Cyber Incident Victim: Israeli ICS
Date: Sep 2022
Location: Israel
Summary
A pro-Palestine hacktivist group named GhostSec targeted Israeli industrial control systems, compromising internet-exposed programmable logic controllers (PLCs) and a human-machine interface (HMI) associated with a hotel pool, falsely claiming control over water safety parameters. The attackers exploited default credentials and Shodan-accessible devices, demonstrating administrative access and halting a PLC, though analysis confirmed limited direct operational impact due to restricted process configuration controls. While the compromised pool system allowed parameter modification posing potential health risks, the incidents highlighted vulnerabilities in unprotected ICS devices and hacktivists' ability to leverage perceived critical infrastructure threats for psychological effect, despite their limited technical understanding of operational technology. Security researchers noted the group's focus on publicity over substantive disruption, emphasizing the ease of accessing poorly secured industrial systems.
Description
In early September 2022, the pro-Palestine hacktivist group GhostSec claimed responsibility for compromising 55 Berghof programmable logic controllers (PLCs) located in Israel. The group published a video demonstrating access to the PLC administration panels and associated human-machine interface (HMI) systems, along with a screenshot showing one PLC in a stopped state. Industrial cybersecurity firm Otorio investigated these claims and identified that the targeted PLCs were exposed to the internet and discoverable through the Shodan search engine. Many devices were accessible using default or common credentials, though researchers determined that the admin interface provided limited control over industrial processes. While attackers could influence certain functions, direct manipulation of process configurations was not possible through this interface alone. Approximately one week later, GhostSec claimed a second attack involving Israeli industrial control systems, asserting that they could manipulate water safety parameters.

Otorio's analysis of the second incident revealed the compromised system controlled pH and chlorine levels for a hotel swimming pool rather than drinking water infrastructure. The attackers likely misinterpreted the system's purpose but had both monitoring and modification capabilities over pool chemistry parameters, creating potential health risks for users. No operational disruptions or physical damage were confirmed in either incident. Security researchers noted the attackers exploited internet-exposed devices with weak authentication but lacked specialized knowledge of operational technology systems. Historical context referenced a 2020 incident where Iranian actors targeted Israeli water facilities, though no direct connection to GhostSec's activities was established. The incidents highlighted vulnerabilities stemming from unprotected ICS devices accessible via public networks and basic exploitation techniques.
