Cybercrime , Fraud Management & Cybercrime , Governance & Risk Management

Down and Out in Hacktivist Land

Bona Fide Hacktivism Plummets, While Nation-State False-Flag Operations Continue
Down and Out in Hacktivist Land
Photo: Frédéric Bisson, via Flickr/CC

Where have all the hacktivists gone?

See Also: The State of Organizations' Security Posture as of Q1 2018

Activism via hacking efforts in the early 2010s conducted under such banners as Anonymous, AntiSec and LulzSec made "hacktivism" a widely used term. But since 2016, the number of website hacks, defacements and information leakage - or doxing - campaigns that can be definitively traced to hacktivists has sharply declined.

From 2015 to 2018, hacktivist attacks decreased by nearly 95 percent, IBM X-Force reported in May, citing a global decline in attacks perpetrated under the banner of Anonymous and associated groups since 2016.

"Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus," said Camille Singleton, an IBM X-Force intelligence analyst, in a blog post.

Cyberthreat intelligence firm Recorded Future characterizes the current state of affairs as "a return to normalcy, in which hacktivist groups are usually small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism."

Source: Recorded Future

The rise and fall in hacktivism has been a long time coming. The coining of the term, as recounted in Reuters reporter Joseph Menn's recently released book, "Cult of the Dead Cow" traces to the group called CdC, which says it invented the word in 1994.

In 1998, CdC issued a press release urging "hacktivists" to use its remote access tool Back Orifice - "a crude pun on Microsoft's BackOffice software," as Menn notes - to hack into organizations that did business with China.

Hacktivism Continues

Although hacktivism incidents are now relatively rare, they still pop up. "Most recently, groups like Digital Revolution and Lab Dookhtegan infiltrated and dumped sensitive documents online belonging to Russian and Iranian state security groups, respectively," researchers from Recorded Future's Insikt research group say in a new analysis of international hacktivism trends. "However, these groups have not gone out of their way to call themselves 'hacktivists.'"

Recorded Future says it counts about 80 hacktivist groups - from Anonymous Brasil and CyberBerkut to New Romanic Army and United Cyber Calipate - as being active since 2010.

Source: Recorded Future

Despite the overall low level of current attacks, hacktivist efforts sometimes surge in response to global events. In January, for example, suspected Iranian hackers disrupted Saudi Arabian newspapers' websites after they expressed support for the government of Yemen.

"There has been an increase in hacktivism in general in the first quarter of 2019," Adam Meyers, vice president of intelligence at cybersecurity firm Crowdstrike, told Wired in May. "We did see quite a bit of geopolitically motivated hacktivism - Venezuela, Libya, Pakistan and India, Brazilian groups. They’re really on both sides of each conflict."

Hacktivist Attacks by Group

Source: X-Force Data, 2015-2018

Here's another example: Following December 2018 protests in Sudan that helped lead to the ouster in April of Omar al-Bashir, who had ruled the country for 30 years, hackers leaked a government database and targeted government sites with defacements and distributed denial-of-service attacks. CrowdStrike says three groups claimed credit for the Sudan disruptions: Ghost Squad Hackers, Sudan Cyber Army as well as the Brazil-based Pryzraky collective.

"Attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus."
— Camille Singleton, IBM X-Force

"We continue to observe hacktivist activity motivated by geopolitical politics, recent activity has been observed in Iran, Brazil, and Argentina," Meyers tells Information Security Media Group. "Leaks targeting political leaders by hacktivists occurred in Brazil and Argentina recently in particular."

Hacktivists' collective ire was further stoked this year over Julian Assange. After seven years of hiding out in the Ecuadorian embassy in London, the WikiLeaks chief received the boot in April, likely due in no small part to the U.S. Department of Justice accusing WikiLeaks of being a cutout for Russian intelligence after it leaked stolen Democratic Party emails.

With his asylum protection withdrawn, Assange was immediately arrested for violating his U.K. bail conditions. Shortly thereafter, the Justice Department announced he'd been charged with one count of conspiracy to commit computer intrusion for allegedly helping former U.S. Army intelligence analyst Chelsea Manning - the source of leaked State Department cables - crack a password hash. The Trump administration is now seeking Assange's extradition.

Source: Recorded Future

But WikiLeaks - or at least Assange - still enjoys the backing of at least some members of the leaderless Anonymous collective. Assange's embassy expulsion led to Ecuadorian websites being targeted by DDoS attacks launched under the banner of Anonymous.

False-Flag Operations

Researchers say hacktivism - or supposedly patriot hackers - also continues to be used as cover for nation-state operations, especially those tied to Russia, China, Iran and North Korea. Perhaps not coincidentally, U.S. and Western European intelligence officials say those four countries pose the greatest hacking risk to governments and businesses (see: Intelligence Chiefs Expect More Cyberattacks Against US).

But it can be impossible to tell whether an individual or group is acting on its own merits or might be working for a government. Anonymous, for example, has regularly warned of "fake Anons" pretending to be part of the collective.

