GhostSec hackers target satellites to “change the world”

The GhostSec hacktivist collective takes aim at big targets like satellites, train infrastructure, and industrial control systems. Hackers say they don’t fear repercussions because fighting for freedom is simply worth it.

Since the start of the cyber age, hackers have always explored new ways to uncover and exploit new attack vectors. After all, tinkering with technology is the driving force behind a hacker’s existence and way of life.

Regardless of the motive, whether it be ideology, political views, or any other factor, the root of it all stems from the fact that technology is often like a house of cards. With the right push, every obstacle will be thrown down, be it for good or ill.

However, there has been a paradigm shift in enterprise attacks targeting industrial environments. This means hackers and trends in the cyberattack landscape are evolving exponentially. The targets are getting bigger because threat actors are dreaming bigger.


Last spring, the self-described cyber vigilante group known as GhostSec made headlines after penetrating Israeli industrial infrastructure and sabotaging 11 Global Navigation Satellite System (GNSS) devices. This enabled the hacktivists to wipe the data collected by each device they accessed and to disable the recording of future data from the satellites. According to the group, some of the devices held over 30GB of data.

“I cannot go over all the details, obviously,” said Sebastian Dante Alexander, the leader of GhostSec, in an interview with CyberNews. “But first, we gathered the targets yes, and then some of the targets were using an easy login while others we had to find other ways to get access.”

This means that, after enumerating a list of viable targets, some were susceptible to more traditional means of intrusion, whereas others were researched in depth.

In response to whether their attacks caused any setbacks to Israel, he explained that, besides the data falling into their hands, which was an obvious concern for the authorized controllers of the GNSS devices, “we also deleted all the data after exfiltration to the point of no return. This resulted in them losing almost all, if not all, the data on the satellites and having to rely on only the new data being sent to the receivers.”

Moreover, the group also claimed responsibility for breaking into 15 Aegis-2 controllers that run the water pumps of Israeli hotel swimming pools. These controllers are used to regulate the chlorine and pH levels in the water.

"Hope you all can understand our decision on not attacking their pH levels and risking a chance to harm the innocents of #Israel," the hacktivists declared in a Tweet. "Our 'war' has always been FOR the people not against them. #FreePalestine."

The attacks were launched as a cyber protest against the April 2023 violent clashes between Israeli police and Palestinians at the Al-Aqsa mosque on the Temple Mount during the holy month of Ramadan.

Therefore, the hacktivist group took matters into its own hands in a high-level cyberattack, which is unusual among the general caste of actors within the Anonymous collective. Whereas denial of service and website defacements are commonplace, this hacker group has been known to raise the bar.

While the exploits behind this ambitious hacktivist group make waves with every attack, all politically motivated groups stand upon an idea, and it’s the idea that serves as the foundation by which all decisions are made and defended.

“We, as hackers, know what we are capable of,” said Dante Alexander when asked about the group’s ideology behind their actions. “And yes, we do many things, not just hacktivism. But our main thing is hacktivism, and why do we do it? Well, we do it because we can. We notice the injustices and everything going around the world and we know we have the skill sets to change it. So we will do what we can to change the world for the better!”

An evolving landscape of hacktivism

GhostSec has left a pattern of sophisticated cyberattacks against critical industrial infrastructure across the globe. Last year, the group claimed responsibility for causing a massive explosion at the Gysinoozerskaya hydro-electric power plant in Russia after seizing control of the plant’s ICS (Industrial Control Systems). It was a powerful show of force, carried out in an effort to restrain Russian military advancement against Ukraine.

The group seized control of the power plant’s ICS and bombarded the network with a DDoS (Distributed Denial of Service) attack. This type of attack overloads a target server with a flood of requests, which consumes network resources and forces it to crash.

The attack was meticulously calculated. The group strongly emphasized on social media that the attack on the power plant’s ICS controls was chosen with careful precision and timing to preserve human life by eliminating the possibility of causing collateral damage.

In the instances where the group commandeered access to both the Russian and Israeli industrial controls, the attacks share a common theme, which arguably paints a broader picture of the character and motive of this group: the preservation of human life.

This is the same group whose rise to prominence came through supplying actionable counter-terrorism intelligence to US law enforcement, which averted ISIS terror plots in Tunisia and New York. In both instances, as well as in the Russian power station sabotage and the Israeli hotel water pump takeovers, the group has demonstrated that saving human life is ultimately a key component of their hacktivities.

However, safeguarding human life arguably might not be the agenda of other hacktivists, especially in the mainstream hacktivist subculture, who are often moved by a judicial militia kind of fervor that promotes warmongering behavior and mob mentality.

