
Cyber Incident Victim: GhostSec

Date:

Sep 2022

Location:

Israel

Summary

A pro-Palestine hacktivist group named GhostSec targeted Israeli industrial control systems, first claiming compromise of internet-exposed Berghof programmable logic controllers (PLCs) and, about a week later, of a hotel swimming pool's water treatment controller. The attackers found the devices through Shodan searches and logged into their web administration panels with default or weak credentials. In the PLC case they showed a controller in a stopped state; in the pool case they could read and change pH and chlorine settings. Analysis by Otorio found that the PLC admin panel gave no direct control over the industrial process, and that the "water" system was a pool controller rather than drinking-water infrastructure, so actual physical impact was limited even though tampering with pool chemistry is a health risk to swimmers. Security researchers noted that such compromises exploit misconfigured, internet-facing devices to generate public fear while causing little operational disruption, underscoring the broader risk of exposed ICS devices being leveraged for hacktivist messaging.

CIA Posture: Available to members

Motives: 2 motives (available to members)

Tactics, Techniques & Procedures: 3 techniques (available to members)

Threat Actor: 1 actor (available to members)

Type: Available to members

Location: Available to members

Description

In early September 2022, the pro-Palestine hacktivist group GhostSec claimed responsibility for compromising 55 Berghof programmable logic controllers (PLCs) located in Israel. The group published a video demonstrating access to the PLC administration panels and associated human-machine interface (HMI) systems, along with a screenshot showing one PLC in a stopped state. Industrial cybersecurity firm Otorio investigated these claims and confirmed that the PLCs were internet-exposed and discoverable through the Shodan search engine, with many accessible via default or weak credentials. While the compromised admin interface provided certain control functions, Otorio determined it did not enable direct manipulation of industrial processes, limiting potential physical disruption. Approximately one week later, GhostSec claimed a second attack on Israeli industrial control systems, asserting they could manipulate water safety parameters. Otorio's subsequent analysis revealed the targeted system was not part of a municipal water supply but instead controlled pH and chlorine levels for a hotel swimming pool. The hackers had misinterpreted the system's purpose, likely believing it managed drinking water infrastructure.


The attacks demonstrated limited technical understanding of operational technology (OT) systems but highlighted risks posed by poorly secured internet-exposed devices. In the pool control system case, Otorio confirmed attackers could both monitor and alter chemical parameters, creating potential health hazards for pool users. Security researchers noted GhostSec's pattern of targeting easily accessible devices through Shodan queries rather than strategically critical infrastructure. While the incidents caused no verifiable operational disruptions to industrial processes or water supplies, they generated media attention and public concern. Otorio's forensic analysis played a key role in contextualizing both events, clarifying the actual systems affected and the attackers' technical limitations. The group's claims exaggerated the scale and consequences of their intrusions, though the incidents underscored broader vulnerabilities in industrial control system security postures across exposed devices.
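The two incidents above share one detectable pattern: an OT administration interface reachable from the internet, a login with a vendor-default username, and a sensitive action (stopping the PLC, changing a chemical setpoint) issued through that interface. As an added example, not part of the original entry and not Otorio's, Berghof's or GhostSec's code, the following Python script runs that detection logic over access-log lines from a PLC web-admin panel. The log format, the plant address ranges, the default-username list, the action names and the sample lines are all constructed assumptions for the example; the real logging format of the affected devices is not documented on this page. The check uses an explicit allowlist of plant networks rather than a generic "is this a private address" test, because the question an operator cares about is whether the source is one of their own engineering networks.

```python
"""Flag suspicious activity in access logs of an exposed PLC web-admin panel.

Added example (constructed log format, not a vendor's). Three signals:
  * login from outside the plant's allowlisted networks,
  * use of a default/vendor username,
  * a sensitive action (stop, parameter change) issued over the interface.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log: timestamp, source IP, login result, user, action.
SAMPLE_LOG = """\
2022-09-04T10:12:01Z 10.20.1.15 LOGIN_OK user=engineer action=view_status
2022-09-04T10:15:43Z 198.51.100.23 LOGIN_FAIL user=admin action=-
2022-09-04T10:15:47Z 198.51.100.23 LOGIN_OK user=admin action=view_status
2022-09-04T10:16:02Z 198.51.100.23 LOGIN_OK user=admin action=plc_stop
2022-09-04T11:02:10Z 192.168.5.9 LOGIN_OK user=maint action=set_param
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) "
    r"user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Assumed plant engineering networks; anything else is treated as external.
PLANT_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.5.0/24"),
]

# Assumed vendor-default / generic account names worth alerting on.
DEFAULT_USERS = {"admin", "administrator", "root", "operator"}

# Assumed action names that change process state on the controller.
SENSITIVE_ACTIONS = {"plc_stop", "set_param", "download_program"}


def parse(log: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_plant_address(ip: str) -> bool:
    """True if the source IP falls inside one of the allowlisted plant ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PLANT_NETWORKS)


def flag_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that trip at least one signal, with the reasons."""
    alerts = []
    for e in events:
        reasons = []
        if not is_plant_address(e["src"]):
            reasons.append("external-source")
        if e["user"] in DEFAULT_USERS:
            reasons.append("default-username")
        # Only a successful login can actually perform the action.
        if e["result"] == "LOGIN_OK" and e["action"] in SENSITIVE_ACTIONS:
            reasons.append("sensitive-action")
        if reasons:
            alerts.append({**e, "reasons": reasons})
    return alerts


def analyze(log: str) -> List[Dict[str, object]]:
    """Parse and flag in one call; returns the alert list."""
    return flag_events(parse(log))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["src"], a["user"], a["action"], ",".join(a["reasons"]))
```

On the sample data the external admin login that issues `plc_stop` trips all three signals, which is the combination that should page someone; the internal `set_param` from a non-default account trips only the sensitive-action signal and is a candidate for a lower-priority audit trail. Detection is the fallback: the first control is not exposing the admin panel to the internet at all, and the second is removing the default credentials.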

Sources: 1 source (available to members)