Cyber Incident Victim: Israeli Government
Date:
Sep 2022
Location:
Israel
Summary
The hacktivist group GhostSec compromised Israeli industrial control systems, including 55 Berghof PLCs and a ProMinent Aegis II water controller regulating swimming pool pH and chlorine levels. Both breaches relied on the same two weaknesses: administrative interfaces reachable from the internet, and factory-default credentials that had never been changed. GhostSec demonstrated that it could manipulate water parameters and stop a PLC, but its actions appeared limited to proof-of-concept disruption rather than causing operational damage, and the group stated that it did not intend to target drinking water infrastructure. Investigations confirmed the affected systems were publicly accessible with unchanged default passwords, a basic OT configuration failure rather than a software vulnerability. No evidence suggested GhostSec reached deeper process controls or possessed OT capabilities beyond manipulating the exposed administrative interface.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On September 4, 2022, the hacktivist group GhostSec announced via social media and Telegram that it had compromised 55 Berghof programmable logic controllers (PLCs) in Israel. The group shared a video demonstrating a successful login to an admin panel, along with human-machine interface (HMI) screenshots showing PLC status and process control; one image indicated a PLC had been stopped. OTORIO's investigation found that the affected PLCs were directly exposed to the internet, with their IP addresses visible in system dumps GhostSec released. Researchers confirmed the devices were still reachable during their analysis and that the admin panels could be accessed with default or common passwords, so no exploit was required beyond basic credential guessing. The admin panel exposed device-level functions such as stopping the controller, but manipulating the industrial process itself would have required deeper interaction, for example through the CODESYS-based HMI or the Modbus industrial protocol. GhostSec provided no evidence of either, suggesting limited operational technology (OT) capability. The root cause of the exposure was configuration: internet-accessible management interfaces combined with unchanged default credentials.

A second incident occurred on September 10, 2022, when GhostSec claimed access to an Aegis II controller manufactured by ProMinent, a device that regulates water pH and chlorine levels, at a site in Israel. Published screenshots indicated control over chemical parameters, though the system appeared to manage a non-drinking-water application such as a hotel swimming pool. OTORIO identified the breached device by correlating GhostSec's images with Aegis II controllers exposed on the internet in Israel, and found it was still using the default credentials printed in the vendor manual. Its IP address range matched that of the previously compromised Berghof PLCs, suggesting GhostSec had scanned adjacent address space for further targets rather than selecting the device deliberately. OTORIO notified Israel's Cyber Emergency Response Team (CERT), and the controller was subsequently removed from public access. GhostSec asserted it could have caused greater harm but pledged not to target Israel's water supply. Both breaches shared the same root cause: industrial control systems exposed to the internet with unchanged default passwords, which allowed access without any exploit. No physical damage occurred, but the incidents demonstrated how basic configuration oversights put industrial processes within reach of low-skill actors.
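To show what the two compromises described above would look like to a defender, here is an added example of detection logic run over admin-panel access logs. It is not code from the page, from OTORIO, or from either vendor. The log format, hostnames, source addresses, internal address ranges, event names and the brute-force threshold are all assumptions for illustration; real Berghof and ProMinent devices log differently, and the sample lines are constructed. The rules flag three things the incident narrative turns on: a successful management login from outside the plant network (the interface should not be reachable at all), a success preceded by a burst of failures from the same source (credential guessing against a default or common password), and a process-affecting action such as stopping a PLC or changing a chemical setpoint issued from such an external session.

```python
"""Detection over constructed PLC/controller admin-panel access logs.

Added example; the log format and every value below are assumptions,
not a real Berghof or ProMinent log format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical key=value format). 203.0.113.0/24 is a
# documentation range standing in for arbitrary internet sources.
SAMPLE_LOG = """\
2022-09-04T10:12:01Z host=plc-07 src=10.20.30.5 user=engineer event=login result=ok
2022-09-04T10:15:40Z host=plc-07 src=203.0.113.45 user=admin event=login result=fail
2022-09-04T10:15:43Z host=plc-07 src=203.0.113.45 user=admin event=login result=fail
2022-09-04T10:15:47Z host=plc-07 src=203.0.113.45 user=admin event=login result=fail
2022-09-04T10:15:52Z host=plc-07 src=203.0.113.45 user=admin event=login result=ok
2022-09-04T10:16:30Z host=plc-07 src=203.0.113.45 user=admin event=plc_stop result=ok
2022-09-10T08:02:11Z host=aegis-01 src=203.0.113.77 user=admin event=login result=ok
2022-09-10T08:03:05Z host=aegis-01 src=203.0.113.77 user=admin event=setpoint_change param=chlorine result=ok
2022-09-10T09:00:00Z host=aegis-01 src=10.20.30.5 user=operator event=setpoint_change param=ph result=ok
"""

# Assumptions: which ranges count as the plant network, which events alter the
# process, and how many failures within a window count as guessing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTROL_EVENTS = {"plc_stop", "setpoint_change"}
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in m["kv"].split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def is_external(src):
    """True if the source address is outside the assumed plant ranges."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return alerts as (rule, host, src, timestamp) tuples, in log order."""
    alerts = []
    fails = defaultdict(list)    # (host, src) -> timestamps of failed logins
    external_sessions = set()    # (host, src) pairs that logged in from outside
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "host" not in rec or "src" not in rec:
            continue
        key = (rec["host"], rec["src"])
        event, result = rec.get("event"), rec.get("result")
        if event == "login":
            if result != "ok":
                fails[key].append(rec["ts"])
                continue
            # Success after a burst of failures from the same source: guessing worked.
            recent = [t for t in fails[key] if rec["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("credential_guessing_success", *key, rec["ts"]))
            # Any successful management login from outside is itself the finding.
            if is_external(rec["src"]):
                external_sessions.add(key)
                alerts.append(("external_admin_login", *key, rec["ts"]))
        elif event in CONTROL_EVENTS and key in external_sessions:
            alerts.append(("control_action_from_external_session", *key, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, host, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:40s} {host} from {src}")
```

Two caveats worth keeping in mind when adapting this. First, use of a default password is invisible in a login log (the login simply succeeds), so the second rule only catches guessing against it; whether a device still carries factory credentials has to come from a configuration audit, not from detection. Second, the `external_admin_login` rule is a network-exposure finding as much as a detection: in a correctly segmented deployment there is no path for that login to occur, which is the fix the page describes for the Aegis II controller.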
