Industrial cybersecurity firm Otorio has published details of an investigation into claims by the hacktivist group “GhostSec” that it had compromised 55 Berghof PLC devices used by organizations across Israel.
As proof, the group posted a video of a successful login to a PLC’s admin panel, an image of an HMI screen showing the current state and control of the PLC process, and another image showing that the PLC had been stopped. The group also published data dumped from the breached PLCs.
During analysis of the dump, the researchers found the public IP addresses of the compromised PLCs, indicating that the devices were, and may still be, exposed to the internet. Further investigation showed that the addresses belonged to password-protected Berghof admin panels, but the researchers were able to log in after trying a few default and common credentials.
“Although access to the admin panel provides full control over some of the PLC’s functionality, it does not provide direct control over the industrial process. It is possible to affect the process to some extent, but the actual process configuration itself isn’t available solely from the admin panel,” Otorio wrote in the report.
“From our research, we concluded that Berghof uses CODESYS technology as its HMI, and is also accessible via the browser at a certain address. From our observations of GhostSec’s proofs of breach, we did not know whether GhostSec gained access to the HMI. But we’ve confirmed that the HMI screen was also publicly available.”
The researchers noted that GhostSec probably did not access or manipulate the HMI and did not exploit the Modbus interface, which carries no authentication of its own and would have given direct process-level access that the admin panel does not. In Otorio’s view this indicates an unfamiliarity with the OT domain.
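To make concrete what “exploiting the Modbus interface” would have meant, the following is an added illustration written for this article, not code from Otorio’s report or from GhostSec. It builds and parses Modbus/TCP frames for two standard function codes (0x03 Read Holding Registers and 0x05 Write Single Coil) and runs them against a constructed in-memory stand-in for a PLC; the register values, coil layout and unit id are assumptions chosen for the demo and do not describe any Berghof device. The point it shows is that the protocol has no credential step at all: whoever can reach TCP/502 can read process values and flip outputs.

```python
import struct

# MBAP header: transaction id, protocol id (always 0 for Modbus), length, unit id.
# "length" counts the unit id byte plus the PDU that follows it.
MBAP = struct.Struct(">HHHB")

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


class ModbusException(Exception):
    """Raised when the server answers with an exception PDU (function code | 0x80)."""


def build_frame(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header."""
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU), checking the header."""
    tid, proto, length, unit = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:]
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus/TCP")
    if len(pdu) + 1 != length:
        raise ValueError("MBAP length does not match PDU size")
    return tid, unit, pdu


def read_holding_registers_request(tid, unit, start, count):
    return build_frame(tid, unit, struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count))


def write_single_coil_request(tid, unit, addr, on):
    # The spec encodes a coil write as 0xFF00 (on) or 0x0000 (off).
    return build_frame(tid, unit, struct.pack(">BHH", WRITE_SINGLE_COIL, addr, 0xFF00 if on else 0x0000))


def decode_read_response(frame):
    """Return the register list from a Read Holding Registers response, or raise on an exception PDU."""
    _, _, pdu = parse_frame(frame)
    if pdu[0] & 0x80:
        raise ModbusException(pdu[1])
    byte_count = pdu[1]
    return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count]))


class SimulatedPLC:
    """Constructed stand-in for a Modbus/TCP server; note that nothing here checks who is asking."""

    def __init__(self):
        # Assumed layout for the demo: register 0 = setpoint, 1 = measured value, 2 = run flag.
        self.holding_registers = [1200, 45, 1] + [0] * 13
        self.coils = [False] * 8  # coil 0 is treated as an output the process depends on

    def _exception(self, tid, unit, fc, code):
        return build_frame(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, frame):
        tid, unit, pdu = parse_frame(frame)
        fc = pdu[0]
        if fc == READ_HOLDING_REGISTERS:
            start, count = struct.unpack(">HH", pdu[1:5])
            if not 1 <= count <= 125 or start + count > len(self.holding_registers):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_DATA_ADDRESS)
            regs = self.holding_registers[start:start + count]
            body = struct.pack(">BB", fc, 2 * count) + struct.pack(">%dH" % count, *regs)
            return build_frame(tid, unit, body)
        if fc == WRITE_SINGLE_COIL:
            addr, value = struct.unpack(">HH", pdu[1:5])
            if addr >= len(self.coils) or value not in (0x0000, 0xFF00):
                return self._exception(tid, unit, fc, EXC_ILLEGAL_DATA_ADDRESS)
            self.coils[addr] = value == 0xFF00
            return build_frame(tid, unit, pdu)  # a successful write echoes the request PDU
        return self._exception(tid, unit, fc, EXC_ILLEGAL_FUNCTION)


def demo():
    """Read three process registers, force coil 0 on, then provoke an address error."""
    plc = SimulatedPLC()
    regs = decode_read_response(plc.handle(read_holding_registers_request(1, 1, 0, 3)))
    plc.handle(write_single_coil_request(2, 1, 0, True))
    err_pdu = parse_frame(plc.handle(read_holding_registers_request(3, 1, 100, 4)))[2]
    return regs, plc.coils[0], err_pdu


if __name__ == "__main__":
    print(demo())
```

Each request is answered purely on the basis of the bytes in the frame; there is no session, password or authorization check anywhere in the exchange. That is why, in an OT assessment, an exposed Modbus port is a more serious finding than a password-protected web panel, and why Otorio reads the group’s focus on the admin panel as a sign of limited OT familiarity.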
“While GhostSec’s claims are of a sophisticated cyber attack, the incident reviewed here is simply an unfortunate case where easily overlooked misconfigurations of industrial systems led to an extremely unsophisticated attempt to breach the systems themselves … To the best of our knowledge, GhostSec hadn’t brought critical damage to the affected systems, but only sought to draw attention to the hacktivist group and its activities,” Otorio wrote.