

GhostSec Raising the Bar

Introduction

In June 2022, Cyberint observed a new hacktivist campaign targeting multiple Israeli organizations and enterprises, coordinated across several social media platforms. The campaign is led by the hacktivist group GhostSec.

GhostSec was first identified in 2015 and was initially founded to attack ISIS in the cyber realm as part of the fight against Islamic extremism. In past years, the group participated in several campaigns against several countries, including Nigeria, Colombia, Lebanon and South Africa. From the start of the Russian-Ukrainian war, the group sided with Ukraine and published mainly Russia-related leaks, DDoS attacks, and content under the campaign #OpRussia.

At the end of June 2022, the group declared it was joining the #OpIsrael campaign. Immediately after their announcement, the group pivoted from their regular operations and started to target multiple Israeli companies, presumably gaining access to various IoT interfaces and ICS/SCADA systems, which led to possible disruptions.

The group is well aware of the public relations and news coverage related to its operations, and posts updates on social media about what it is up to. Group members are mainly active on Telegram and Twitter, the platforms primarily used to share their target lists and attack results.

Figure 1: The official GhostSec Twitter account

Overview

GhostSec, a vigilante group managed and operated by hacktivists, was originally founded prior to 2014 and was initially called ‘We Are The Resistance’.

Figure 2: GhostSec announcement about their previous name

Acting as ‘We Are The Resistance’, the group didn’t take part in high-profile attacks and campaigns; instead it mainly trained enthusiastic beginner-level cyber candidates (a.k.a. script kiddies), including by publishing various cyber quizzes.

Figure 3: 'We Are The Resistance' cyber challenge

In 2015, the group’s activity increased and it rebranded itself as GhostSec, joining the fight against ISIS and Islamic extremism. Throughout 2015, the group was associated with taking down hundreds of ISIS websites and social media accounts while gaining the cooperation of law enforcement. By the end of 2015, GhostSec decided to transform its fight against ISIS officials, stopped cooperating with the Anonymous hacktivist group, and renamed itself Ghost Security Group [1].

Figure 4: Ghost Security Group official Twitter

The members who opposed this process continued operating under the name GhostSec and currently seem to target Israeli and American companies.

Social Media Presence

The GhostSec hacktivist group is active on multiple social media platforms:

The group maintains a Telegram channel with currently more than 8K followers. The channel is mainly used for publications and announcements rather than for sharing tools or instructions. Their Telegram group has been active since November 2020 and was involved in several campaigns, including #OpNigeria, #OpColombia and #OpRussia.

Additionally, Cyberint was able to trace several social media accounts of GhostSec members:

| Nickname | Account Type | Created Date | Following | Followers | Associated accounts |
| --- | --- | --- | --- | --- | --- |
| Sebastian Delax – Co-founder | Twitter | November 2015 | 226 | 2,346 | https://twitter.com/SebastianDant19 |
| Sebastian Delax – Co-founder | Twitter | May 2021 | 11 | 15 | https://twitter.com/SebastianDant19 |
| Sebastian Delax – Co-founder | GitHub | November 2015 | 6 | 66 | https://github.com/ghostsec420 |
| Ghost3301 – Co-founder | Twitter | October 2021 | 8 | 2,865 | https://twitter.com/_gHOST3301_ |
| WonderGhost | Twitter | February 2021 | 225 | 3,288 | https://twitter.com/wond3rghost |
| WonderGhost | GitHub | – | 17 | 15 | https://github.com/NeverWonderLand |
| WonderGhost | YouTube | – | – | 65 | https://www.youtube.com/channel/UCl4Sz1xqBV0ZAKze7WfsvYQ |
| Younes | Twitter | June 2020 | 459 | 30.3K | https://twitter.com/younesanonymous |
| Niko (possibly Nicola Ivikov) | GitHub | – | 15 | 45 | https://github.com/FueledAmp |
| SoloMsc | GitHub | – | 17 | 45 | https://github.com/SoloMsc |
| Userware | GitHub | – | 10 | 12 | https://github.com/U53RW4R3 |

Attacks Timeline, Tools and Procedures

Main GhostSec Cyber Attacks Against Israeli Targets

Going back to 2018, Cyberint detected that the group was targeting the Israeli Air Force website. GhostSec claimed responsibility for the website’s takedown on its Twitter account.

Figure 5: GhostSec’s announcement of the defacement of the Israeli Air Force website

An additional attack on an Israeli target was published in 2021, when the group attacked H.R.V.A.C., an Israeli engineering company involved in the Ben Gurion Airport Energy Center project. According to GhostSec, the website was taken down and its data was dumped. Later in 2021, the group shared a small 10 MB file presumably containing internal data from the H.R.V.A.C. website.

The latest wave of activity against Israeli targets began on June 28, 2022, followed by an announcement that the group had officially joined the ‘OpIsrael’ campaign, citing continuous Israeli attacks against Palestinians.

Figure 6: The group’s official announcement about joining the OpIsrael Campaign

Less than an hour later, an IoT attack began. The group uploaded a video to their Telegram channel that showed that an air conditioning interface belonging to bezeqint.net, a major ISP in Israel, was hacked.

Figure 7: Part of the video showing the attack against Bezeqint

On June 29, the group shared additional video evidence of the exposed interface of ELNet, an energy meter and electrical power meter at MATAM (acronym for the Scientific Industries Center) being accessed by the group. According to the group, they gained access to five similar IoT devices in different locations and modified the settings to switch the lights off in all five of them.

Figure 8: Part of the video that demonstrates the attack on MATAM

Another IoT device was added to the victim list: the group accessed the Partner.co.il interface of an IoT-based smart sprinkler system. However, there was no evidence of any disruption to the system’s operation.

On July 6, the group shared screenshots of EEM devices, which measure electrical parameters in low-voltage installations. In addition, the group shared the IoT interface of Or Akiva’s pump station, whose operation the group claims to have disrupted.

Figure 9: The EEM device rewired by the group

After deploying IoT attacks on multiple Israeli organizations, the group shifted into the SCADA/ICS domain, attacking Israeli PLCs (Programmable Logic Controllers) using the Metasploit framework module “auxiliary/admin/scada/multi_cip_command”. The underlying vulnerability was first disclosed in 2012, and the module has continued to be modified since (most recently in 2020). The module implements the CPU STOP command, as well as the ability to crash the Ethernet card of an affected device.

To date, around 5,000 PLCs worldwide are exposed to the internet on port 44818 (EtherNet/IP) and might be affected by this kind of attack.
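The attack described above rides on EtherNet/IP, the protocol that PLCs expose on TCP port 44818. For a defender, the first question is whether any such sessions reach a controller from outside the networks that are supposed to talk to it. The following is an added example, not code from the report or from the tools it describes: it decodes the fixed 24-byte EtherNet/IP encapsulation header (command codes are the public ODVA values) so that session setup and CIP request traffic can be named in a detection pipeline, and it flags flows to port 44818 whose source lies outside an allowlist of engineering networks. The flow-log format, the sample flows and the trusted CIDR are constructed assumptions for the example.

```python
import ipaddress
import struct

# EtherNet/IP encapsulation header command codes (public ODVA specification values).
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

ENIP_PORT = 44818
# command, length, session handle, status, sender context (8 bytes), options; all little-endian
ENIP_HEADER = struct.Struct("<HHII8sI")


def parse_enip_header(data: bytes) -> dict:
    """Decode the 24-byte EtherNet/IP encapsulation header of one TCP message.

    Returns the command name (or 'Unknown(0x....)'), the declared payload length,
    the session handle and status, and whether the declared length matches the
    bytes actually following the header (a mismatch is itself worth flagging).
    """
    if len(data) < ENIP_HEADER.size:
        raise ValueError("packet shorter than the EtherNet/IP encapsulation header")
    command, length, session, status, _context, _options = ENIP_HEADER.unpack_from(data)
    return {
        "command": ENIP_COMMANDS.get(command, f"Unknown(0x{command:04x})"),
        "length": length,
        "session": session,
        "status": status,
        "length_ok": len(data) - ENIP_HEADER.size == length,
    }


def find_exposed_enip_flows(log_lines, trusted_nets):
    """Flag TCP flows to port 44818 whose source is outside the trusted networks.

    log_lines: iterable of constructed CSV lines 'ts,src_ip,src_port,dst_ip,dst_port,proto'.
    trusted_nets: CIDR strings for the engineering/OT networks allowed to speak CIP.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        ts, src_ip, _src_port, dst_ip, dst_port, proto = line.split(",")
        if proto.lower() != "tcp" or int(dst_port) != ENIP_PORT:
            continue
        src = ipaddress.ip_address(src_ip)
        if any(src in net for net in trusted):
            continue
        findings.append({"ts": ts, "src": src_ip, "dst": dst_ip,
                         "reason": "EtherNet/IP session from untrusted source"})
    return findings


# Constructed sample flow log (not data from the report); 10.10.0.0/16 plays the
# role of the engineering network, the 198.51.100.x / 203.0.113.x sources are external.
SAMPLE_FLOWS = """\
# ts,src_ip,src_port,dst_ip,dst_port,proto
1656400000,10.10.5.20,50123,10.20.0.7,44818,tcp
1656400010,198.51.100.23,43112,10.20.0.7,44818,tcp
1656400020,198.51.100.23,43113,10.20.0.7,443,tcp
1656400030,203.0.113.9,60001,10.20.0.8,44818,tcp
""".splitlines()

# Constructed RegisterSession request: header followed by the 4-byte body
# (protocol version 1, option flags 0), as a client sends it to open a session.
SAMPLE_REGISTER_SESSION = (
    ENIP_HEADER.pack(0x0065, 4, 0, 0, b"\x00" * 8, 0) + struct.pack("<HH", 1, 0)
)

if __name__ == "__main__":
    print(parse_enip_header(SAMPLE_REGISTER_SESSION))
    for finding in find_exposed_enip_flows(SAMPLE_FLOWS, ["10.10.0.0/16"]):
        print(finding)
```

In practice the flow check belongs in the firewall or NetFlow pipeline in front of the OT segment, and the header decoder in a network sensor that can label which sessions progress past RegisterSession to SendRRData, since that is where CIP service requests such as a CPU stop would travel; a controller that should never see a session from outside its engineering subnet should not be reachable on 44818 from there at all.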

Figure 10: Attack carried out by the group

GhostSec GitHub and Conti Affiliate Leak

The group members maintain several GitHub accounts, which host the tools the members use. The main account used by the group, ghostsec420, holds seven repositories, some of which contain campaign output such as the NigeriaLeaks, vulnerability scanners and exploits. The most interesting is the Sophisticated Cyber Penetration Attacks (SCPA) repository, which contains advanced attack tools and guides from various sources, one of them last September’s plug-and-play Conti affiliate playbook leak, and these might still be in use against future victims.

Figure 11: SCPA repository

One of the directories also obtained from the Conti repository leak is the CVE directory, which contains exploits and user instructions from Conti’s playbook. Among the exploits are ZeroLogon and DirtyPipe. The full list contains versions that differ from, and are newer than, those leaked from Conti:

  • CVE-2019-9053.py
  • CVE-2020-1472 Cobalt.txt
  • CVE-2021-41773 Apache 2.4.49
  • Dirty Pipe CVE-2022-0847
  • OpenDreamBox 2.0.0 – Plugin WebAdmin RCE
  • Metabase_CVE-2021-41277

Figure 12: CVE-2020-1472 exploitation instructions

GhostSec Pastebin Activity

Figure 13: Reconnaissance output on an Israeli target

In addition to the GitHub accounts, the group also has a Pastebin user called xGhostSecx, which has been active for a couple of years. The account includes logs from an online reconnaissance tool run against Israeli targets, which in 2021 produced a list of domains and IPs of governmental entities.

Recently, Cyberint detected a paste on a paste site named pst.klgrth.io, published by the group on July 8 with the topic ‘Op Israehell’. The paste includes partial reconnaissance output on what GhostSec claims to be “state-owned companies”, such as Rafael, Bank Hapoalim, Israel Post, IEC, etc.

The paste includes a target list of several companies’ subdomains and their corresponding IP addresses, which can later be used to execute malicious activity against these companies. Additionally, it is possible that the information gathered may be exploited by other threat actors seeking to attack Israeli companies.

Figure 14: GhostSec target list as posted on pst.klgrth.io

Conclusion

The GhostSec group is not the usual DDoS/defacement hacktivist group we are familiar with from the #OpIsrael operations. The group’s core members have participated in multiple campaigns over a long period. The group maintains an arsenal and a set of techniques for inflicting damage across numerous attack vectors, from website hacking to IoT and ICS/SCADA PLCs.

[1] https://ghostsec420.medium.com/introduction-to-ghostsec-d3b955a8d85a
