A hacktivist collective called GhostSec has claimed credit for compromising up to 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a “Free Palestine” campaign.
Industrial cyber security firm OTORIO, which dug deeper into the incident, said the breach was possible because the PLCs were accessible over the Internet and were secured by supposedly trivial credentials.
Details of the compromise first came to light on September 4 after GhostSec shared a video on its Telegram channel demonstrating a successful login to the PLC admin panel in addition to dumping data from the hacked controllers.
The Israeli company said system downloads and screenshots were exported directly from the admin panel after unauthorized access to the controllers via their public IP addresses.
GhostSec (aka Ghost Security), first identified in 2015, is a self-proclaimed vigilante group that was originally created to target ISIS websites that preach Islamic extremism.
Earlier this February, the group rallied its support for Ukraine shortly after Russia’s military invasion of the country. Since the end of June, it has also participated in a campaign targeting Israeli organizations and enterprises.
“The group shifted from their regular operations and began targeting multiple Israeli companies, apparently gaining access to various IoT interfaces and ICS/SCADA systems, which led to potential disruptions,” Cyberint noted on July 14.
The attacks against Israeli targets, dubbed “#OpIsrael”, reportedly began on June 28, 2022, with the group citing “continued attacks by Israel on Palestinians”.
In the interim, GhostSec has carried out a number of attacks, including those targeting exposed web interfaces belonging to Bezeq International and an ELNet energy meter located at the Scientific Industries Center (Matam).
The Berghof PLCs breach, seen in this light, is part of a wider actor shift to hit the SCADA/ICS domain, although it appears to be a case where the group took advantage of “easily overlooked industrial systems bugs” to carry out the attacks.
“Despite the low impact of this incident, this is an excellent example where a cyberattack could have been easily avoided with simple and proper configuration,” the researchers said.
“Disabling public exposure of online assets and maintaining a good password policy, especially changing the default login credentials, would cause the hacktivist’s breach attempt to fail.”
GhostSec, meanwhile, has continued to post more screenshots, claiming to have gained access to another control panel that can be used to change chlorine and pH levels in water.
“I hope you all can understand our decision not to attack their pH levels and risk a chance to harm the innocents of #Israel,” the group said in a tweet posted over the weekend. “Our ‘war’ has always been FOR the people and not against them. #FreePalestine”