Only a few years ago, the antics of hacktivists regularly populated media headlines with grand stunts and ominous threats, defacing websites, knocking global brands offline and leaking data belonging to multinational, multi-billion dollar corporations. Hacktivists styled themselves as “rebels with a cause” while media headlines typically portrayed them as juvenile script kiddies or malcontents with nothing but mischief on their minds. About the only thing both sides largely agreed on was that hacktivists were collectives acting out of some sense – either noble or misguided (delete as appropriate) – of wider purpose or shared ideology, rather than committing cybercrimes merely for the sake of selfish, financial gain like typical cybercriminals.
Today, hacktivists and hacktivism rarely make the news headlines at all. So what happened to them? Are they still a threat to organizations or has their time been and gone? In this post, we take a look at hacktivism from its origins to the present day, discuss its motivations and explain why hacktivist groups should still be on your threat assessment radar.
What is Hacktivism? Who Are These “Hacktivists”?
The Merriam-Webster dictionary defines hacktivism as “computer hacking (as by infiltration and disruption of a network or website) done to further the goals of political or social activism”.
The term “Hacktivism” was coined in the early 90s by the (in)famous hacker collective, Cult of the Dead Cow. As the word suggests, Hacktivism is a means of collective political or social activism manifest through hacking computers and networks. Hacktivism began as a sub-culture of hacking, gaming and web communities, and allowed technically-inclined individuals to use the connectivity and anonymity of the web to join together with others and operate towards common causes. As such, hacktivists were originally mostly young males who enjoyed surfing the web, visiting forums and newsgroups, sharing information on illegal download sites, chatting in “private rooms” and colluding with like-minded drifters of the net.
The net granted them the opportunity to use any alias they wanted, and using that persona they engaged in joint adventures ranging from pursuing pornographic materials and sharing pirated copies of desired software to pranks and sometimes illegal activities – mostly aimed at “The establishment”. Some of the more widely known groups to have caught public attention in connection with Hacktivism are Anonymous, Lulzsec, and the Syrian Electronic Army.
Here we come to the second trait of the hacktivists – the desire to “fight” against a common enemy. When the world became more connected, these individuals realized that they could act (with minimal personal risk) against others. But these activities (which soon became known as “Operations” or “Ops”) required more than a handful of online friends. They required an army. So the final ingredient of hacktivism was born – the “Legion”. The new narrative, created over a period of two decades, was that of an underground, faceless army fighting together as a collective to break the chains of the old world.
What Do Hacktivists Want?
One of the defining characteristics of a hacktivist group is that they are united around some ideology, principle or cause. These can be political, religious, regional, personal or even anarchist. Perhaps the first hacktivist ‘op’ occurred back in 1989, when, according to Julian Assange, the US Department of Energy and NASA computers were penetrated by the anti-nuclear Worm Against Nuclear Killers (WANK) worm. This might have been the first recorded incident, but it was not widely reported and went mostly unnoticed by the public at large.
A later incident that occurred in 1994 received much more attention. A group of British activists protested against an “Anti-Rave” law by launching a DDoS attack against British Government websites. The protesters argued that the law was an infringement of people’s basic human rights.
The following year, Italian protesters engaged in electronic civil disobedience with the first Netstrike, a precursor to automated DDoS attacks which involved individuals repeatedly clicking on a government website link in an attempt to overload the server as a protest, again, against nuclear weapons. At the time it was described as a form of ‘virtual protest’ as the term ‘Hacktivist’ was not widely in use.
Further hacktivist activities happened throughout the 90s and the first decade of the new millennium, but hacktivism only really achieved widespread public attention in the later years of that decade.
The Rise and Fall of Anonymous
By that time, the internet was vastly different than before, in ways that made it possible for hacktivism to leave its mark. Now, major commercial activities were taking place online, governments all over the world were also offering their services online, and millions of users were populating social media sites, YouTube, Reddit, 4chan and others: these communities were all ripe for recruiting people willing to participate in collective, hacktivist campaigns.
In the early 2000s, one such collective, known as Anonymous, came to define and symbolize the hacktivist movement for a generation. Originating out of 4chan and famous for its use of the Guy Fawkes mask, Anonymous conducted high profile operations against well known “targets” such as the Church of Scientology, Amazon, PayPal, Visa, Mastercard and multiple government sites, including the CIA. Starting in 2011, Anonymous also became affiliated with political struggles such as the “Arab Spring”.
