Hacktivism on the March – From Cyber Protest to Cyber Warfare

Since 2022, reports of “hacktivism” have been spiking, marking a notable resurgence in this type of attack. The reemergence of hacktivism is largely driven by the Russia-Ukraine conflict and the war in Gaza. Over a two-month period between February and April 2023, more than 1,800 distributed denial-of-service (DDoS) attacks were claimed by hacktivists across 80 Telegram channels, according to recent data from cloud security firm Radware.

“Wasn’t hacktivism something that fizzled out with the Anonymous hacker collective in the 2010s?” you may be asking. The answer is that this type of information systems attack was never really neutralized and, though this vector may have dropped in frequency for myriad reasons, in 2024 it’s back with a vengeance! This time, these attacks are driven to a much larger extent by less altruistic motivations.

According to internet historians, hacktivism – defined as the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change – enjoyed its heyday in the early years of the 21st century.   This somewhat more principled type of hacking reached a peak in the middle of the 2010s before trailing off in both frequency and efficacy.

Yet, like any innovation that starts out with worthy or noble intentions, hacktivism seems to be enjoying a renaissance today.  But, the new strains of hacktivism are driven by darker, more menacing forces and in pursuit of often less-than-honorable geopolitical goals. 

As is often the case with information technology, innovations occur with such speed and volume that it can be difficult for individuals and organizations (to say nothing of governmental regulations) to keep pace.  Many today are still coming to terms with how to protect themselves against hacktivism 1.0.  Most are not aware of how the resurgent hacktivism 2.0 differs from earlier iterations. Or how to guard against being victimized. 

This paper explores and explains how hacktivism began, how it has evolved and what it means today.  At every juncture, the document will offer insights into how external data privacy factors into the equation and how to manage EDP to harden defenses against all types of hacktivism attacks as well as cyber warfare masquerading as hacktivism (which has become the defining feature of such attacks in 2024).

The Origins of Hacktivism

“We are now seeing a tendency toward a shift in the center of gravity away from traditional methods of force and means of combat toward non-traditional methods, including information. Their impact is imperceptible and appears gradually. It is less burdensome economically and is not dangerous ecologically. . . Thus today information and information technologies are becoming a real weapon. A weapon not just in a metaphoric sense but in a direct sense as well.”

The above quote comes from a 1996 issue of The US Army War College Quarterly, Parameters, a refereed forum for contemporary strategy issues, furthering the education and professional development of senior military officers and members of government and academia concerned with national security affairs. 

Military leaders since the days of Sun Tzu have understood the strategic value of information and how its manipulation could deliver significant advantage both on and off the battlefield.  But it wasn’t until the 1980s and 1990s, when the internet began its inevitable march toward becoming the dominant vehicle for all global information management, that the threat of information warfare came to the forefront of military and intelligence agencies. It took several decades more for the internet to become so ubiquitous that it touched literally every facet of life for humanity on every continent. 

By the turn of the 21st century, humans were routinely using the internet for every kind of pursuit.  From business and commerce to the arts and sciences; from systems of governance to those of faith and worship; from political campaigning to promotion of causes, outreach and advocacy.  So, it was to no one’s surprise that humanity, grown comfortable with the new interconnected paradigms of information systems, would find ways to move civil disobedience from the streets into cyberspace.  It was also unsurprising when, by the turn of the century, people motivated by religious fervor or radicalized political ideologies seized upon strategies that would fuse “hacking” of information systems with social activism spawning the rise of “hacktivism”.

Hacktivism’s Early Days of Nobility

Early hacktivists were originally driven largely by moral vigilantism, anarchism, anti-capitalism and other movements seeking to change social agendas using effective but non-violent means.  These attacks on information systems were the cyber equivalent of blocking the entry to bridges and ports or clinic doors as a form of protest, or the campus “sit ins” of the Viet Nam War era.  They were undertaken to interrupt and bring awareness to the injustices (real or perceived) being perpetrated by organizations like governments and corporations.

Early examples of hacktivism largely relied on distributed denial of service (DDoS) attacks as their primary means of lodging protest, not data breaches per se. There was no intention to extort ransoms or steal PII for profit. Rather, DDoS attacks simply flooded the web sites and applications of target organizations with traffic volumes sufficient to grind them to a screeching halt. Such interruptions got the attention of the intended targets. They also usually made the news, garnering public attention (if not support) for the activists’ cause.

