- The attackers deployed Kali Linux, which provides modules for attacking operational technology (OT) platforms.
- In September, the hackers compromised 55 Berghof Programmable Logic Controllers (PLCs) used by Israeli organisations as part of a Free Palestine campaign.
- Another hacktivist group, Anonymous OpIran, has threatened to target any company that deals with the Iranian government.
- Industrial firms are urged to be especially vigilant at times of heightened socioeconomic tension, as unpreparedness exposes them to greater risk.
GhostSec, a highly organised hacktivist group associated with the international Anonymous hacktivist network, targeted Industrial Control Systems (ICS) in Iran last week following the death of 22-year-old Mahsa Amini, who had been detained by police for allegedly wearing her hijab too loosely.
An unprecedented wave of protests against mandatory hijab laws and other social and economic grievances has been accompanied by a surge in cyberattacks by hacktivist groups in support of the protestors, including a breach of the country's state-run TV and a leak of the contacts and emails of government officials.
Michael Amiri, Senior Analyst in the Cyber & Digital Security practice at ABI Research, said that the recent GhostSec attack targeted ICS assets by taking control of supervisory control and data acquisition (SCADA) modules using the Metasploit framework.
“The attackers deployed Kali Linux, which enables modules to attack operational technology platforms. The group's Twitter account confirmed that it had orchestrated a Modbus attack impacting MOXA and Programmable Logic Controllers (PLCs), destroying a host of them,” he said.
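Modbus, the protocol named in the quote above, carries no authentication or integrity protection: any host that can reach TCP port 502 on a PLC can issue write requests, which is what makes a "Modbus attack" against Internet-reachable controllers straightforward. The following example, added here and not taken from the article, ABI Research or GhostSec, decodes Modbus/TCP request frames and flags state-changing function codes (coil and register writes, diagnostics) issued by hosts outside an assumed engineering-workstation allowlist. The sample traffic, IP addresses and the allowlist are constructed for illustration.

```python
"""
Detect unauthorised Modbus/TCP write requests in a (constructed) capture.

Modbus/TCP frame layout:
  MBAP header (7 bytes): transaction id (2), protocol id (2, always 0),
                         length (2, counts unit id + PDU), unit id (1)
  PDU: function code (1) followed by function-specific data
This is an added example; the frames below are constructed, not a real capture.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Function codes that change or reset PLC state. Plain reads (fc 1-4) are omitted.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting coil/register for the common write codes
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the PDU that follows it."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    # 'length' counts the unit id plus the PDU, so the PDU is length-1 bytes.
    pdu = payload[7:7 + length - 1]
    if len(pdu) != length - 1 or not pdu:
        raise ValueError("declared length does not match payload")
    function = pdu[0]
    address = None
    if function in (5, 6, 15, 16, 22, 23) and len(pdu) >= 3:
        address = struct.unpack(">H", pdu[1:3])[0]
    return ModbusRequest(tid, unit, function, address, pdu[1:])


def flag_unauthorised_writes(frames: Iterable[Tuple[str, bytes]],
                             allowed_writers: set) -> List[Tuple[str, str]]:
    """Return (src_ip, description) for state-changing requests from hosts
    that are not on the allowlist. Malformed frames are skipped."""
    alerts = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, f"{WRITE_FUNCTIONS[req.function]} (fc={req.function}) "
                                f"unit={req.unit_id} addr={req.address}"))
    return alerts


def build_frame(tid: int, unit: int, function: int, body: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used only to construct samples)."""
    pdu = bytes([function]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (hypothetical hosts, not a real capture).
SAMPLE_FRAMES = [
    # fc3 Read Holding Registers, start 0, count 10: benign read from an HMI
    ("10.0.0.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # fc6 Write Single Register from the engineering workstation: allowed
    ("10.0.0.10", build_frame(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # fc5 Write Single Coil (force ON, 0xFF00) from an unknown host
    ("192.0.2.77", build_frame(3, 1, 5, struct.pack(">HH", 3, 0xFF00))),
    # fc16 Write Multiple Registers from the same unknown host: two registers zeroed
    ("192.0.2.77", build_frame(4, 1, 16, struct.pack(">HHB", 100, 2, 4) + b"\x00\x00\x00\x00")),
]

# Assumed allowlist: only the engineering workstation may write to the PLC.
ALLOWED_WRITERS = {"10.0.0.10"}

if __name__ == "__main__":
    for src, msg in flag_unauthorised_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(f"ALERT {src}: {msg}")
```

Because the protocol itself cannot distinguish an engineer from an attacker, this kind of source-based allowlisting (or, better, a firewall that drops port 502 from anywhere but the engineering segment) is the practical control; the parser only shows how little the attacker has to send.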
Companies affected
Some of the companies affected are Mobinnet, ITC, Asiatech, Khalij-Fars-Online, Fanap Telecom, and Sabanet. While the companies are allegedly from the private sector, many have close ties with the government and security forces.
On 4 September 2022, the pro-Palestinian hacking group announced on social media and its Telegram channel that it had compromised 55 Berghof PLCs used by Israeli organisations as part of a Free Palestine campaign.
Amiri said that back in June, three Iranian steel companies were attacked by the hacktivist group “Gonjeshke Darande”, with footage showing fires, damaged equipment and halted operations at the Khuzestan Steel Company.
Another hacktivist group, Anonymous OpIran, has threatened to target any company that deals with the Iranian government.
Spike in hacktivist attacks
“Major ongoing geopolitical incidents around the world—including Russia’s war in Ukraine, increasing protest movements in Iran, and an acceleration in environmental activism—will lead to a spike in hacktivist attacks,” Amiri said.
Moreover, he said that many of these groups are highly motivated entities whose successful campaigns could be imitated by bad actors seeking financial gains from similar attacks.
Since OT systems control physical functions, he said, malicious actors can weaponise them to harm or even kill humans.
“The cost of such attacks is immense and could result in irreparable brand damage. While ransomware attacks are for monetary gain, and while the parties involved might decide to resolve matters discreetly, hacktivists will be sure to reveal and amplify the damages, leading to reputational risks for firms,” Amiri said.
As the GhostSec attack demonstrates, PLCs, human-machine interfaces, and other ICS equipment are receiving increased attention both from cyber attackers and security vendors.
Lack of ICS cybersecurity
According to ABI Research, industrial cyberattacks represented 23.2 per cent of such incidents in 2021, the highest share of any category, including finance. ABI also forecasts that ICS cybersecurity revenue will grow by 23 per cent in total over the 2019–2024 period, reflecting the growing threat to ICS operators and the demand for ways to mitigate the damage.
“While the attack was targeted at companies that are close to a government with a proven track record in malicious cyberactivity, it is another sign that ICS cybersecurity is severely lacking,” Amiri said.
Most current ICS technology, he said, was designed 20 years ago, when cybersecurity controls were not built into systems, leaving it exposed to today's threats.
“Industrial firms should be especially vigilant at times of heightened socioeconomic tensions as the threats of unpreparedness expose these firms to more risk. Companies with government contracts or those deemed as contributing to grievances are prime targets,” he said.
The cyber breach also indicates that the advent of the industrial Internet of things could cause major issues for current and future infrastructure investments.
Amiri urged companies whose OT equipment is directly reachable from the Internet to be especially vigilant and to take appropriate measures.
“This includes changing and strengthening default system passwords, taking advantage of multifactor authentication for external facing systems, and keeping ICS firmware up to date,” he said.