In June 2022, Cyberint observed a new hacktivist campaign targeting multiple Israeli organizations and enterprises coordinated via different social media platforms. The campaign is led by hacktivists originating in a group called GhostSec.
GhostSec was first identified in 2015 and was initially founded to attack ISIS in the cyber realm as part of the fight against Islamic extremism. In past years, the group participated in several campaigns against several countries including Nigeria, Colombia, Lebanon and South Africa. From the start of the Russian-Ukrainian war, the group sided with Ukraine and published mainly Russia-related leaks, DDoS results, and content under the campaign #OpRussia.
At the end of June 2022, the group declared it was joining the #OpIsrael campaign. Immediately after their announcement, the group pivoted from their regular operations and started to target multiple Israeli companies, presumably gaining access to various IoT interfaces and ICS/SCADA systems, which led to possible disruptions.
The group is well aware of the public relations and news activities related to their operations, responding on social media platforms about what they are up to. Group members are mainly active on Telegram and Twitter, the platforms primarily used to share their target lists and attack results.
GhostSec, a vigilante group managed and operated by hacktivists, was originally founded prior to 2014 and was initially called ‘We Are The Resistance’.
Acting as ‘We Are The Resistance’, the group did not take part in high-profile attacks and campaigns; instead, it mainly trained enthusiastic beginner-level cyber candidates (a.k.a. script kiddies), including by publishing various cyber quizzes.
In 2015, the group’s activity increased and it rebranded itself as GhostSec, joining the fight against ISIS and Islamic extremism. Throughout 2015, the group was associated with taking down hundreds of ISIS websites and social media accounts while gaining the cooperation of law enforcement. By the end of 2015, GhostSec decided to transform its fight against ISIS into an official effort, stopped cooperating with the Anonymous hacktivist collective, and renamed itself Ghost Security Group.
The members who opposed this process continued operating under the name GhostSec and currently seem to target Israeli and American companies.
Social Media Presence
The GhostSec hacktivist group is active on multiple social media platforms:
- Twitter: https://twitter.com/ghost_s3curity
- YouTube: https://www.youtube.com/hashtag/ghostsec
- Telegram: https://t.me/GhostSecc
The group maintains a Telegram channel with currently more than 8K followers. The channel is mainly used for publications and announcements rather than as a tool for sharing files or instructions. Their Telegram group has been active since November 2020 and was involved in several campaigns including #OpNigeria, #OpColombia and #OpRussia.
Additionally, Cyberint was able to trace several social media accounts of GhostSec members:
| Nickname | Account Type | Created Date | Following | Followers | Associated accounts |
|---|---|---|---|---|---|
| Sebastian Delax – Co-founder | Twitter | November 2015 | 226 | 2,346 | https://twitter.com/SebastianDant19 |
| Ghost3301 – Co-founder (possibly Nicola Ivikov) | Twitter | October 2021 | 8 | 2,865 | https://twitter.com/_gHOST3301_ |
Attacks Timeline, Tools and Procedures
Main GhostSec Cyber Attacks Against Israeli Targets
Going back to 2018, Cyberint detected that the group was targeting the Israeli Air Force website. GhostSec took responsibility for the website’s takedown on their Twitter account.
An additional attack on an Israeli target was published in 2021, when the group attacked H.R.V.A.C., an Israeli engineering company involved in the Ben Gurion Airport Energy Center project. According to GhostSec, the website was taken down and its data was dumped. Later in 2021, the group shared a small 10 MB file presumably containing internal data from the H.R.V.A.C. website.
The subsequent activity against Israeli targets began on June 28, 2022, followed by an announcement that the group had officially joined the ‘OpIsrael’ campaign due to continuous Israeli attacks against Palestinians.
Less than an hour later, an IoT attack began. The group uploaded a video to their Telegram channel that showed that an air conditioning interface belonging to bezeqint.net, a major ISP in Israel, was hacked.
On June 29, the group shared additional video evidence of the group accessing the exposed interface of an ELNet energy and electrical power meter at MATAM (acronym for the Scientific Industries Center). According to the group, they gained access to five similar IoT devices in different locations and modified the settings to switch the lights off in all five of them.
Another IoT device was added to the victims list: the group accessed the Partner.co.il interface of an IoT-based smart sprinkler system. However, there was no evidence of any disruption to the system’s operation.
On July 6, the group shared screenshots of EEM devices that measure electrical parameters at low voltage. In addition, the group shared the IoT interface of Or Akiva’s pump station, whose operation the group claims to have disrupted.
After deploying IoT attacks on multiple Israeli organizations, the group shifted into the SCADA/ICS domain, attacking Israeli PLCs (Programmable Logic Controllers) using the Metasploit framework module “auxiliary/admin/scada/multi_cip_command”. The vulnerability it exploits was first disclosed in 2012, and the module was still being updated as of 2020. The module implements the CPU STOP command, as well as the ability to crash the Ethernet card of an affected device.
To date, around 5,000 PLCs worldwide are exposed via port 44818 and might be affected by this kind of attack.
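As an added defender-side example (not Cyberint’s or the group’s code), the following Python scans firewall log lines for TCP/44818 flows (EtherNet/IP explicit messaging, the port the report says exposes around 5,000 PLCs) whose source is not an approved engineering host, so that a PLC reachable from the internet or from a non-OT segment is surfaced before a CIP command such as CPU STOP can be sent to it. The log format, the sample lines and the address ranges are constructed assumptions; adapt the regex and the networks to your own perimeter.

```python
import ipaddress
import re
ENIP_PORT = 44818  # EtherNet/IP explicit messaging port named in the report
# Assumption: only engineering hosts in this range may open CIP sessions to PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed firewall log format: "<ts> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify_source(ip):
    """'allowed' for engineering hosts, 'non-OT' for other internal hosts, else 'internet'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ALLOWED_SOURCES):
        return "allowed"
    return "non-OT" if any(addr in net for net in RFC1918) else "internet"

def find_enip_exposure(lines):
    """Return (ts, src, dst, reason) for every TCP/44818 flow not from an approved host."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != ENIP_PORT:
            continue
        origin = classify_source(rec["src"])
        if origin == "allowed":
            continue  # expected engineering-workstation traffic
        verb = "accepted CIP session" if rec["action"] == "ACCEPT" else "blocked CIP probe"
        alerts.append((rec["ts"], rec["src"], rec["dst"], f"{verb} from {origin} host"))
    return alerts

# Constructed sample log: expected session, internet-sourced session, lateral session, probe.
SAMPLE_LOG = [
    "2022-07-10T08:00:01Z ACCEPT TCP 10.20.1.15:50212 -> 10.30.0.7:44818",
    "2022-07-10T08:00:05Z ACCEPT TCP 203.0.113.5:51234 -> 10.30.0.7:44818",
    "2022-07-10T08:00:09Z ACCEPT TCP 192.168.5.7:40022 -> 10.30.0.8:44818",
    "2022-07-10T08:00:12Z DROP TCP 198.51.100.9:60001 -> 10.30.0.9:44818",
    "garbage line that should be ignored",
]
```

Even a blocked probe is worth an alert here, because it shows the PLC port is being enumerated from the perimeter and the device should not be reachable there at all.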
GhostSec GitHub and Conti Affiliate Leak
The group members maintain several GitHub accounts containing the tools they use. The main account used by the group, ghostsec420, hosts seven repositories, some of which include campaign output such as the NigeriaLeaks, vulnerability scanners and exploits. The most interesting is the Sophisticated Cyber Penetration Attacks (SCPA) repository, which contains advanced attack tools and guides from various sources, one of them being the plug-and-play Conti affiliate playbooks leaked last September, which might still be in use to target future victims.
One of the directories also obtained from the Conti repository leak is the CVE directory, which contains exploits and user instructions from Conti’s playbook. Among the exploits are ZeroLogon and DirtyPipe. The full list contains versions that differ from, and are newer than, those leaked from Conti:
- CVE-2020-1472 Cobalt.txt
- CVE-2021-41773 Apache 2.4.49
- Dirty Pipe CVE-2022-0847
- OpenDreamBox 2.0.0 – Plugin WebAdmin RCE
GhostSec Pastebin Activity
In addition to the GitHub accounts, the group also has a Pastebin user called xGhostSecx, which has been active for a couple of years. The account includes output from an online reconnaissance tool run against Israeli targets, which resulted in a list of domains and IPs of governmental entities in 2021.
Recently, Cyberint detected a paste on a paste site named pst.klgrth.io, published by the group on July 8 with the topic ‘Op Israehell’. The paste includes partial reconnaissance output of what GhostSec claims to be “state-owned companies”, such as Rafael, Bank Hapoalim, Israel Post, IEC, etc.
The paste includes a target list of several companies’ subdomains and their corresponding IP addresses, which can later be used to execute malicious activity against these companies. Additionally, it is possible that the information gathered may be exploited by other threat actors seeking to attack Israeli companies.
The GhostSec group is not the usual DDoS/defacement hacktivist group we are familiar with from the #OpIsrael operations. The group’s core members have participated in multiple campaigns over a long period. The group maintains an arsenal and a set of techniques for causing damage across numerous attack vectors, from website hacking to IoT and ICS/SCADA PLCs.