RHC Dark Lab : 12 June 2025 08:33
Ghost Security, also known as GhostSec, is a hacktivist group that emerged in the context of the cyber war against Islamic extremism. The group's first actions date back to the aftermath of the attack on the Charlie Hebdo newsroom in January 2015. It is considered an offshoot of the Anonymous collective, from which it later partially broke away. GhostSec became known for its digital offensives against websites, social accounts and online infrastructure used by ISIS to spread propaganda and coordinate terrorist activities.
The group claimed to have shut down hundreds of ISIS-affiliated accounts and helped thwart potential terrorist attacks by actively collaborating with law enforcement and intelligence agencies. GhostSec also hacked an ISIS dark website, replacing the page with an advertisement for Prozac – an action as symbolic as it is provocative. The group promotes its activities through hashtags such as #GhostSec, #GhostSecurity and #OpISIS.
In 2015, after the Paris attacks, Anonymous launched its largest operation against terrorism and GhostSec played a key role in the cyber battle. Following increased cooperation with the authorities, part of the group decided to “legitimise” itself by forming the Ghost Security Group, breaking away from Anonymous. However, some members opposed to this change kept the original name “GhostSec” and continued their mission within the Anonymous network.
Over time, GhostSec’s activities expanded beyond the anti-ISIS front. With the outbreak of the conflict between Russia and Ukraine, the group took a clear pro-Kiev stance. In July 2022, GhostSec claimed an attack on the Gysinoozerskaya hydroelectric power plant in Russia, which resulted in a fire and the interruption of energy production. The group emphasised that the attack was planned so as to avoid civilian casualties, demonstrating very specific operational ethics.
Red Hot Cyber recently requested an interview with GhostSec. A decision in line with our philosophy: to really counter threats, you have to know the demons. It is only by listening to what they say – analyzing their methods, motivations, targets – that we can strengthen the cyber resilience of our critical infrastructure.
1 RHC – Hello, and thank you for giving us the opportunity to interview you. In many of our interviews with threat actors, we usually start by asking about the origin and meaning of their group’s name. Could you share with us the story behind yours?
GhostSec : We are GhostSec. Our name doesn’t have much behind it except that it came from a much edgier time on the internet, though we have been around since 2014, initially under a different name, and really got our rise in 2015 during our attacks against ISIS, causing them serious damage in a way no one else was able to do, including us being able to stop two attacks in that time.
2 RHC – We first came to know you back in 2015 during the #OpISIS operation, but since then your group has gone through various events and internal splits. Today, between hacktivism, profit-driven cybercriminals, and state-sponsored actors, does a form of genuine hacktivism still exist—one that is free from economic interests?
GhostSec : The cost and risk of hacktivism is no longer free like how it was back then; things have changed and money is needed to at least fund a hacktivist’s operations. There is a form of genuine hacktivism but it will always require some funding. Some of these hacktivists may get it from requesting donations, some may sell databases, and others may go for larger things. At one point even we had to commit cybercrime for a profit to keep funding our operations. So in between the whole mess the answer is yes, there is genuine hacktivism and proper hacktivists still around, including ourselves, though it is clear money makes the world move too, and power without money will not be as effective.
3 RHC – We were quite struck by the fact that an Italian company may have commissioned a group of hacktivists to carry out an attack against a government. Has it ever happened before that private companies approached you to target other organizations or state entities?
GhostSec : That was the first time but it wasn’t the last. Without saying too much, we as hacktivists can pick what we say yes to, and if it fits our motive and has a benefit + we get the added bonus of getting paid, it is always a good thing. To be clear though, it was a private company but we do know it is tied to the government.
4 RHC – How common is the practice of private companies commissioning cyberattacks from hacker groups?
GhostSec : Nowadays, with everything becoming more technological and the “old school” ways of dealing with things dying out, I assume it will become more common. It won’t just be from government entities; corrupt companies trying to get rid of their competition or similar concepts may occur.
