Hacktivists taking a more active role in ICS cybercrime activities
Introduction
Hacktivism is not a recent concept in society, but with increasing global instability due to changes in global security and economy, it has been observed that hacktivists are increasingly conducting cyber-related operations against state and private entities at a higher frequency than earlier observed.
Hacktivists are commonly driven by moral motivations, political agendas, religion, etc. In recent operations (mentioned below) launched by hacktivists, it is quite clear that the hacktivist community is targeting the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
Industrial Control systems play a crucial role in every nation’s economy, energy sector, defense, public health sector, etc. Hence, targeting the ICS sector and any components within has become a new norm for the Hacktivist community.
Cyble Research Labs also observed Threat Actors actively discussing exploits and exposures regarding ICS/SCADA in cybercrime forums.
The Global Map below shows ongoing cyber operations launched by various hacktivist groups globally.
Recent Operations
#OpRussia
OpRussia has been an active operation launched by various anon groups and has been continued by hacktivists for quite some time now. The operation targeted various state and private organizations, including financial institutes, Oil and Gas (O&G) organizations, and the Energy and Transportation sectors.
The barrage of attacks included various data leaks of Personally Identifiable Information (PII), confidential information, tender details, DDoS attacks, etc.
While Advanced Persistence Threat groups were launching targeted attacks on electric facilities in Ukraine, numerous hacktivist groups started targeting critical infrastructures and ICS/SCADA components in Russia.
Below are the few critical and sensitive claims made by hacktivists:
Traffic Controller System
The Twitter handle Voltage claimed to have access to the “Traffic controller system of Russia,” as shown in Figure 2. A few days after, another Tweet provided the details of the exposed Traffic controller system, which, when verified, pointed toward “ASUDD Navigator.”
The same account continued to discuss and share more incidents related to ICS occurring across Russia. It also claimed to have access to critical infrastructure, including the water sector, Food sector, Toxic waste handling system, etc. One of the claims made by the Twitter handles was that the ICS/SCADA attacks carried out in Russia caused fires in various locations, as shown below.
Targeting devices running on IEC 104 and Modbus protocol
Multiple Twitter handles, including PucksReturn & GS_M4F14 (both accounts now suspended), claim that Ghostsec launched a large-scale attack on ICS systems in Russia taking care to avoid hospitals and education systems.
It should also be noted that the Tweet provides details on the number of devices attacked (104 at the time of the post).
Cyble Researcher Labs investigated the claims made by the hacktivist and found out that the IPs being targeted were from Russia.
Another key observation made by the researchers was that hacktivists narrow their targets by finding exposed devices with Application Service Data Unit (ASDU), devices running on port 502, and vendor-wise products.
The attacks used Metasploit IEC104 Module Script and killbus script (which targets devices running on port 502).
The attacks on the ICS components were continuous as the Twitter handle GS_M4F14 (account now suspended) claimed over 600 targets on IEC and Modbus clients, as shown below.
Gusinoozerskaya Hydro-Power Plant Incident
Recently an explosion occurred at Gusinoozerskaya Hydro-Power Plant, for which GhostSec has taken full responsibility. The figure below shows the claims made by the Hacktivists for the event.
Attacks on IEC devices, Modbus devices, and Moxa Devices
GhostSec also claims to have attacked over 2000+ ICS devices across Russia. Apart from IEC and Modbus devices, Moxa devices have been targeted, as shown in Figure 7.
Cyble Research Labs released an in-depth analysis of how Serial to Ethernet Devices can be a key element in sabotaging ICS Environments.
#OpJane
In the aftermath of recent changes to abortion laws in the United States, the Anonymous Hacktivist group launched “Operation Jane,” targeting individuals or entities trying to enforce this law since many hacktivists have shown resentment towards the new legislation.
During a routine investigation, Cyble researchers came across a TA on Telegram mentioning attacks on Industrial Control Systems, as shown in the figure below.
Cyble researchers investigated the claims made by analyzing the screenshots provided on the Telegram channel. The screenshots are provided below.
Researchers believe that the Metasploit module being used in the attack is “Allen-Bradley/Rockwell Automation EtherNet/IP CIP Commands,” This Metasploit module implements the CPU STOP command and can also crash the Ethernet card in an affected device.