It raises the question of whether there are actors in hackerspaces who promote and believe that “the end justifies the means.” This reminds me of a quote attributed to Winston Churchill: “We sleep safely at night because rough men stand ready to visit violence on those who would harm us.”

But I digress.

To name yet another milestone in this ambitious group’s trail of hacktivities, their attacks encompass a wide range of systems, including SCADA (Supervisory Control and Data Acquisition) systems, ICS (Industrial Control Systems), and more.

One of their notable industrial sabotages in their support for Ukraine and subsequent resistance against Russia’s military advancement includes immobilizing every train in Russia’s Metrospetstekhnika’s IT system. “We prevented supplies reaching the forces stationed in Ukraine and also prevented supplies coming from Belarus to Russia,” Dante Alexander explained.

Experts rethink satellite security

A month prior to the cyberattack, the group tweeted about their successful campaign against a Russian GNSS satellite receiver as an act of protest against Russian President Vladimir Putin and the country’s invasion of Ukraine. According to Sebastian Dante Alexander, this satellite receiver was used as a military asset.

Researchers from Cyble Research Intelligence Labs (CRIL) discovered the group’s involvement in hacking SATCOM devices, as well as activities carried out by other groups which have increased security risks and attacks against the digital landscape of the space sector.

Earlier this year, the group claimed responsibility for executing the so-called ‘first-ever’ ransomware attack on an industrial RTU router. This type of router is typically used in industrial control systems to enable remote communication. Encrypting the device’s files cut off access to the industrial controls behind it and prevented authorized users from reclaiming control over the affected devices.

GhostSec announced, “YES! We just encrypted the first RTU in history! A small device designed only for an ICS environment! We knew, you knew, that the time sooner or later would come. Well, it has come!”

The claim was verified by Team82 researchers from the industrial cybersecurity company Claroty. They were able to confirm that the data published on GhostSec’s public Telegram group demonstrates the group’s ability to encrypt an industrial RTU router with SCADA functions that also supports the industrial serial interfaces RS-232 and RS-485, including variants of the Modbus protocol.

These relentless high-level cyberattacks, hitting every possible vector within the industry, have worried researchers, and rightfully so. Researchers with CRIL assert that it is imperative for public and private entities to work together to formulate solutions for safeguarding the space industry against these threats.

Researchers are now contemplating the ramifications that may ensue if hacktivists, cyber criminals, or state-sponsored actors gain access to industrial control infrastructure that serves as space assets for national security and public safety.

“If an attacker corrupts satellite modems, it can have severe consequences,” the CRIL team said. “The transmitted data’s confidentiality, integrity, and availability can be compromised, leading to security breaches, espionage, or sabotage.”

Essential sectors like government, the armed forces, telecommunications, power, utilities, and transportation depend heavily on satellite modems, which play an essential role in relaying telemetry information and managing spacecraft activities within the aerospace sector. They also serve as critical assets in remote sensing and earth monitoring applications. Therefore, they must be protected.

Amidst the ongoing, unresolved Russia-Ukraine war and the relentless surge of global conflicts, the fate of the masses hangs in the balance, dictated by the executive choices of a privileged few who wield absolute power.

Historically, this is why hacktivists emerged in the first place.

While hacktivists will continue to proliferate as geopolitical turmoil rises, there are no words that will definitively divert the growth of the inevitable. Notwithstanding, Sebastian Dante Alexander offered the following encouragement, addressed to all people aspiring to stand up for what they believe in:

“These words will be for anyone, not just hacktivists and hackers. Starting with the cliche to never give up and keep chasing your goals – but it is true, NEVER EVER STAND DOWN.”

He continued, saying: “Second up, fight for what you believe in, no matter what is. If you believe in it, you fight for it, and of course, that includes your rights and [for] the people around you. Everyone can make a difference and a change in this world. And most importantly, live freely. Find your freedom, your way, and enjoy this life that has been given to us. Do not regret anything. Do whatever you want with no regrets in this life, live free like a bird.”

Furthermore, he explained that it is imperative to disengage from groups or people that are chasing fame and recognition. In this way, hacktivists and those aspiring to learn about hacktivism will have a greater chance to achieve whatever they set their minds to.

“To have a united front … without having petty arguments and drama over fame, they will achieve whatever it is they want to achieve.”


prefix 1 year ago
These are no heroes. They're hacking businesses for profit now - breaching their databases and selling the contents for thousands of dollars. Sebastian isn't a hacktivist, he's a straight up criminal.