SecurityWeek

ICS/OT

Cybersecurity Experts Cast Doubt on Hackers’ ICS Ransomware Claims

A hacktivist group has made bold claims regarding an attack on an industrial control system (ICS) device, but industry professionals have questioned their claims.

The hacktivist group known as GhostSec, whose recent operations have focused on ‘punishing’ Russia for its invasion of Ukraine, claims to have conducted the first ever ransomware attack against a remote terminal unit (RTU), a type of ICS device used for communications between field devices and supervisory control and data acquisition (SCADA) systems.

“We just encrypted the first RTU in history! A small device designed only for an ICS environment,” the hackers said. “The age of ransomware coded to attack ICS devices just became a thing, and we were the first.”

The group said the hacked device is located in Belarus, one of Russia’s biggest allies. While the attack was described as ransomware because files on the device were encrypted, there wasn’t an actual ransom demand.

Several experts, including ones from ICS security companies, analyzed the hacktivists’ claims based on the screenshots they made available. The screenshots show that the attackers managed to encrypt some of the files hosted on the device, just like in a ransomware attack.

The first aspect that most experts pointed out is that the targeted device is the Teleofis RTU968, a product described by the Russia-based vendor as a 3G router designed for connecting industrial and commercial facilities to the internet. While the device is labeled as an RTU and can technically be used as one because it supports industrial interfaces, it is not specifically designed for that purpose.

In addition, unlike RTUs made by major vendors such as Siemens, which run operating systems that are custom-built for industrial applications, the Teleofis device runs OpenWrt, a widely used Linux operating system designed for embedded devices.

Ransomware that can encrypt files on a Linux device is not new, and there is no indication that encrypting files on the Teleofis device is any harder than on other Linux systems. In addition, hacking these types of communication gateways, which provide remote connectivity to serial devices, is also not new, pointed out industrial cybersecurity firm SynSaber.

“Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there’s nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking,” explained Ron Fabela, the CTO of SynSaber.

Industrial cybersecurity company Otorio has also analyzed the hackers’ claims and noted, “In order to create a ransomware type of attack on a common RTU, it would require GhostSec to have deeper OT knowledge and resources, such as experimenting with real OT engineering tools and devices. The Teleofis device is OpenWrt based, which is basically Linux, and does not introduce any new, real OT capability.”

Otorio believes the attackers gained initial access to the router by leveraging weak authentication.

Cybersecurity company Claroty’s investigation reached the same conclusion. Its researchers found that the device ships with an SSH service enabled by default and a default root password that is easy to crack.

Claroty has identified nearly 200 internet-exposed Teleofis RTU968 routers in Russia, Kazakhstan and Belarus, and 117 of them had the SSH service enabled.
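The weak configuration the researchers describe (SSH reachable from the internet, password login permitted for root, and a default root password that is cheap to crack) can be checked on any OpenWrt-based gateway from two files: the dropbear UCI configuration and the root entry of /etc/shadow. The script below is an added example written for this article, not code from Claroty, Otorio or the OpenWrt project. It embeds constructed sample copies of both files, so it runs offline; the option names (PasswordAuth, RootPasswordAuth, Interface, enable) are real dropbear UCI options, while the sample values and hashes are made up.

```python
"""Audit an OpenWrt-style gateway for the weak remote-access settings
discussed above: SSH (dropbear) listening on every interface with
password login allowed for root, plus a root password that is empty or
hashed with a fast, easily cracked scheme.

Added example: the file contents below are constructed samples, not data
from a real Teleofis device.
"""

# Constructed sample of /etc/config/dropbear (OpenWrt UCI syntax) with the
# permissive settings: password auth on, root allowed, no Interface
# restriction, so the service also listens on the WAN side.
SAMPLE_DROPBEAR_WEAK = """
config dropbear
\toption PasswordAuth 'on'
\toption RootPasswordAuth 'on'
\toption Port '22'
"""

# The same file after hardening: key-only login, root password login off,
# and the listener bound to the LAN interface only.
SAMPLE_DROPBEAR_HARDENED = """
config dropbear
\toption PasswordAuth 'off'
\toption RootPasswordAuth 'off'
\toption Port '22'
\toption Interface 'lan'
"""

# Constructed root lines from /etc/shadow: no password at all, an md5crypt
# ($1$) hash, and a sha512crypt ($6$) hash. The hash bodies are dummies.
SHADOW_EMPTY = "root::0:0:99999:7:::"
SHADOW_MD5 = "root:$1$abcdefgh$0123456789abcdefghijkl:19000:0:99999:7:::"
SHADOW_SHA512 = "root:$6$saltsalt$" + "x" * 86 + ":19000:0:99999:7:::"

_TRUE = ('on', '1', 'true', 'yes')


def parse_uci(text):
    """Parse UCI text into a list of (section_type, section_name, options)."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 2)
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            current = (parts[1], name, {})
            sections.append(current)
        elif parts[0] in ('option', 'list') and current is not None and len(parts) == 3:
            key, value = parts[1], parts[2].strip().strip("'\"")
            if parts[0] == 'list':
                current[2].setdefault(key, []).append(value)
            else:
                current[2][key] = value
    return sections


def audit_dropbear(uci_text):
    """Return findings for every enabled dropbear instance in the UCI text.

    Defaults mirror OpenWrt: PasswordAuth and RootPasswordAuth are 'on' and
    the listener is unbound (all interfaces) unless Interface is set.
    """
    findings = []
    for stype, _name, opts in parse_uci(uci_text):
        if stype != 'dropbear' or opts.get('enable', '1') in ('0', 'off', 'false', 'no'):
            continue
        if not opts.get('Interface'):
            findings.append('ssh listens on all interfaces (no Interface restriction)')
        if opts.get('PasswordAuth', 'on') in _TRUE:
            findings.append('password authentication enabled')
            if opts.get('RootPasswordAuth', 'on') in _TRUE:
                findings.append('root login with password allowed')
    return findings


def audit_root_shadow(shadow_line):
    """Return a finding for the root /etc/shadow entry, or None if it is acceptable."""
    fields = shadow_line.split(':')
    if len(fields) < 2 or fields[0] != 'root':
        raise ValueError('expected the root entry of /etc/shadow')
    pw = fields[1]
    if pw == '':
        return 'root has an empty password: SSH password login needs no credential at all'
    if pw in ('!', '*', '!!'):
        return None  # account locked, nothing to crack
    if pw.startswith('$1$'):
        return 'root password hashed with md5crypt (fast, easily cracked)'
    if pw.startswith(('$5$', '$6$', '$y$', '$2')):
        return None  # sha256crypt, sha512crypt, yescrypt, bcrypt: slow to brute force
    return 'root password uses legacy DES crypt or an unknown scheme (treat as weak)'


def audit_gateway(uci_text, shadow_line):
    """Combine the SSH configuration and root password findings."""
    findings = audit_dropbear(uci_text)
    shadow_finding = audit_root_shadow(shadow_line)
    if shadow_finding:
        findings.append(shadow_finding)
    return findings


if __name__ == '__main__':
    for label, cfg, shadow in (('weak', SAMPLE_DROPBEAR_WEAK, SHADOW_MD5),
                               ('hardened', SAMPLE_DROPBEAR_HARDENED, SHADOW_SHA512)):
        print(label, audit_gateway(cfg, shadow) or ['no findings'])
```

On a real device the two inputs would be read from /etc/config/dropbear and /etc/shadow; the hardened sample corresponds to setting PasswordAuth and RootPasswordAuth to off and Interface to lan with uci, then restarting dropbear, which leaves only key-based SSH reachable from the local network.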

Researcher Joe Slowik has also analyzed GhostSec’s claims and found that the hackers’ ransomware apparently was not even able to encrypt all of the files on the device: files that were in use were left unencrypted, which limits the impact of the attack.

This is not the first time GhostSec claims to have hacked ICS devices. In September, they claimed to have hijacked programmable logic controllers (PLCs) and a human-machine interface (HMI) in Israel, but their claims again seemed overblown.

While GhostSec’s claims may not be entirely accurate, ransomware attacks can and have caused serious problems for industrial organizations and the industrial systems they operate, even if ICS is in many cases not directly targeted.

In addition, researchers have shown that threat actors could in fact launch ransomware attacks aimed directly at ICS devices. Red Balloon Security showed one year ago how malicious actors could implement ransomware on a protection relay.

On the other hand, this research and the recent incidents do not necessarily mean that ransomware attacks directly targeting ICS devices will become common and widespread in the near future.

“The requirements and implications of ‘true’ industrial ransomware at the RTU or PLC level make this a very unlikely domain for criminals to operate in,” Slowik said. “The payoffs appear too meager to justify both the technical investment and political risk associated with such an action, as outlined above. Instead, it simply makes greater sense economically for such entities to remain in the same space that they’ve resided in for some time: impacting IT and IT-like systems to elicit payment from organizations while attempting to avoid ‘worst case’ societal impacts that bring greater attention from governments and law enforcement.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
