Menu
Browse

Cyber Threat Actor: GhostSec

Actor Type Location Known Incidents
 Icon
Activist
20 incidents
Profile

GhostSec, also known as Ghost Sec, operates as a hacktivist collective with shifting affiliations and causes. Publicly reported incidents from 2022 to 2023 demonstrate consistent targeting of government entities, industrial control systems (ICS), and public sector organizations across Mexico, Brazil, Spain, Belarus, and Israel. Their objectives center on disruption and public exposure of perceived security failures or institutional negligence, often accompanied by ideological messaging. Operations include data theft, unauthorized access to critical infrastructure, and public leaks of sensitive information without financial ransom demands. The group has aligned with causes such as #OpIran and pro-Palestinian initiatives, while historical ties to Anonymous appear fluid—sometimes claiming affiliation and other times distinguishing their activities.

Notable tactics include exploiting unsecured internet-exposed ICS devices with default credentials, SQL injection attacks against web applications, and leveraging optical character recognition to extract text from compromised documents. GhostSec frequently uses Telegram for communications and data sales, as observed in the Granada Council breach where a 7 GB database was listed for sale. Their ICS-focused campaigns—such as manipulating water safety parameters in Israeli hotel pools and halting Berghof programmable logic controllers—exploited misconfigured operational technology to generate psychological impact rather than verified operational disruption. Key incidents include the 2023 leak of 7,910 criminal complaints from Mexico’s Quintana Roo Attorney General’s Office, which revealed unresolved cases of human trafficking and corruption, and the breach of Brazil’s gov.br webmail system exposing medical and identification records. Security researchers have noted inconsistencies in some claims, such as their disputed ransomware attack on a Belarusian fertilizer plant, highlighting a pattern of publicity-seeking behavior over technical sophistication.

Incidents
Attributed incidents available to members
20 incidents
Sources
Sources available to members
6 sources