A hacktivist group has made bold claims regarding an attack on an industrial control system (ICS) device, but industry professionals have questioned their claims.
The hacktivist group known as GhostSec, whose recent operations have focused on ‘punishing’ Russia for its invasion of Ukraine, claims to have conducted the first ever ransomware attack against a remote terminal unit (RTU), a type of ICS device used for communications between field devices and supervisory control and data acquisition (SCADA) systems.
“We just encrypted the first RTU in history! A small device designed only for an ICS environment,” the hackers said. “The age of ransomware coded to attack ICS devices just became a thing, and we were the first.”
The group said the hacked device is located in Belarus, one of Russia’s biggest allies. While the attack was described as ransomware because files on the device were encrypted, there wasn’t an actual ransom demand.
Several experts, including ones from ICS security companies, analyzed the hacktivists’ claims based on the screenshots they made available. The screenshots show that the attackers managed to encrypt some of the files hosted on the device, just like in a ransomware attack.
The first aspect that most experts pointed out is that the targeted device is the Teleofis RTU968, a product described by the Russia-based vendor as a 3G router designed for connecting industrial and commercial facilities to the internet. While the device is labeled as an RTU and can technically be used as an RTU due to the fact that it supports industrial interfaces, it’s not specifically designed for this purpose.
In addition, unlike RTUs made by major vendors such as Siemens, which run operating systems that are custom-built for industrial applications, the Teleofis device runs OpenWrt, a widely used Linux operating system designed for embedded devices.
Ransomware that can encrypt files on a Linux device is not new and there is no indication that encrypting files on the Teleofis device is more difficult. In addition, hacking these types of communication gateways that provide remote connectivity to serial devices is also not new, pointed out industrial cybersecurity firm SynSaber.
“Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking,” explained Ron Fabela, the CTO of SynSaber.
Industrial cybersecurity company Otorio has also analyzed the hackers’ claims and noted, “In order to create a ransomware type of attack on a common RTU, it would require GhostSec to have deeper OT knowledge and resources, such as experimenting with real OT engineering tools and devices. The Teleofis device is OpenWrt based, which is basically Linux, and does not introduce any new, real OT capability.”
Otorio believes the attackers gained initial access to the router by leveraging weak authentication.
Cybersecurity company Claroty’s investigation reached the same conclusion. Its researchers found that the device has a pre-configured SSH service that can be accessed using a pre-configured root password that can be easily cracked.
Claroty has identified nearly 200 internet-exposed Teleofis RTU968 routers in Russia, Kazakhstan and Belarus, and 117 of them had the SSH service enabled.
Researcher Joe Slowik has also analyzed GhostSec’s claims and found that the hackers’ ransomware apparently wasn’t even able to encrypt all files running on the device — in-use files were not encrypted, which limits the impact of the attack.
This is not the first time GhostSec claims to have hacked ICS devices. In September, they claimed to have hijacked programmable logic controllers (PLCs) and a human-machine interface (HMI) in Israel, but their claims again seemed overblown.
While GhostSec’s claims may not be entirely accurate, ransomware attacks can and have caused serious problems for industrial organizations and the industrial systems they are using, even if ICS is in many cases not directly targeted.
In addition, researchers have shown that threat actors could in fact launch ransomware attacks aimed directly at ICS devices. Red Balloon Security showed one year ago how malicious actors could implement ransomware on a protection relay.
On the other hand, this research and the recent incidents do not necessarily mean that ransomware attacks directly targeting ICS devices will become common and widespread in the near future.
“The requirements and implications of ‘true’ industrial ransomware at the RTU or PLC level make this a very unlikely domain for criminals to operate in,” Slowik said. “The payoffs appear too meager to justify both the technical investment and political risk associated with such an action, as outlined above. Instead, it simply makes greater sense economically for such entities to remain in the same space that they’ve resided in for some time: impacting IT and IT-like systems to elicit payment from organizations while attempting to avoid ‘worst case’ societal impacts that bring greater attention from governments and law enforcement.”
Related: BlackCat Ransomware Targets Industrial Companies
Related: Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin
Related: Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom