GhostSec Ransomware Group Claims to Launch ‘First RTU Attack’

Taking ransomware attacks a notch higher, GhostSec ransomware group has claimed to encrypted an RTU. If the claim is true, this would be the first such instance reported. RTUs or remote terminal units are perimeter supervisory control and data acquisition (SCADA) devices that measure and control actual physical devices.

“There is no notification letter, no payments. Belarus, you have just lost some RTUs,” the threat group posted on its leak site.

Ghost Security, also referred to as GhostSec, is a group that positions itself as a “vigilante” organization established to target websites associated with ISIS and the promotion of Islamic extremism. First discovered in October 2021, this pro-Ukraine threat group is considered a spin-off of the Anonymous hacking group.  

GhostSec ransomware group is known to target mainly businesses and organizations. It is spread through phishing emails, exploit kits, and other methods. The attackers behind GhostSec typically demand payment in Bitcoin or other cryptocurrencies. 

GhostSec and the first RTU attack 

#GhostSec claims to have conducted the first ever #ransomwwre attack against an RTU – remote terminal unit used in ICS environments.@uuallan @RobertMLee#cybersecurity #infosecurity #infosec #cyber pic.twitter.com/ks3MNyeVEJ

— CyberKnow (@Cyberknow20) January 11, 2023

According to sources, the perpetrators behind the RTU attack claimed these are rare and that they are the only ransomware gang that was able to pull off such an attack. However, there is no confirmations whether the claim made by the GhostSec ransomware group is true.

RTUs are  used to remotely control and monitor industrial systems, such as those used in power plants, oil and gas facilities, and water treatment plants. 

In an RTU attack, a hacker may gain unauthorized access to an RTU and use it to disrupt the operation of the industrial system it controls, potentially causing significant damage or even physical harm. These attacks on RTUs are often targeted and take advantage of vulnerabilities in the devices or communication protocols they use. 

Everybody knows GhostSec has been “raising the bar” since we started attacking ICS, now it’s time to push the hacking history even further beyond! It’s time to write our name in a new hacking game, it’s to start a new race. Everyone has obviously heard about a ransomware that attacked a Windows desktop, some server, some lot, but we would like to announce the first RTU attack”, read a post by the threat actor, shared by CyberKnow on Twitter. 

What is RTU? 

RTU stands for Remote Terminal Unit in the industrial automation and control system (IACS) field. It is a device that monitors and controls industrial equipment and processes remotely.  

The RTU is typically connected to sensors, actuators, and other devices and communicates with a central control system or “master” device, such as a Programmable Logic Controller (PLC) or a SCADA (Supervisory Control and Data Acquisition) system, to provide real-time data and control signals. 

RTUs are used in oil and gas, water and wastewater treatment, and power generation industries. They are designed to operate in harsh environments and can be located on-site or remotely, connected via wired or wireless communication.  

They can be programmed to perform specific tasks, such as monitoring and controlling field devices, collecting and analyzing data, or issuing alarms and alerts.