Exposed OT devices being targeted alongside GhostSec selling zero-day exploit
When law enforcement agencies apprehend a prominent hacker or hacktivist, it often serves as a rallying point for other hacktivists to react.
Similarly, this arrest galvanized and inspired hacktivist groups like SiegedSec and GhostSec to launch immediate attacks on Colombian State authorities. Generally, such attacks may be restricted to DDoS attacks on websites. However, in this case, the Critical Infrastructure of the Colombian government was targeted, and a huge quantum of data was also leaked.
This particular incident demonstrates the interconnected nature of hacktivist activities, where actions against one individual can inadvertently fuel the determination and momentum of others within the community and put the governance of a country in dire straits.
Attack Timeline of OpColombia
Given below is the timeline of events in retaliation to the arrests by the hacktivist group SiegedSec.
After the arrest on May 19, 2023, the SiegedSec hacktivist group immediately diverted their activities against various state agencies and internet-exposed ICS assets in the Colombian region.
Given below is a screenshot of the claims made by the Hacktivist group.
As stated in the claim, the “Leader of SiegedSec used to work with Org0n”, and in the aftermath of the arrest, nearly 30 Radio broadcasts and government-affiliated Satellite Receivers were targeted by SiegedSec.
A few months ago, the hacktivist group GhostSec also targeted Satellite Receivers. Cyble Research & Intelligence Labs described the criticality of that incident – “GhostSec Targeting Satellite Receivers“. We further forewarned about the associated risks of multiple GNSS receivers exposed over the internet and the availability of their exploits in the public domain.
Subsequently, on May 26, 2023, SiegedSec claimed to have infiltrated the networks of the Colombian government and leaked 6 GB of their data.
As per the claim (Figure – 5), the leak contains: –
- Backend Files
- Confidential Documents
- Identification Cards etc.
On May 28, 2023, SiegedSec, while announcing the conclusion of the OpColombia campaign, claimed responsibility for attacks on Power Supply Controllers and Fueling Systems in Colombia.
The attack was launched in collaboration with GhostSec (Figure 6).
Internet Exposure of ICS/OT assets in Colombia
After this incident, CRIL investigated the exposures of critical infrastructural assets in Colombia and identified over 900 Radio Broadcasting devices, 15 Global Navigation Satellite Systems (GNSS), and 13 Fueling Systems.
Hacktivist GhostSec Exploiting Zero-day Vulnerabilities for Profit
In an unrelated yet noteworthy incident, the hacktivist group GhostSec, on May 27, 2023, was selling a zero-day that they allegedly used to target Berghof Controllers in Israel last year for USD 5,750.
As per the claim made by the group (Figure 8), the exploit can provide the attacker full access to the Berghof Web Panel, and then the attacker can escalate the privileges to the Human Machine Interface (HMI).
An online scanner indicates that there are over 240 internet-exposed Berghof controllers globally.
The figure below shows the exposure of assets in the Top 5 countries.
In today’s interconnected world, internet-exposed Industrial Control Systems (ICS) and Operational Technology (OT) devices have become prime targets for cybercriminals, and organizations must gain better transparency into these assets. Since hacktivists have also started leveraging the vulnerabilities and misconfigurations of ICS devices to disrupt critical infrastructure and gain attention, it’s imperative to give due diligence to the security of these critical assets.
The risks to these assets can affect the populace as they control and monitor essential operations such as power grids, water systems, and manufacturing processes. Hacktivists can cause widespread chaos and economic damage by infiltrating and manipulating these systems as we observed in this analysis on Colombia.
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
- Keep critical assets behind properly configured and updated firewalls.
- Organizations should follow a strong password policy at all times.
- Cyber security awareness training programs for employees within the organization.
- Regular Audits, Vulnerability, and Pentesting exercises are key in finding security loopholes that attackers may exploit.
All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.
It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.