volume proportional control or regulation of the dosing of corrosion inhibitors, defoamers and dispersants
- measurement and control of inhibitor concentration by using a fluorescence sensor
- Measurement and, if necessary, control of the pH value and the redox voltage
- Dosing of biocides, based on time or measured values
While the system measures pH and other parameters, its use appears to be geared more toward non-potable water, as a much wider range of parameters must be monitored and configured for potable water. Other details indicate that this system is not intended to control drinking water parameters.
The search of the victim
Now that the security researchers knew more about the affected controller, they tried to find the system that GhostSec had penetrated. After searching for Aegis II controllers accessible via the Internet in Israel, they managed to find the attacked controller.
Interestingly, the IP address matches IP ranges associated with security breaches from the early September 2022 attack mentioned above. It is possible that the group is searching IP addresses in this range for potential new targets.
The research revealed that two swimming pool controllers might be affected. Thus, it seems that the most likely goal of the intrusion was to show that the attackers are able to control the pH of the water in the hotel's pools. This was claimed in the Telegram message from GhostSec.
Vulnerabilities: Internet and default passwords
Unfortunately, as with the earlier OT water hygiene security study, the administration panels of the AEGIS-II controls for these two pools are also accessible via the default passwords specified in the manufacturer's manual.
OT security breach remediation
OTORIO informed the Israeli Cyber Emergency Response Team (CERT)
of the details of the security breach and worked closely with authorities to quickly resolve the incident. Currently, the controller is no longer publicly accessible.
This incident is yet another example of a company that had a poor password policy and simply did not change the default credentials. Moreover, the system was exposed to the Internet anyway, which made it an extremely easy target for cyberattacks.
Even though the damage – this time – is not as great as it could have been, the hacker group promised in its Telegram message that it would not attack Israel's water supply. GhostSec claims the hackers could have done worse. In the case of another active hacker group, the risks of a similar cyberattack could potentially be enormous.
More broadly, GhostSec's recent activities demonstrate how poor the state of cybersecurity is in industrial control systems (ICS). These recent publicly disclosed incidents suggest others that OTORIO is not yet aware of or that may occur in the future.
OTORIO is an operational technology (OT) security company that provides "end-to-end" solutions for proactive digital risk management in industrial enterprises.
