SecurityWeek reports that pro-Ukraine hacktivist group GhostSec is having its claims of launching the first-ever ransomware attack against an industrial control system device questioned by cybersecurity experts.
GhostSec alleged that it was able to compromise a remote terminal unit in Belarus, a major ally of Russia, and while files were encrypted as a result of the intrusion, no ransom has been demanded. However, SynSaber noted that attacks against the targeted device, a Teleofis RTU968, which runs on the popular Linux OS OpenWrt, have been done before.
"Given that these devices are running generic Linux kernels that happen to be providing connectivity to serial devices (which, of course, could be industrial), there's nothing in the evidence supplied by GhostSec that industrial was specifically attacked or that this attack represents a new paradigm shift in industrial hacking," said SynSaber Chief Technology Officer Ron Fabela.
Moreover, developing common RTU-targeted attacks would require more operational technology knowledge and resources on the part of GhostSec, noted Otorio.
Researcher Joe Slowik also found that GhostSec did not encrypt all files on the device during the attack; files that were in use remained unencrypted.
"The requirements and implications of true industrial ransomware at the RTU or PLC level make this a very unlikely domain for criminals to operate in," said Slowik.
Organizations in the government, real estate, telecommunications, retail, and other sectors across the U.S., Africa, and the Middle East have been subjected to intrusions under the new CL-STA-0002 threat cluster.