Hacktivist groups actively target Industrial Control System (ICS) devices
Hacktivist group Anonymous recently announced the return of its anti-Israel campaign, “OpIsrael”, to mark the campaign’s 10th anniversary. The group is known for attacks on Israeli websites, including those of government, military and financial institutions, as a form of protest against Israel’s policies towards Palestine. This year’s campaign coincides with the Palestinian elections and comes amid escalating tensions between Israel and Palestine.
The Al-Aqsa Mosque incident has recently sparked a surge of hacktivists targeting Israel under the #OpIsrael campaign. The incident involved Israeli police storming the mosque and using non-lethal weaponry such as tear gas and rubber bullets on Palestinian worshippers, which led to protests and clashes between Palestinians and Israeli forces. In response, hacktivist groups such as Anonymous Sudan launched large-scale cyber-attacks on Israeli postal, agriculture, telecom and banking websites, causing temporary outages.
In previous #OpIsrael campaigns, hacktivists mainly targeted websites of Israeli state and private entities. The attacks consisted of website defacement, Distributed Denial-of-Service (DDoS) attacks and data theft through SQL injection. This year, however, hacktivist groups are actively targeting internet-exposed Industrial Control System (ICS) devices. ICS devices control processes in Critical Infrastructure sectors such as power grids, water treatment plants and transportation systems. Many of these devices are reachable directly from the internet, which puts them within reach of anyone who can find them.
Researchers at Cyble observed that hacktivists are actively targeting assets and organizations that rely heavily on the operation of pumps, valves, motors, and other ICS components. Any disruption or damage to these components could have serious consequences for both the organization and the general public.
Cyble is actively tracking the attacks launched under #OpIsrael. Researchers have observed a rise in DDoS attacks, database dumps, GNSS attacks, and attacks on ICS deployed at facilities whose operations centre on water and other liquids.
Attacks on Internet-Exposed Human Machine Interface
On 9th April 2023, a cyber-attack knocked out ten water controllers in agricultural districts of Israel, temporarily halting irrigation systems on the targeted farms. As per public reports:
“You have been hacked, Down with Israel,” read a message on the controllers, along with an image of a Star of David sinking into the water.
“Currently, reports have been received indicating disruptions in irrigation control on the farms of about 10 farmers in the northern region,” the Israel National Cyber Directorate and the Ministry of Agriculture said in a statement.
Ofer Barnea, CEO of the Upper Galilee Agriculture Company, told Israel Hayom: “Two days ago we received a message that there would be a cyberattack. The farmers were instructed to disconnect the controllers for remote communication. This morning whoever did not disconnect them reported that the controllers had been disabled.”
One of the tweets indicates that Human-Machine Interface (HMI) systems at the site might have been rendered non-operational by the cyberattack. The image shared in the tweet (Figure 1) makes it quite evident that a Unitronics V570 was targeted by the threat actors (TAs).
Exposure of Unitronics Web Server and PCOM
Researchers at Cyble noticed that the alleged target asset type is exposed over the internet. Using an online scanner, over 1,600 Unitronics Web Server and PCOM instances were found exposed to the internet.
The figure below shows the geographical distribution of Unitronics PLCs.
The majority of the exposures were observed in the United States, Australia and Italy. In Israel, there are around 58 internet-exposed Unitronics PCOM devices.
PCOM is Unitronics’ proprietary protocol for remote management of its PLCs (TCP port 20256). PCOM provides neither encryption nor authentication: traffic can be intercepted and read in transit, and, because the PLC does not verify who is talking to it, any party that can reach the port can read and manipulate the data exchanged over the protocol.
A direct TCP connection can be used not only to query process-related values and operands reflecting the state of the process under control, but also to change configuration parameters (such as the network settings, in SI[101-148], or the Info Mode password, also held in an SI register) or even to disrupt PLC operation by setting system registers (e.g., SB) that block communication between legitimate nodes and the PLC.
The internet exposure of Unitronics PCOM devices, combined with publicly available Metasploit modules for the protocol, gives attackers a ready arsenal for exploiting them. In one such incident, researchers at Cyble came across an internet-exposed Unitronics PLC whose visible PLC name (Figure 3) suggests that an unauthorized person had already gained access to it.
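To make the “no authentication” point concrete, the following Python script is an added example (it is not Cyble’s code and not Unitronics tooling) that frames an ASCII-mode PCOM request for TCP, parses frames back out of a capture, and flags the requests that would change the PLC run state. The framing it assumes (a 6-byte little-endian header with transaction id, mode byte 0x65 for ASCII, reserved byte and message length; then `/` + unit id + command + two-hex-digit checksum + CR, with replies prefixed `/A`) and the command codes `ID`, `CCS`, `CCR`, `CCE`, `CCI` are taken from the publicly documented PCOM/ASCII format as I understand it, so verify them against the Unitronics specification before relying on them; the reply payload in the sample session is constructed, not captured traffic.

```python
"""Build, parse and triage Unitronics PCOM/ASCII frames as carried over TCP (added example)."""
import struct

PCOM_TCP_PORT = 20256      # PCOM over TCP, as stated in the text above
ASCII_MODE = 0x65          # protocol-mode byte for ASCII PCOM (assumption: 0x66 is binary PCOM)

# ASCII command codes that change the PLC run state. Assumption: these are the
# codes public PCOM tooling sends; anything else is treated here as a read.
STATE_CHANGING = {"CCS": "stop", "CCR": "run", "CCE": "reset", "CCI": "init"}


def pcom_checksum(body: bytes) -> bytes:
    """ASCII PCOM checksum: sum of the bytes between '/' and the checksum field,
    modulo 256, rendered as two upper-case hex digits."""
    return f"{sum(body) % 256:02X}".encode()


def build_ascii_command(cmd: str, unit_id: int = 0, tx_id: int = 1) -> bytes:
    """Frame an ASCII PCOM request for TCP: header + '/' + unit + cmd + checksum + CR.
    Note that no credential of any kind is part of the message."""
    body = f"{unit_id:02X}{cmd}".encode()
    msg = b"/" + body + pcom_checksum(body) + b"\r"
    return struct.pack("<HBBH", tx_id, ASCII_MODE, 0, len(msg)) + msg


def parse_ascii_frame(frame: bytes) -> dict:
    """Split one TCP-framed ASCII PCOM message and verify its checksum.
    Replies start with '/A', requests with '/'. Simplification: the command code
    is the two characters after the unit id, plus a third for the 'CC' family."""
    if len(frame) < 6:
        raise ValueError("frame shorter than the 6-byte PCOM/TCP header")
    tx_id, mode, _reserved, length = struct.unpack("<HBBH", frame[:6])
    if mode != ASCII_MODE:
        raise ValueError(f"not ASCII PCOM (mode byte 0x{mode:02x})")
    msg = frame[6:6 + length]
    if len(msg) != length or msg[:1] != b"/" or msg[-1:] != b"\r":
        raise ValueError("malformed ASCII PCOM message")
    body, chk = msg[1:-3], msg[-3:-1]
    if pcom_checksum(body) != chk:
        raise ValueError("checksum mismatch")
    is_reply = body[:1] == b"A"
    if is_reply:
        body = body[1:]
    unit_id = int(body[:2], 16)
    rest = body[2:].decode("ascii", "replace")
    cmd = rest[:3] if rest.startswith("CC") else rest[:2]
    return {"tx_id": tx_id, "reply": is_reply, "unit_id": unit_id,
            "command": cmd, "data": rest[len(cmd):]}


def triage_frames(frames: list) -> list:
    """Return only the requests that would change PLC run state: what a defender
    watching TCP/20256 from the internet side should alert on."""
    hits = []
    for frame in frames:
        try:
            info = parse_ascii_frame(frame)
        except ValueError:
            continue  # not ASCII PCOM, or damaged: skip for this triage
        if not info["reply"] and info["command"] in STATE_CHANGING:
            info["action"] = STATE_CHANGING[info["command"]]
            hits.append(info)
    return hits


def sample_reply(cmd: str, data: str, unit_id: int = 0, tx_id: int = 1) -> bytes:
    """Constructed reply frame for demonstration only (the data field is made up)."""
    body = f"A{unit_id:02X}{cmd}{data}".encode()
    msg = b"/" + body + pcom_checksum(body) + b"\r"
    return struct.pack("<HBBH", tx_id, ASCII_MODE, 0, len(msg)) + msg


if __name__ == "__main__":
    # Constructed session: an ID query, a made-up reply naming a V570, then a STOP.
    capture = [
        build_ascii_command("ID", tx_id=1),
        sample_reply("ID", "V570", tx_id=1),
        build_ascii_command("CCS", tx_id=2),
    ]
    for f in capture:
        print(parse_ascii_frame(f))
    print("alerts:", triage_frames(capture))
```

Run it and the third frame is reported as a `stop` request: nothing in the protocol distinguishes that frame from one sent by the plant’s own engineering workstation, which is why the only real control is keeping port 20256 off the internet.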
Unitronics Web Server is a software component that allows remote access to and monitoring of Unitronics PLCs through a web interface. It provides real-time data monitoring, alarms and events, control and modification of system settings, and user management.
CRIL researchers also looked into the internet exposure of the Unitronics Web Server and found over 350 exposed instances. The graph below shows the countries with the highest exposure.
During the course of our investigation, we observed that a few of the exposed Unitronics Web Servers require no authentication at all.
Below, we have included a few screenshots of these internet-exposed instances.
Attacks on ICS devices via VNC
On 14th April 2023, CRIL researchers observed a claim (Figure 6) by “Dragon Force Malaysia”, a pro-Palestinian hacktivist group based in Malaysia. Two things stand out in the screenshot shared by the group:
1. TightVNC: Unitronics
2. List of IPs
Based on these two indicators, researchers believe that internet-exposed VNC services were targeted by the hacktivists. VNC is used to remotely access and control Unitronics devices such as PLCs and HMIs, to monitor and adjust their operation, and Unitronics offers several software tools that work alongside VNC for this purpose.
Around 384 VNC services were observed exposed in Israel (Figure 7), of which 97 have authentication disabled, leaving them open to anyone who connects.
Last year, Cyble released an in-depth analysis, “Exposed VNC a major threat to Critical Infrastructure Sectors”, which provides more insight into these attacks.
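The “authentication disabled” count above comes down to one observable: during the RFB (VNC) handshake the server lists the security types it accepts, and type 1 (“None”) means a client may proceed without any password. The Python script below is an added example (not Cyble’s code) that performs exactly that check, offline against captured server messages and, through `probe()`, live against a host you are authorised to test. The security-type numbers are from the RFB specification (RFC 6143) and its registered extensions; the server messages in the tests are constructed, not captured.

```python
"""Decode the RFB (VNC) security handshake to tell whether a server accepts
unauthenticated clients (added example)."""
import socket
import struct

# Security types from RFC 6143 plus common registered extensions.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                  6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD"}


def parse_rfb_version(banner: bytes) -> tuple:
    """'RFB 003.008\\n' -> (3, 8). Raises if the 12-byte banner is not RFB."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, data: bytes) -> list:
    """Decode the server's security-type message that follows version negotiation.
    RFB 3.3: one big-endian U32 chosen by the server.
    RFB 3.7/3.8: U8 count then that many U8 types; count 0 means the server
    refused and a U32 length plus reason string follows."""
    if version < (3, 7):
        (sectype,) = struct.unpack(">I", data[:4])
        return [sectype]
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("ascii", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(data[1:1 + count])


def auth_disabled(types: list) -> bool:
    """True when type 1 ('None') is offered: the client may pick it and skip
    straight to ClientInit, regardless of what else the server offers."""
    return 1 in types


def describe(types: list) -> list:
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


def analyse(banner: bytes, sec_msg: bytes) -> dict:
    """Evaluate the two server messages of one handshake (offline)."""
    version = parse_rfb_version(banner)
    try:
        types = parse_security_types(min(version, (3, 8)), sec_msg)
    except ConnectionError as exc:
        return {"version": version, "types": [], "auth_disabled": False, "refused": str(exc)}
    return {"version": version, "types": describe(types),
            "auth_disabled": auth_disabled(types), "refused": None}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check of one VNC endpoint. Only use against systems you own or are
    authorised to test. Negotiates 3.8 when the server offers it, else its own version."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_exact(s, 12)
        ours = min(parse_rfb_version(banner), (3, 8))
        s.sendall(b"RFB %03d.%03d\n" % ours)
        if ours < (3, 7):
            data = _recv_exact(s, 4)
        else:
            data = _recv_exact(s, 1)
            if data[0] == 0:
                length = _recv_exact(s, 4)
                data += length + _recv_exact(s, struct.unpack(">I", length)[0])
            else:
                data += _recv_exact(s, data[0])
    return analyse(banner, data)


if __name__ == "__main__":
    # Constructed handshakes: an open server, a password-protected one, a refusal.
    print(analyse(b"RFB 003.008\n", b"\x02\x01\x02"))
    print(analyse(b"RFB 003.003\n", b"\x00\x00\x00\x02"))
    print(analyse(b"RFB 003.008\n", b"\x00\x00\x00\x00\x06Banned"))
```

Two caveats when reading the result: a server that offers only type 16 (Tight) runs its own sub-negotiation with a separate list of authentication methods that can also include “none”, which this parser does not walk, so such a server can still be open; and a server offering “None” alongside “VNC Authentication” is still open, since the client chooses.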
Attacks on Water & Chemical Controllers
On 14th April 2023, “Electronic Tiger Unit” posted on its Telegram channel a screenshot showing access to a water treatment SCADA system (Figure 8). The screenshot shows access to an “Aegis-II” controller.
Aegis-II is a product of ProMinent, a German company specializing in water treatment solutions. It is a controller that records the measuring parameters needed for cooling water treatment and controls the functions required for smooth operation, and it is marketed for cooling, boiler and other water treatment applications with flexible communication options.
To understand the attack surface, researchers at Cyble investigated the exposure of these controllers and found over 70 ProMinent controllers exposed over the internet, with the majority of instances in Australia, Croatia and the Czech Republic. The count may seem small, but it covers a single vendor’s product; the number of internet-facing water and chemical controllers across all vendors is likely to be substantially larger.
The impact of gaining Unauthorized access to Industrial Control Systems devices
If a threat actor gains access to the HMI systems of an irrigation farm, they could manipulate the irrigation process, leading to over- or under-watering of crops. This could significantly damage the crops, affecting their yield and quality; in some cases the damage could be irreparable, leading to financial losses for the farmers.
Additionally, if the threat actor gains access to the control systems of the irrigation pumps, they could cause them to malfunction, leading to flooding or drought in the fields. This could result in soil erosion, nutrient depletion, and damage to irrigation and agricultural infrastructure.
If a threat actor gains access to ICS devices via VNC (Virtual Network Computing), they could take control of the industrial process and cause significant disruption, for example by manipulating process parameters, leading to sub-optimal production or product quality issues.
Such disruptions can lead to equipment failure, downtime and financial losses. The threat actor could also exfiltrate sensitive data from the ICS devices, such as production schedules, product designs and customer data, compromising the organization’s competitive advantage.
If a threat actor gains access to the water and chemical controllers used in boiler rooms and other critical infrastructure, they could manipulate parameters such as pH level, flow rate and chemical dosing rate. Tampering with the chemicals used in water treatment could disrupt production and corrode pipes and boilers, resulting in equipment failure and legal liabilities for the organization.
The recent #OpIsrael campaign has drawn attention to attacks on internet-exposed ICS devices, which are critical in nature and used across Critical Infrastructure sectors. It is important to note, however, that the full impact of attacks on these devices cannot be fully understood until the victim organizations provide more context on what went wrong.
The majority of organizations dealing in the CI sector have safety redundancies and other controls in place to minimize the impact of such attacks. However, if proper safety and security procedures are not in place, mass attacks on these ICS devices may lead to catastrophic events.
Researchers at Cyble believe the ICS attacks launched in the #OpIsrael campaign are majorly due to the use of default credentials and the organizations’ exposure of critical assets over the internet. Frequent hacktivist activity targeting OT increases the risk of significant OT incidents.
By performing in-depth reconnaissance of a target organization, attackers can identify ICS devices that can be compromised remotely, either by exploiting vulnerabilities or by abusing default factory settings that were never changed during installation.
- Follow Established Security Principles: Best practices and established security principles should be followed when designing and implementing devices. This includes conducting regular security assessments, threat modeling, and risk analysis to identify potential vulnerabilities and weaknesses.
- Securely Store Credentials and Secrets: User credentials and other sensitive information should be securely stored and encrypted to prevent unauthorized access. This includes using secure authentication protocols, such as multi-factor authentication, and implementing access control policies to limit access to sensitive data.
- Validate Input and Output Data: Input and output data should be checked to ensure that it is valid and contains no malicious code or commands. This can be done through input validation, output encoding, and secure data transfer protocols such as HTTPS.
- Ensure Software Integrity: Software should be checked for integrity to prevent tampering or malware installation. This can be done through code signing, checksum verification, and secure software delivery mechanisms.
- Ensure Hardware Integrity: Hardware should be checked for integrity to prevent physical tampering or modifications. This can be done through hardware security mechanisms, such as secure boot and trusted platform modules.
- Communicate Securely: All communication between devices should be encrypted to prevent interception or eavesdropping. This includes using secure communication protocols, such as TLS, and implementing secure network segmentation to limit access to sensitive devices.
- Implement Software/Firmware Updates: Software and firmware updates should be regularly installed to fix any security vulnerabilities that are discovered. This includes implementing automatic update mechanisms and ensuring that updates are signed and verified.
- No Default Passwords: Devices should not have any default passwords that can be easily guessed or exploited. Instead, users should be required to set unique passwords when setting up the device. Passwords should also be complex and difficult to guess.
- Minimize Exposure of Attack Surfaces: Devices should be configured to minimize their exposure to potential attacks by limiting access and only allowing necessary services to run. This includes disabling unnecessary features and services, implementing firewalls, and using intrusion detection systems.
- Make Security Easy to Use: Security should be designed to be easy to use and not overly complicated so that users are more likely to use and follow good security practices. This includes providing clear instructions and guidance, as well as designing user interfaces that are intuitive and user-friendly.
Exposed Instances do not indicate vulnerable products
All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.
It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.