"Part of the allure to nation-state actors is that it is difficult to detect the difference between a nationalist hacktivist conducting actions, perhaps even in coordination with a government, and a 'true' nation-state actor," John Terbush, a senior threat intelligence researcher at Recorded Future, tells ISMG. "There is plausible deniability created by this kind of operation. That said, 'hacktivist' operations may be purely a cover, which can be seen, for example, when another government has penetrated the veil and revealed that some of these are purely nation-state actions only using the guise of hacktivism - for example, Guccifer 2.0."

The U.S. Justice Department says Guccifer 2.0 - also known as Fancy Bear and APT28 - was a front for the Russia's GRU military intelligence agency. Several GRU officers were indicted by Special Counsel Robert Mueller, accused of hacking into the Democratic National Committee and Democratic Campaign Committee (see: Analysis: VPN Fail Reveals 'Guccifer 2.0' is 'Fancy Bear').

Hacktivism as Nation-State Cover

Beyond Guccifer 2.0, there are numerous examples of how countries have used hacktivism as a cover for government operations.

  • Russia: Experts say the 2007 disruption of Estonian government systems, attributed by Moscow to patriot hackers, was in fact the work of the Russian government. Since then, Moscow has been tied to numerous supposed hacktivist attacks, including those of Guccifer 2.0. Many security experts also suspect Russia's FSB intelligence agency was behind Shadow Brokers, the shadowy group that leaked hacking tools and exploits stolen from the U.S. National Security Agency.
  • China: In China, hacktivist groups have been at work since the Green Army appeared in 2008, later to be joined by China Eagle Union and generations of the Honkers Union of China. Many of those early groups may have comprised bona fide hacktivists, but Recorded Future notes that they have since splintered, with many members likely joining the cybersecurity workforce. More recent efforts, however, such as disruptions of Vietnamese targets by 1937CN, may be part of nation-state cyber espionage efforts, Recorded Future says.
  • Iran: Iran has been accused of running the DDoS attacks against U.S. banks that began in 2011, for which a group calling itself Izz ad-Din al-Qassam Cyber Fighters took credit, saying the campaign was a reprisal for a YouTube movie trailer deemed by the group to cast Islam in a negative light. In 2016, however, the U.S. Justice Department indicted seven Iranians for the attacks, saying they were working for the the Iranian government.
  • North Korea: The 2014 wiper attacks against Sony Pictures Entertainment and leaking of emails and corporate information was carried out by hackers who claimed they were part of a group called "Guardians of Peace," acting on their own initiative to protest the movie "The Interview," a comedy that depicted the accidental assassination of dictator Kim Jong-Un. But the FBI said the malware attack and doxing campaign was carried out at North Korea's orders.

So far, researchers haven't reported seeing hacktivist attacks that they believe trace to western governments. "It is, of course, difficult to prove that these operations are not occurring," Recorded Future's Terbush says. "But we do not have much in the way of documented false-flag hacktivist operations from governments including the U.S., Great Britain and EU member states."

5 Notable Hacktivist Groups

While there have been many hacktivist efforts, some attacks - and doxing campaigns - have been much more high profile than others and tied to just a handful of groups:

  • Anonymous: In 2010, Operation Payback, organized by Anonymous, targeted financial firms that had attempted to cut off funding from WikiLeaks after the whistleblowing website released hundreds of thousands of sensitive U.S. State Department cables. That's just one of numerous operations that have been launched in the name of the decentralized collective - and its many international branches - of which anyone can say they're a member.
  • AntiSec: In February 2011, AntiSec hacked into HBGary Federal after the company's CEO, Aaron Barr, claimed he could infiltrate Anonymous. Attackers subsequently leaked tens of thousands of emails and corporate documents from the company, which together with separate firm HBGary was ultimately acquired by ManTech International in 2012.
  • LulzSec: In the summer 2011, the LulzSec crew offered "50 days of lulz," as the group's members "LOL'd" their way through numerous organizations' defenses. Most, if not all, members were subsequently arrested and all appear to now be free (see: Memoir of a Former Black Hat).
  • Impact Team: In 2015, the infidelity-focused dating site Ashley Madison was hacked by Impact Team, which leaked tens of millions of users' account details, allegedly because the site was lying about erasing previous members' profile information, even after individuals paid a $19 fee for the site to do so.
  • PhineasFisher: Also in 2015, a hacker or hackers operating under the name "PhineasFisher" hacked Milan, Italy-based surveillance software vendor Hacking Team and dumped 400 GB of corporate data. Previously, the same hackers claimed credit for hacking and leaking data from former FinFisher surveillance software vendor Gamma Group in the U.K.

One wrinkle to hacktivist attacks, however, is that it's not clear what - if any - long-term effect they might have on targets. While anti-virus firms added blocks for Hacking Team and FinFisher surveillance code, for example, both companies revamped their products, likely once again making them difficult to detect. Both remain in business.

Source: Recorded Future

Likewise, the financial services firms targeted in Operation Payback continue to do business, HBGary got sold to another firm, while Ashley Madison says its massive data breach led to copious quantities of free publicity and a surge in paid users (see: Do Data Breaches Permanently Affect Business Reputations?).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.