5 RHC – In your opinion, where is the line between hacking as an act of political protest and hacking as a crime? How do you see your actions fitting into society?
GhostSec : Hacktivists can do much more than DDoS attacks and defaces to make a statement. The line really gets drawn when innocents start to get into the mix or get hurt due to the attacks being done; for example, if the hacktivist commits credit card fraud or similar things it is considered just plain cybercrime. Our actions and other hacktivist actions are needed in society, but speaking for ourselves our attacks are much larger than just DDoS attacks or defaces; our different breaches, SCADA/OT hacks, and more do leave an impact in the world and in the situations going on. We believe our expanding and us “taking” potential contracts that also align with our agenda and motives are not wrong and only leave an even greater impact on the world while we also earn some money.
6 RHC – Your group has been particularly active in targeting SCADA and ICS environments.
From a CTI perspective, what drives this strategic focus? Are these targets chosen for their symbolic value, operational impact, or something else?
GhostSec : They are chosen due to their impact and value. OT and SCADA systems, when attacked, have physical impacts, so besides our typical breaches and exposes revealing information, having a physical impact is also very damaging for the target.
7 RHC – We’ve observed increased interest in ICS systems from other threat groups like SECTOR16 and CYBER SHARK. Do you think ICS/OT infrastructures are properly secured today? From our assessment, many of these environments are deployed and maintained by integrators with little to no cybersecurity training — creating major attack surfaces. What’s your opinion?
GhostSec : They are not properly secured and you are right, many of them are deployed and maintained with very little security in mind; even after an attack, oftentimes they do not take security that seriously. There are some cases where OT devices can be properly secured and isolated, but the majority and most common case is that it is easy to find and even easier to access.
8 RHC – We’ve observed growing attention toward surveillance systems and video monitoring infrastructures. Can you elaborate on the rationale behind targeting CCTV or VMS technologies? Is it about visibility, control, or sending a message?
GhostSec : When it comes to a nation not at war I personally don’t see the interest behind this other than it being a bit creepy but if we say that we can access CCTV or video monitoring infra in Israel, or specific areas in Lebanon, Syria, Yemen and other nations at war we can have direct footage of potential evidence. That would be one real use case while another could be if an attacker is hacking a target and they would like to see the reaction or get footage of the attack being executed in real time lol having a video feed would be nice.
9 RHC – Does your group also consider video surveillance systems (such as CCTV and VMS platforms) as viable targets, or do you generally prefer to avoid them? Is there a specific operational or ethical rationale behind this choice?
GhostSec : As stated previously, we generally avoid them unless it’s needed or beneficial in the current operation we are working on. If the CCTV is some person’s house or shop and is accidentally left open then it is completely pointless for us to use it. There is no real use case behind it.
10 RHC – Coming to the matter discussed in the DarkCTI interview: Would you be open to sharing more details on what happened with the Italian company that allegedly commissioned attacks on North Macedonia and later on a Sardinian target?
Are there still negotiations ongoing, or has the company outright refused to pay for the delivered services?
Any additional context you can share would be highly valuable to understand the implications of such operations.
GhostSec : We will be sharing more details soon on our Telegram channel about what happened and this time actually discussing the names involved, and more. There are no negotiations; we tried to negotiate and speak but at one point they started ghosting, which is ironic, we know, and even after warnings they continued to ignore us, which led us to the publish that we made. This company hired us to change some things in MK initially, which was for the better for the country, then we did some defensive work and after a while MOD and MOI in MK needed us to start taking care of different issues. The Italian company then also had us take care of a company in Sardinia, which we assume were competitors, though we’d also like to say this company did deserve it too, as they were involved in various fucked up things of their own including operations in the Middle East, Europe and they have had activity directly in Italy.
11 RHC – At a certain point in GhostSec’s history, there was a notable split: some members transitioned into the Ghost Security Group, aligning with white hat operations and even cooperating with government agencies, while others remained true to the original path — continuing activities in the black hat space. Could you tell us more about that split? What were the key motivations behind it, and how did it impact the identity and strategy of the group as it exists today?
