Romanian hacktivist GhostShell says computers on Indian infrastructure have security holes

Anand Murali March 21, 2018 6 min

India has at least a few dozen insecure, internet-connected SCADA systems, computers that typically manage and control subsystems in infrastructure installations like power stations and mobile phone towers, according to a hacktivist best known to be behind hacks into NASA, the US Federal Bureau of Investigation, and Chinese government networks.

The Romanian hacktivist, who goes by the name GhostShell, has shared a list of more than 46 vulnerable SCADA systems installed across India, along with their IP addresses and port numbers. (More on who GhostShell is later in the story.)

While it is not clear what exactly the open SCADA systems – short for supervisory control and data acquisition systems – control or lead to, such systems are usually used in energy, water, power, telecommunication, and transportation installations. They are also used in manufacturing and other industries. They are primarily used to communicate with programmable logic controllers (PLCs) or remote terminal units that monitor, manage and control equipment and machinery. For example, a PLC can be used to automate an electro-mechanical process such as switching a turbine on or off, regulating filtration in a water treatment plant, or controlling the flow of coolant water to machinery.

For perspective, the Stuxnet worm attack on Iran’s nuclear establishment in 2010 was a SCADA attack, as were the 2012 attacks on Indian installations including an ONGC rig. That said, there is no indication this time of the potential scale of the vulnerabilities.

“What I sent you for India were Modbus protocols, a protocol that deals exclusively with the logging of traffic from certain companies/power plants, etc. The list that I sent you is made up of servers that are not even password protected. What it means is that all you need is the IP address of your target and the default port number to log in to the server,” GhostShell told FactorDaily in a Twitter chat.

The worst-case scenario can be a shutdown, takeover or siphoning of data through a vulnerable port. Depending on the installation behind the port, this can lead to a mobile phone tower being shut down, the power to a whole city block being turned off, or even permanent damage to some infrastructure. On the other hand, an open port need not mean that the system can be hacked, in which case no damage results.

A simple IP address look-up on the internet showed that the systems on the list shared by GhostShell are spread across India in cities and towns including New Delhi, Thiruvananthapuram, Bengaluru, Chennai, Indore, Kota, Mohali, and Digboi, among others.

GhostShell said he has alerted different Computer Emergency Response Teams (CERT) across the world, including in India, to report vulnerabilities he has found.

“The SCADA industry is facing a crisis all over the world nowadays because these types of systems don’t have any type of security implanted into them, meaning that anyone with a client for the respective protocol can log in to the servers and either do espionage by logging the traffic or cause significant damage. For example the tools/clients can be found everywhere online,” said GhostShell, who feels that such vulnerabilities should be fixed or patched to prevent them from being hacked.

Be aware

A Bangalore-based computer security expert said it is not uncommon to find open or vulnerable SCADA systems, and sometimes even patching or fixing a lot of these vulnerabilities might not be possible. “A lot of these systems are running versions of operating systems that are not being supported by the OS developer itself and in the case of hard-coded logic, the hardware itself might need to be updated,” he said, asking not to be identified.

It should be unlawful for companies to sell systems that cannot be patched or fixed because SCADA vulnerabilities, in some cases, can have disastrous consequences, he said.

GhostShell said his list contains vulnerable ports that can be accessed without much difficulty. “I’m trying to raise awareness about the dangers of open SCADA protocols and how much damage someone can do to them,” said GhostShell, who sent the list of open servers to CERT India on Friday. He immediately received a response from CERT India asking for more details about the vulnerabilities. He said he sent them some details but is yet to hear from them.

A screenshot showing GhostShell being able to access data from one of the insecure SCADA ports (IP addresses have been masked)

CERTs are essentially formed by countries to look into computer security on systems within their borders. These groups usually comprise experts who analyse vulnerabilities and coordinate their patches, especially in the case of critical infrastructure that is important to the country. CERT India was formed in 2004.

FactorDaily mailed CERT India for its response on Wednesday morning. We will update the story when we hear from it.

The Indian government has also set up the National Critical Information Infrastructure Protection Centre (NCIIPC) and dedicated sectoral CERTs, such as CERT-Thermal-NTPC and CERT-Transmission-POWERGRID, that, among other functions, are responsible for looking into SCADA vulnerabilities.

CERTs “are usually responsive but their opinion is that they can’t do much about it since the problem lies with the owners of the servers. They (the system owners and vendors) are the ones that need to secure/patch their networks,” says GhostShell.

Remember Stuxnet?

According to a report by Trend Micro, an enterprise security company, lack of authentication and authorization, together with insecure defaults, was one of the main types of SCADA vulnerabilities it encountered in a study.

The study also found that vendors differ in how they issue patches once vulnerabilities are discovered. On average, it took over 200 days to produce a patch from the day the vulnerability was disclosed to the vendor, the report stated.

The 2010 cyber attack on Iran’s nuclear enrichment program by the Stuxnet worm is one of the most devastating SCADA attacks recorded and made public so far. The attack considerably slowed down Iran’s nuclear program.

The Stuxnet worm also affected Indian systems with over 10,000 infected Indian computers at the time, 15 of which were located at critical infrastructure installations including the Gujarat and Haryana electricity boards and an ONGC offshore oil rig, according to news reports in 2012.

Earlier last week, security researcher Moshe Zioni tweeted about how a simple search on Shodan, a search engine for finding devices connected to the Internet, exposed over 1,600 unsecured Schneider structure and energy automation systems.

Who is GhostShell?

GhostShell claims to be Gheorghe Razvan Eugen, the founder of Team GhostShell and the leader known as GhostShell.

Team GhostShell, a Romanian hacktivist outfit, has in the past hacked NASA, the Pentagon, the FBI, the Federal Reserve and other military entities. “I’m passionate about cybersecurity and enjoy finding critical vulnerabilities inside various systems,” said GhostShell.

In 2012, hacktivist group GhostShell hacked the FBI, the Federal Reserve, Interpol and NASA, among others, in what is considered one of the biggest such operations it had undertaken, leaking nearly 1.6 million accounts and records. Earlier the same year, the group had also breached the servers of 100 top universities, including Harvard, Johns Hopkins, Tokyo University, New York University and Princeton, releasing 120,000 student records.

Eugen says he currently works in the security industry and is actively reporting SCADA vulnerabilities to various CERTs.

To authenticate his identity, FactorDaily contacted GhostShell on another Twitter handle, DeadMellox, which Team GhostShell had used in previous interviews. Though not conclusive, this establishes that the person likely operating the GhostShell Twitter ID is indeed Eugen. Earlier, in an interview with TheNextWeb, Eugen had sent “photos, email accounts and even the private Twitter account he had been using to communicate for several years, @DeadMellox — another pseudonym that had been tied to GhostShell, but has since been abandoned”.

Updated at 11:40 am on March 22, 2018 to add details of locations of the servers from a simple IP look-up. Visual credits were also added.

Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.