Iran: Hacker attacks on nuclear energy agency and industrial facilities

Since the political turmoil began, government agencies and companies in Iran have been in the focus of hackers who are successfully breaking into IT systems. Websites of TV stations are defaced, or the hackers penetrate IT systems and exfiltrate data. Iran's Atomic Energy Agency, for example, had to admit that it was hacked (but only after the data became public). I also have a description of how hackers are penetrating Iranian industrial facilities. Below is a brief overview.

Hacking attacks on Atomic Energy Agency

It had been going through the media for a few days: hackers had penetrated the IT systems of Iran's Atomic Energy Agency and stolen documents. The Register reports in the article Hacktivists say they stole 100,000 emails from Iran's nuclear energy agency that those responsible initially dismissed the claims as a media PR stunt. Only when the documents were published did the agency's officials admit to the hack.

(Tweet: Iran's atomic energy agency hacked)

The colleagues from Bleeping Computer have picked up on this and point out the issue in the above tweet.

Attacks on Iran's industrial plant control systems

Security experts at Otorio also provided me with details of an analysis of attacks on industrial control systems (ICS). The hacktivist group "GhostSec" was recently observed targeting Israeli PLCs (Programmable Logic Controllers), probably to demonstrate its hacking capabilities in the ICS field.

In their recent campaigns, the hacktivists have turned their attention to the wave of hijab protests in Iran and are now attacking Iranian control systems in industrial plants. David Krivobokov, Research Team Leader at OTORIO, writes:

The hackers have released several images as evidence of successfully "hacked" systems. These show the use of SCADA modules from the Metasploit framework and a MOXA E2214 controller admin Web portal after a successful login. While it is not clear what the ultimate damaging impact of the "breached" systems is, the case again demonstrates the ease and potential impact of attacking ICS systems that have inadequate security controls.

Below are the hackers' illustrations of these attacks from GhostSec's Telegram channel, which show the use of the Metasploit framework.

(Three screenshots, captioned "Iran Hack", from GhostSec's Telegram channel)

The GhostSec attackers used a Metasploit framework, very commonly used by security researchers and pen testers, for the hacks. Metasploit is an extremely powerful and modular framework that enables the execution of a wide range of attacks against remote assets.

Kali Linux – a Linux distribution for hackers – includes Metasploit "out-of-the-box" and comes with specific modules for attacks on OT systems. With this toolbox, even inexperienced hackers are able to inflict significant damage on ICS targets. In many cases, they can simply scan the Internet for potential ICS targets that have open ports associated with industrial protocols, such as Modbus on TCP port 502 or CIP on TCP port 44818, and then apply the Metasploit SCADA modules or other ICS attack tools to them.

The most disturbing part of this development is that GhostSec compromised PLC web interfaces two weeks ago. Meanwhile, the group is starting to look for new open-source tools and further investigate various OT protocols and their capabilities. The hacktivist group appears to be highly motivated and has capabilities that are getting stronger each time.

OTORIO's recommendation for organizations with vulnerable PLCs or ICSs: make sure there is no direct access from the Internet to your OT devices, especially to their operational services. Also, invest in minimal cyber-security measures such as continually changing default passwords.
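One way to check OTORIO's first recommendation against your own firewall logs: flag accepted connections from non-internal addresses to the two OT ports named above (Modbus on TCP 502, CIP on TCP 44818). This is an added example, not code from the article or from OTORIO; the log format, host names and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# TCP ports of the two OT protocols the article names (Modbus, EtherNet/IP CIP).
OT_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP (CIP)"}

# Constructed sample firewall log lines in a hypothetical format (not from any real device).
SAMPLE_LOG = """\
2022-10-24T08:01:12Z fw1 ACCEPT proto=TCP src=198.51.100.23:51234 dst=10.20.30.5:502
2022-10-24T08:01:15Z fw1 ACCEPT proto=TCP src=10.20.30.8:40001 dst=10.20.30.5:502
2022-10-24T08:02:40Z fw1 ACCEPT proto=TCP src=203.0.113.9:4433 dst=10.20.30.6:44818
2022-10-24T08:02:41Z fw1 ACCEPT proto=TCP src=203.0.113.9:4434 dst=10.20.30.6:443
2022-10-24T08:03:00Z fw1 DROP proto=TCP src=192.0.2.77:60000 dst=10.20.30.5:502
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Address ranges that never count as "the Internet"; the RFC 5737 documentation
# addresses in the sample are therefore treated as external sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_internet_source(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ot(log_text):
    """Map (dst_ip, dst_port, protocol) -> sorted external source IPs for accepted
    TCP connections from outside the internal ranges to a known OT port."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "ACCEPT" or rec["proto"] != "TCP":
            continue
        dport = int(rec["dport"])
        if dport in OT_PORTS and is_internet_source(rec["sip"]):
            hits[(rec["dip"], dport, OT_PORTS[dport])].add(rec["sip"])
    return {k: sorted(v) for k, v in hits.items()}

for (dip, dport, name), srcs in find_exposed_ot(SAMPLE_LOG).items():
    print(f"EXPOSED {name} at {dip}:{dport} accepted from {', '.join(srcs)}")
```

Any line this prints is a device whose operational service is reachable from outside and belongs behind a firewall rule or VPN, not on the Internet.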

Finally, here is a link to this article from fdd.org with an analysis of Iran's cyber attack ambitions.