Hacktivist group GhostSec claims first-ever Ransomware Attack against an RTU

On January 11, 2023, GhostSec, an affiliate of Anonymous, claimed that it had executed the first-ever ransomware attack on a Remote Terminal Unit (RTU), a small device commonly used in Industrial Control Systems (ICS). The group stated that the attack was carried out as part of its "OpRussia" operation and was executed with GhostSec ransomware. The group has also been previously associated with compromises of programmable logic controllers (PLC) and other OT devices. Team82, a research arm of cybersecurity company Claroty, analyzed the group's claim and discovered that the attack targeted a TELEOFIS RTU968 V2 device in Belarus and encrypted the files by changing its suffix.

The increasing threat of attacks against industrial operations and environments is a significant concern for organizations. These attacks can target critical infrastructure such as power plants, transit operators, and oil refineries, leading to potentially devastating consequences such as physical damage, financial losses, and harm to human life. In addition, the growing use of interconnected technology and exposure of control systems to the IT infrastructure has made these assets more vulnerable to cyber-attacks, making it essential for organizations to have robust security measures in place to protect against such threats. With the potential impact of these attacks becoming more severe, it is vital for organizations to be proactive in their approach to security and to prioritize their efforts to ensure the safety and protection of their operations and control networks.

The TELEOFIS RTU968 V2 is a considerably modern device compared to the RTUs typically seen in power plants and is more similar to an IoT device, having a built-in 3G router with both wired and wireless connections. The RTU968 V2 is considered an RTU because it supports industrial interfaces like RS-232 and RS-485 and can convert industrial protocols like Modbus RTU/ASCII to Modbus TCP.

The RTU968 V2 has an ARM9 general-purpose microprocessor and runs OpenWrt 21.02.2 operating system, a Linux distribution. Through further investigation, the Team82 researchers determined that the device comes with an SSH service enabled by default on port 22 and allows using a root password as an authentication method. The default root password on the device is very weak and can be broken with hashcat password recovery tools in two seconds.

By scanning the public internet, Team 82 discovered 194 internet-exposed devices, of which 117 have SSH service enabled. Attacks against devices running Linux distributions and similar IoT devices or devices with similar connectivity exposed to the internet are not new.

Organizations that operate ICS environments and networks should ensure that:

• Field devices like RTUs and PLCs are hardened by disabling protocols and services that are not required;
• Default accounts are disabled where possible;
• Complex passwords are configured where supported;
• Security patches are regularly implemented;
• The communication between the RTUs, PLCs, and SCADA systems are encrypted, and;
• The SCADA networks are segregated and completely isolated from the public internet and IT networks.

The growing threat of attacks against industrial operations and environments is a serious concern. Companies must assess their threat landscape and implement comprehensive cyber security measures to protect their systems, data, and assets. If required, work with a trusted third-party security provider. With the increasing sophistication of cyber criminals, organizations must stay proactive in their security efforts to stay ahead of potential threats.

Ribeiro, A. (2023, January 13). Hacker group discloses ability to encrypt an RTU device using ransomware, industry reacts. Industrial Cyber. Retrieved January 19, 2023, from https://industrialcyber.co/industrial-cyber-attacks/hacker-group-discloses-ability-to-encrypt-an-rtu-device-using-ransomware-industry-reacts/