Early morning on January 11, 2023, the group “GhostSec” made some pretty wild claims on their Telegram channel regarding an ICS hack where they were the first to encrypt an RTU (remote terminal unit):
“Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some IoT, but we would like to announce the first RTU attacked!”
“YES! We just encrypted the first RTU in history!”
(For more on GhostSec, check out https://en.wikipedia.org/wiki/Ghost_Security)
Let’s break down the evidence provided along with the claim, some basic OSINT (open source intelligence) gathering, and insights as to whether this claim is all it’s cracked up to be.
The Spectre of Big Claims Online
No doubt, industrial control systems are under attack. We hear it in the form of government advisories and see numerous presentations by experts on the subject. Nevertheless, we as a community cannot take every claim at face value.
Here we have an opportunity to dig into the evidence provided directly from the source: claims and screenshots directly from the attacker.
A series of screenshots and statements are still available on the GhostSec Telegram channel.
You can see them for yourself at https://t.me/GhostSecc/410
- Claim 1: GhostSec “raises the bar” by being the first to encrypt data on an RTU
- Claim 2: The age of ransomware coded to attack ICS devices “just became a thing”
Attached to the message were two screenshots of a command line interface. That’s where things get interesting.
Let’s delve into what victimology insights can be gained about the attack.
Spirit of an RTU
First, let’s start with what an RTU is in the industry, and the specifics around the RTU shown in the screenshots. For background details on what an RTU really is, please see this post from RealPars: https://realpars.com/rtu/
The screenshots provided by GhostSec are intended to be the before and after proof of claim #1.
A few important data points:
- Banner notes the vendor of the device as TELEOFIS
- Build notes for RTU968V2 v.2.6.95
- OpenWrt Chaos Calmer is interesting
- Most industrial RTUs do not run Linux, but real-time operating systems custom-built for industrial control
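As an added illustration (this is my own code, not anything from the original post or from GhostSec), here is how a defender might triage a captured device banner like the one in the screenshots: pull out vendor, model, firmware and OS release, then note whether the device runs a general-purpose Linux distribution or a purpose-built RTOS. The banner text below is constructed from the data points above rather than copied from the screenshot; the second banner (vendor EXAMPLECORP, model RTU-100) is a placeholder used only to show the RTOS branch, and the regular expressions and OS marker table are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample banner, modeled on the data points visible in the GhostSec
# screenshots (vendor, model/build string, OpenWrt release). Not a verbatim copy.
SAMPLE_OPENWRT_BANNER = """\
OpenWrt Chaos Calmer
TELEOFIS RTU968V2 v.2.6.95
root@RTU968V2:~#
"""

# Second constructed banner for a hypothetical RTOS-based RTU (placeholder vendor
# and model), included only to show how the classification differs.
SAMPLE_RTOS_BANNER = """\
EXAMPLECORP RTU-100 v.1.0
VxWorks
->
"""

# Substrings that identify the OS family. "Linux" here means a general-purpose
# distribution; "RTOS" means a real-time OS of the kind purpose-built RTUs run.
OS_MARKERS = {
    "OpenWrt": "Linux",
    "Linux": "Linux",
    "BusyBox": "Linux",
    "VxWorks": "RTOS",
    "QNX": "RTOS",
    "FreeRTOS": "RTOS",
}

# Vendor (upper-case token), model (RTU...), firmware version written "v.2.6.95" or "v2.6.95".
PRODUCT_RE = re.compile(r"\b([A-Z][A-Z0-9]{2,})\s+(RTU[\w-]*)\s+v\.?(\d+(?:\.\d+)+)")
# OpenWrt release: a two-word code name (e.g. Chaos Calmer) or a numeric version.
OPENWRT_RELEASE_RE = re.compile(r"OpenWrt\s+([A-Z][a-z]+ [A-Z][a-z]+|\d+(?:\.\d+)+)")


@dataclass
class BannerTriage:
    vendor: Optional[str]
    model: Optional[str]
    firmware: Optional[str]
    os_family: Optional[str]
    os_release: Optional[str]
    assessment: str


def triage_banner(text: str) -> BannerTriage:
    """Extract identity fields from a login banner and assess whether the device is an
    RTOS-based controller or a Linux-based gateway that is merely labelled an RTU."""
    vendor = model = firmware = None
    m = PRODUCT_RE.search(text)
    if m:
        vendor, model, firmware = m.groups()

    # First matching marker wins; OpenWrt is checked before the generic "Linux" token.
    os_family = None
    for marker, family in OS_MARKERS.items():
        if marker in text:
            os_family = family
            break

    os_release = None
    r = OPENWRT_RELEASE_RE.search(text)
    if r:
        os_release = r.group(1)

    labelled_rtu = bool(model and model.upper().startswith("RTU"))
    if os_family == "Linux" and labelled_rtu:
        assessment = ("labelled RTU, but runs a general-purpose Linux distribution; "
                      "treat as a communications gateway/router, not a control-specific target")
    elif os_family == "RTOS":
        assessment = "runs a real-time OS; consistent with a purpose-built industrial RTU"
    elif os_family == "Linux":
        assessment = "general-purpose Linux device"
    else:
        assessment = "OS not identified from banner; gather more evidence"
    return BannerTriage(vendor, model, firmware, os_family, os_release, assessment)


if __name__ == "__main__":
    for banner in (SAMPLE_OPENWRT_BANNER, SAMPLE_RTOS_BANNER):
        print(triage_banner(banner))
```

Run against the first banner, the triage returns vendor TELEOFIS, model RTU968V2, firmware 2.6.95 and OS release Chaos Calmer, and classifies the box as a Linux gateway labelled as an RTU; the placeholder VxWorks banner takes the RTOS branch instead. In practice the marker table would be extended with whatever OS strings your own asset inventory records, and the result fed into the inventory rather than printed.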
So what is a TELEOFIS RTU968V2? I’m glad you asked.
Here is the specific product information for the target device:
As we can see from the product page, this is a 3G router that can connect to serial devices and supports network functions such as a firewall and OpenVPN, among others.
Confidence that this is the correct device increases when looking at the footnote on this page indicating the use of OpenWRT (https://openwrt.org/). This matches the information contained within the GhostSec images.
Further searching shows that TELEOFIS publishes bootloader, firmware, and SDK files for this specific device on GitHub:
So the big question… is this really an RTU? Is their claim to have “encrypted the first RTU in history” valid?
While the claim is technically correct in that TELEOFIS (the device vendor) labels this device as an RTU, digging deeper into the product lines shows that these are communications gateways and routers that can be applied to any environment, including industrial control.
Given that these devices run generic Linux kernels and happen to provide connectivity to serial devices (which, of course, could be industrial), nothing in the evidence supplied by GhostSec shows that an industrial environment was specifically attacked or that this attack represents a paradigm shift in industrial hacking.
Let’s expand that out a bit:
- Just because something is labeled an RTU doesn’t mean encrypting its files is groundbreaking or innovative
- Hacking and encrypting Linux devices is not new https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
- Exploits and hacks against this class of device (communication gateway providing remote connectivity to serial devices) are also not new https://www.rapid7.com/blog/post/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers/
Skepticism and Research: Investigate Claims of an ICS Hack
Whether technically true or not, groups like GhostSec, the Cl0p gang, and others continue to research and discover OT attacks and ICS hacks (see my breakdown of the ICS hack claim regarding South Staffs Water at https://synsaber.com/south-staffs-water-hack-part-1/).
The paradigm shift isn’t that someone can attack a Linux/OpenWRT device. Rather, it’s the pivot by threat groups toward taking traditional enterprise attacks and applying them to industrial environments. It was also trivial to find these exact devices online via tools like shodan.io.
This example by GhostSec shows new threat groups’ lack of understanding about ICS. It also gives the community a glimpse at the group’s intent, something exceedingly difficult to measure otherwise. After looking at the evidence presented, it may be easy to dismiss the bold claims by GhostSec.
But the fact remains that ICS will be targeted, and threat actors see the value in attacking (or claiming to attack) ICS. As a community, we must all be well-informed, skeptical, and empowered to understand these claims, defend our ICS, and fight for the operator!