GhostSec : The split had no key motivations besides the US government trying to ruin us or turning us into assets to them. There’s not much to say beyond that about the motivations; those who joined had their reasonings, which is understandable, and those who stayed did not want to be on a leash like dogs. We seek our own freedom and joy in our art of hacking. Because of the split and sticking true to ourselves we were able to grow even further, no leash on us, having complete freedom over our decisions, and then went beyond just terrorist hunting.
12 RHC – What do you see in the future of the Ransomware-as-a-Service (RaaS) model?
Victim numbers are still rising — for example, in Italy alone there have been 71 confirmed ransomware victims since the beginning of 2025 — yet the number of paid ransoms appears to be quite low. In your opinion, how will threat actors adapt to this?
Do you foresee new monetization strategies or a shift in tactics to increase pressure on victims?
GhostSec : Eventually, if less and less people are paying, they will have to shift monetization strategy entirely. While some groups will stick to ransomware, as it’s been around for a long long time now, those that will stick to it may find new ways to increase pressure, while the majority will switch to other monetization strategies based on whatever is currently trending at the moment.
13 RHC – If you were to advise a company on where to start in order to become resilient against cyberattacks like yours, what would you recommend?
GhostSec : A budget in cybersecurity is a great start but it’s much more than just that: a budget in training your employees to at least understand and prevent themselves from falling for social engineering attacks. A budget set into pentests every quarter, for example, is great; that way every quarter you will have a checkup on your security as a whole. These are some requirements to making sure you are more resilient.
14 RHC – Many groups define themselves as hacktivists, but it’s often revealed that they operate on behalf of governments or with financial motives. In your view, what are the criteria that truly distinguish a hacktivist from a cybercriminal or a digital mercenary?
GhostSec : You can oftentimes tell a hacktivist is truly passionate about the work they are doing, the impact they are giving out. You can see it in the way they work, speak, publish, and present themselves. While cybercriminals or mercenaries will have the motive of money, you cannot see or feel that same passion from them; they may have love for the art of hacking but you will never feel true passion towards the change and effect that they have.
15 RHC – What is the main motivation that drives you to keep going? Is it the desire for impact, recognition, or ideology?
GhostSec : We believe in being the voice of the voiceless, the action for those who cannot act. And an inspiration for those who are too scared to act. We stand for something and represent it. We believe in making the world a better place overall and our actions, publications and the things that we stand for are for that specific belief.
16 RHC – How are new members selected within GhostSec? Are there ethical, technical, or geographical criteria involved?
GhostSec : There are of course ethical and technical criteria, though nothing geographically locked.
17 RHC – Over the years, the public image of groups like yours has been shaped by articles, OSINT analysis, CTI reports, and media narratives. In many cases, the line between technical reality and public perception becomes blurred, often resulting in partial or distorted portrayals. In your opinion, what role do the media and the cybersecurity community play in shaping your public image? Do you recognize yourselves in what is being said, or do you feel the external narrative has misrepresented or manipulated your identity?
GhostSec : They share their opinions and beliefs of what is going on or on the subject they are talking about, and of course they are allowed to be able to say what they feel and believe. Sometimes I feel it is correct and sometimes I feel we are being misrepresented, though at the end of the day that’s how the media is; it purely depends on the source and what they believe and say.
18 RHC – Thank you very much for the interview. We conduct these conversations to help our readers understand that cybersecurity is a highly technical field, and that to win the fight against cybercrime, we need to be stronger than you—who are often, as is well known, one step ahead of everyone else. Is there anything you would like to say to our readers or to potential victims of your operations?
GhostSec : To everyone reading this, thank you from me personally. To those who want to take their security seriously: start thinking like an attacker and actually put in the budget and take it seriously; don’t underestimate the attackers. To those who think it is impossible to get ahead of the curve or think it is impossible to get their goals, remember: anything you believe in is achievable as long as you chase after it, regardless of what it is!