Researchers verified the product by investigating IPs visible in the Telegram channel and confirmed that the product being attacked was indeed Rockwell PLC.
#OpIsrael
Operation Israel is one of the longest-running campaigns launched by Hacktivists, targeting Israeli organizations. Recently, however, it was observed that hacktivists were claiming attacks on ICS components within Israel.
Orot Yosef Power Plant
On July 14, 2022, a fire broke out at Orot Yosef Power Plant, located in Southern Israel. From the incident site, Arnold Nataev of the Israeli radio station Radio Darom 97 Tweeted that the source of the fire seemed to have been an air filter.
Almost immediately, the Iranian hacking group “Altahrea” claimed responsibility for the attack providing an IP address in their Telegram channel.
The Altahrea Team published images of the power plant fire on the channel, along with cryptic phrases like, “Do you smell gas or Benzen? Check the store…” as shown below.
The IP shared in the Telegram channel pointed toward an Energy Measuring device, EEM-MA770-PN, a product of Phoenix Contact.
The pro-energy measuring devices are universally deployable, high-precision, network-compatible measuring devices with LC displays. They can measure, evaluate, and process voltages and currents in one, two, and three-phase power supply systems.
The device was visible through one of the online scanners, as shown below.
It should be noted that every ICS environment is different depending upon its operations and processes. The TA’s claim of starting a fire within a power plant by compromising the energy measuring device is thus quite unlikely.
Another key element in this claim is that the IP was shared on the Telegram channel on July 14, 2022. The same IP can be seen in one of the claims made by GhostSec on July 7, 2022, in their Tweet, as shown below.
Gaining Access to ‘Or Akiva Pump Station’
On July 7, 2022, GhostSec claims to have sabotaged the Or Akiva Pump Station, which they shared an image of on their Telegram channel.
#OpIran
On June 27, 2022, the Threat Actor Gonjeshke Darand (Predatory Sparrow) attacked three Iranian steel plants associated with the Iranian Revolutionary Guard Corps (IRGC), commonly referred to as Sepah سپاه, and with the Resistance Mobilization Force/Basij (بسيج). The affected plants were:
- Khouzestan Steel Company (KSC)
- Mobarakeh Steel Company (Isfahan) (MSC)
- Hormozgan Steel Company (HOSCO)
The TAs provided one proof of concept video, followed by a confirmation from Khouzestan Steel Company (KSC) that they have halted production after technical issues following a cyberattack.
More details on the attack can be gathered from our recent analysis, “Iran’s Steel Plants Impacted due to cyberattack.”
Conclusion
Observing the recent trend of ICS attacks, it is fair to assume that Hacktivists and malicious attackers are continuously scanning and launching attacks on ICS components.
The use of open-source scanners, scripts, and tools is becoming a more feasible option for hacktivists. Hacktivists generally lack the resources needed to launch a targeted attack on critical infrastructure facilities, thus, mass-scale attacks are being launched on ICS devices using tools such as Metasploit.
It should be noted that every critical facility has its own process, operations, and security measures. Hence, not all attacks targeting a given facility are necessarily successful.
Hacktivists’ claims are often made just to bring attention to their operations or the issue for which they are launching attacks, making their claims bogus. However, it is surprising to see how closely hacktivists can infiltrate an Industrial Control System using limited skillsets and resources.
If an organization is not following Industrial standards, using vulnerable devices, default factory passwords, or has important assets exposed over the internet, hacktivists can easily sabotage organizations’ operations, impacting multiple processes.
Recommendations
- Keep systems updated with the recent patches released by official vendors.
- Maintain visibility of assets within the ICS environment; Software Bill of Materials can be of significant use to keep track of assets.
- Continuous monitoring and logging are necessary for tracking unusual events within an ICS environment.
- Keep track of advisories and alerts released by official vendors and Government bodies like the Computer Emergency Response Team (CERT).
- Proper network segmentation is necessary to stop intruders from manipulating critical devices within a facility.
- Ensure that ICS components are not exposed over the internet as they can become easy targets for attackers.
- Follow a strong password policy within an organization and ensure that the factory default passwords have been changed.
- Regular audits and VAPT exercises are necessary to find security loopholes that an attacker might exploit.
- Emphasize the physical security of ICS assets.
- Cyber security awareness training is necessary for an organization’s employees to understand emerging threats better.
