Hacktivist Group GhostSec Breaches 55 Berghof PLCs Throughout Israel

Hacktivist Group GhostSec Breaches Israeli PLCs as Part of “Free Palestine” Campaign

In a significant cybersecurity incident, the hacktivist collective GhostSec has taken responsibility for compromising approximately 55 Berghof programmable logic controllers (PLCs) employed by various Israeli organizations. This action is a component of their ongoing “Free Palestine” campaign, which has escalated recently amid geopolitical tensions.

An analysis by the industrial cybersecurity firm OTORIO found that the breach was possible because the PLCs were directly accessible from the Internet and protected only by easily guessed login credentials. This exposure underscores the vulnerability of industrial systems when adequate security measures are lacking.

The breach came to light on September 4, when GhostSec publicly showcased a video on their Telegram channel. The footage documented their successful login to the PLC’s admin panel and demonstrated the exfiltration of data from the compromised devices. The Israeli firm confirmed that the screenshots and system dumps were retrieved directly from the admin panel following unauthorized access through the PLCs’ public IP addresses.

Founded in 2015, GhostSec, also known as Ghost Security, started as a vigilante group targeting ISIS-related websites promoting extremist ideologies. Over the years, the group has broadened its focus, recently expressing support for Ukraine during its conflict with Russia. Since June, they have shifted their attention toward Israeli enterprises, with operations labeled “#OpIsrael,” initiated in response to ongoing hostilities in the region.

Cyberint, a cybersecurity analysis firm, reported that GhostSec has transitioned to targeting multiple Israeli companies, likely leveraging various IoT interfaces and ICS/SCADA systems, which could result in operational disruptions. Notable attacks have included those aimed at Bezeq International and a power meter from ELNet located at the Scientific Industries Center in Matam.

The breach of Berghof PLCs reflects a notable pivot by GhostSec towards the SCADA and ICS domains. This shift highlights their ability to exploit “easily overlooked misconfigurations” within industrial systems. Experts emphasize that while the immediate impact appears limited, the incident illustrates how simple security measures—such as disabling public exposure to the Internet and enforcing a robust password policy—could significantly mitigate the risk of such attacks.
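The two conditions OTORIO named, an admin panel on a public address and guessable credentials, can be checked offline against an asset inventory. The sketch below is an added example, not code from the article or from OTORIO; the inventory fields, the minimum password length and the short list of guessable values are assumptions made for illustration.

```python
import ipaddress

# Address ranges treated as internal (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Small constructed list of guessable values; a real audit would use a larger one.
GUESSABLE = {"admin", "administrator", "password", "root", "1234", "123456"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def is_internet_facing(addr):
    """True when the management address is outside every internal range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def is_guessable(username, password, device_name):
    """True when the password is short, common, or derived from known names."""
    p = password.lower()
    return (len(password) < MIN_LENGTH
            or p in GUESSABLE
            or p == username.lower()
            or device_name.lower() in p)


def audit(inventory):
    """Return {device name: [findings]} for devices with at least one finding."""
    report = {}
    for dev in inventory:
        findings = []
        if is_internet_facing(dev["mgmt_ip"]):
            findings.append("admin panel on public address")
        if is_guessable(dev["user"], dev["password"], dev["name"]):
            findings.append("guessable credentials")
        if findings:
            report[dev["name"]] = findings
    return report


# Constructed inventory; 203.0.113.0/24 is a documentation range standing in for a public IP.
SAMPLE = [
    {"name": "plc-pump-01", "mgmt_ip": "203.0.113.10", "user": "admin", "password": "admin"},
    {"name": "plc-line-02", "mgmt_ip": "10.20.0.5", "user": "ops", "password": "plc-line-02!"},
    {"name": "plc-hvac-03", "mgmt_ip": "192.168.7.9", "user": "svc_hvac", "password": "T7#qLw9!vRz2Kp"},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", ", ".join(findings))
```

A device that shows both findings matches the exposure described in the OTORIO analysis and is the first to move behind a VPN or firewall and have its credentials rotated.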

Continuing its activity, GhostSec has released screenshots indicating access to another control panel capable of manipulating chlorine and pH levels in water systems. In a recent tweet, the group expressed caution, asserting their intent to avoid harm to civilians while promoting their cause. This statement reflects the complex ethical considerations present in modern cyber operations, particularly in politically charged contexts.

The incident serves as a pertinent reminder of the significance of cybersecurity in protecting critical infrastructure from unauthorized access. The MITRE ATT&CK framework covers the initial access tactic and techniques such as exploitation of public-facing applications and credential dumping, which may have played a role in this attack. As businesses become increasingly interconnected, vigilance in cybersecurity practices is essential to safeguard against evolving threats.
