The US cybersecurity agency CISA on Wednesday reiterated a warning that unsophisticated methods can be used to hack industrial control systems (ICS) and other operational technology (OT). Even so, some threat actors appear to be making exaggerated claims when it comes to attacks on such systems.
A pro-Israel hacktivist group known as Red Evil and We Red Evils — known to target Hamas, Lebanon and Iran — this week claimed to have compromised water systems used by Hezbollah, the Lebanese political party and paramilitary group that has been designated as a terrorist organization.
Specifically, the hackers claimed they had received intelligence on the water systems used by Hezbollah for its underground bases in Lebanon. The threat actor claimed to have taken control of supervisory control and data acquisition (SCADA) software associated with 14 water facilities in southern Lebanon and Beirut, and managed to change chlorine levels, suggesting that the goal was to cause harm to Hezbollah members.
The claims come less than two weeks after pagers and other communication devices used by Hezbollah members exploded in what is believed to be an Israeli operation targeting the group.
It’s not uncommon for hacktivists to claim that they have or could have caused significant damage after taking control of ICS. Human-machine interfaces (HMIs) and programmable logic controller (PLC) administration interfaces are often left exposed to the internet and are either completely unprotected or accessible with easy-to-guess default passwords.
While in many cases hackers do in fact gain access to these types of ICS panels, it’s not uncommon for them to exaggerate the potential impact of their attacks. This may be the case with the recent Red Evil attacks as well.
Michael Langer, chief product officer at Israeli ICS security company Radiflow, told SecurityWeek that the screenshots posted by the hackers in an attempt to demonstrate their claims don’t provide actual proof.
Langer noted that it’s indeed possible to easily access internet-exposed HMIs and pointed out that Lebanon is not a country that puts a lot of emphasis on securing its OT systems. Nevertheless, the HMIs targeted by the hackers could be located anywhere in the world — there is no indication that they are associated with systems in Lebanon. In addition, even if they did hack water systems in the country, changing chlorine levels is in many cases not easy.
“There should be additional physical safety systems as part of standard water station implementation [that should prevent chlorine level changes],” Langer told SecurityWeek.
Instead of a significant ICS hacking operation, this is more likely an influence/misinformation operation conducted by Red Evil, the expert believes.
The news came amid reports that Israel may have hacked Lebanon’s telecoms networks to warn civilians via text messages and calls about upcoming attacks targeting Hezbollah buildings in their villages and neighborhoods.
News of the Red Evil operation coincided with CISA warning that threat actors continue to exploit ICS/OT systems through unsophisticated means, including in the water sector. The agency has urged organizations to review guidance developed following a series of attacks launched in recent years by pro-Russia hacktivists.
However, CISA’s fresh warning is likely not in response to the alleged Lebanon ICS hacks, but in response to an attack targeting a water treatment facility in Arkansas City, Kansas, which was forced to switch to manual operations.
CISA’s alert suggests that the attackers may have targeted — or at least indirectly impacted — industrial control systems. However, Arkansas City officials stated that the water supply was not affected and there were no disruptions to service.