But like any global movement without any clear structure or ideology, it started to disintegrate into local factions who often fought between themselves. In addition, law-enforcement agencies stepped up their efforts to unmask and prosecute the hacktivists, leading to the arrest of some prominent members of the community, which in turn crippled Anonymous’ ability to organize and execute large-scale attacks.
If media headlines are anything to go by, it might seem that the hacktivism heyday is over. Recorded Future, which monitors hacktivist activity, recently reported that it had been tracking 28 active hacktivist groups in 2016 but now is only tracking 7 such groups.
But the headlines don’t quite paint the whole picture. Remnants of Anonymous, as well as hacktivist groups Ghost Squad Hackers, the Sudan Cyber Army and others have been active recently in political events in the Sudan and attacks on the Sudanese Ministry of Defense, for instance. Meanwhile, Anonymous also made threats against both the Ecuadorian and U.K. governments over the eviction of Julian Assange from Ecuador’s London embassy and his subsequent arrest in 2019. The Ecuadorian government claimed that over 40 million cyberattacks had been launched against government institutions in the wake of Assange’s eviction and arrest.
More recently, hacktivist group Lizard Squad was responsible for an attack on the U.K.’s Labour party during the country’s general election last December. The botnet-powered DDoS attack targeted the then-leader of the party, Jeremy Corbyn, as well as his party’s websites. The group promised more attacks on both government and Labour party websites should Labour win the election (something they failed to do). In the past, Lizard Squad had claimed responsibility for attacks on Sony, Microsoft Xbox and even Taylor Swift, but this was its first known outing for some years. According to one report, the group may have turned to financially motivated crime in the interim, quietly building and hiring out its botnet in a DDoS-for-hire service.
More concerning is that hacktivism just might be taking a much more sinister turn right in front of our eyes. It seems that hacktivism is now being used in ‘false flag’ or covert operations, as nations exchange virtual blows without taking responsibility by means of supposedly “volunteer” hacktivist groups. For instance, in a recent skirmish between Turkish and Greek hacktivists, there were numerous DDoS attacks from both sides. However, the tenacity of the attacks hints that there might be more at play here than mere script kiddies using makeshift tools.
Following the initial attack and counter-attack (which disabled Turkey’s internet infrastructure for several hours), Turkish hackers unleashed an attack on at least 30 entities, including government ministries, embassies and security services as well as corporations in multiple locations, among them Cyprus, Greece and Iraq. According to Reuters, the target selection hints at the involvement of the Turkish government. This pattern has been utilized around the world by nations such as China, Iran, and Russia – all notorious for operating “non-official” proxies for political goals.
It is likely that hacktivist groups affiliated with certain nations will continue to flourish and may even be given tools, funds and training to allow them to operate in a semi-independent way (as long as they please their masters).
Why Should Enterprise Care About Hacktivism?
Enterprises have enough threat actors to worry about as it is, so are hacktivists really something they need to be concerned about today?
Hacktivists have been known to attack enterprises that appeared to them to be engaging in activities that were anathema to their ideology. Visa, for example, refused to process donations made for Julian Assange and was subsequently attacked in Operation Payback; the aforementioned attacks on Sony and Microsoft are further examples.
More commonly, enterprises are hit as collateral damage. They can suffer from general disruptions (like nationwide internet service outages), specific denial of service attacks, defacement attacks and attempts to identify and steal sensitive information.
The rule of thumb is that enterprises and organizations that are closely affiliated with a nation (such as a national bank, or an enterprise named after the said country) are more likely to be attacked. It is true that most of these attacks can be categorized as a nuisance, but even short-term website defacement can cause reputation damage, and business disruption through large-scale DDoS attacks and data leaks can even cause actual financial harm.
As the line between ‘hacktivists’ and state-sponsored APTs starts to blur, and as low cost malware and ransomware-as-a-service (RaaS) options continue to increase in availability, more serious cyber attacks from hacktivists utilising such cyber weapons should be considered as a possibility in your threat assessment. Therefore, it is a good idea to consume threat intelligence covering the latest hacktivist trends and prepare accordingly.