Examples of early players in the realm of hacktivism include the Cult of the Dead Cow (cDc), founded in 1984 in Texas to stymie President Ronald Reagan’s conservative agenda. In 1991 the group began distributing copyrighted music on cassette tapes through the mail as a protest against the recording industry’s perceived greed. By 1995, the cDc began an anti-Scientology campaign, with the dubious claim that Scientology founder L. Ron Hubbard was actually infamous Nazi Heinrich Himmler intent on establishing a new fascist order under the guise of the emerging religion. By today’s standards, the actions of cDc may seem quaint.

Active in the 90s, the “L0pht” hackers group from Boston testified to Congress on Weak Computer Security in Government in 1998, claiming they could “shut down the entire internet in 30 minutes”. Their rather noble goals included the successful development of the first viable hackerspace in the US, and the origination of the vulnerability disclosure model known as responsible disclosure, which is still the standard used today by organizations victimized by data breach. Again, this type of action was more intended to effectuate affirmative change than to enrich its perpetrators at the expense of its victims.

Following the lead of these early examples, other ideologically motivated groups began to embrace this tactic for what could be described as moralistic reasons. 

Anonymous

One of the most prolific and high-profile hacktivist groups, a loosely organized and decentralized, international group of anarchists calling themselves “Anonymous” began to make waves in the infosec world in the early 2000s.  In the mold of ethical activism, this hacktivist group rose to global prominence by mounting attacks against a number of governments, government agencies and corporations (and once again the Church of Scientology) which they claimed were acting unjustly to the detriment of humanity. 

With a knack for manipulating mass media, the Anonymous collective soon became a household name.  Without any unifying credo or defined organizational structure, the group nevertheless developed a reputation for their opposition to censorship and governmental or corporate control of information. 

Supporters of Anonymous consider them to be “digital Robin Hoods” and “freedom fighters”.  Detractors describe them as “digital lynch mobs” and “cyber terrorists”.  Due to their decentralized structure and lack of any single leader with any articulated goals and objectives, the activities of Anonymous have, at times, lived up to both these sets of descriptions.

The group for example was effective at drawing attention to the very real plight of the oppressed during the “Arab Spring” uprisings in 2010.  They were instrumental in calling out the widening income disparity between the wealthy and poor during the “Occupy Wall Street” movement in 2011.  

But they also engaged in more dubious hacking activity like their repeated attacks on Scientology using DDoS and Google bombing in 2008, the defacing of websites and doxxing of the “Support Online Hip Hop” organization (for unclear reasons).

In 2009 Anonymous set up websites to coordinate against internet censorship during the Iranian presidential elections, supporting the Iranian Green Movement.   That year they also perpetrated a DDoS attack against the prime minister of Australia who had proposed a plan to filter the internet.

In 2010, the Anonymous collective took aim at censorship exposed by the Wikileaks scandal and the treatment of whistleblower Chelsea Manning. They attacked websites of the Tunisian and Zimbabwean governments and threatened to disrupt activities at Marine Corps Brig, Quantico by cyber-attacking communications and exposing private information of personnel.

Other targets of Anonymous’ hacktivism in 2010 and 2011 included groups and individuals the hacker collective deemed to be immoral or oppressive, such as:

  • Financial institutions like Bank of America, MasterCard, Visa and others
  • The astroturf right wing political organization “Tea Party of Oregon”
  • Sarah Palin, a Republican candidate for Vice President
  • Fine Gael (the Irish political party)
  • The virulently homophobic Westboro Baptist Church
  • The National Police Corps of Spain
  • The Malaysian Government
  • Universal Orlando Resort
  • Facebook
  • Bay Area Rapid Transit (BART)
  • The Central Intelligence Agency
  • American Israel Public Affairs Committee (AIPAC)
  • The Syrian Government
  • Monsanto
  • Many others

Following the period of 2010-2012, Anonymous continued – in its diffuse and uncorrelated fashion – to level cyberattacks and hacktivist interruptions for years. 

The size and scope of the Anonymous activity could rightly be credited with spawning many other hacktivist groups to embrace these tactics.  In a 2012 Boston University Law Review  article, “Investing in a Centralized Cybersecurity Infrastructure: Why Hacktivism Can and Should Influence Cybersecurity Reform”, author Brian Kelly describes what differentiated Anonymous from prior Hacktivist groups.  The three factors Kelly identified were:

(1) an unrelenting moral stance on issues and rights, regardless of direct provocation;

(2) a physical presence that accompanies online hacking activity; and

(3) a distinctive brand

Ultimately, it was the absence of any solid objective or governing command and control that led to Anonymous’ decline as a threat.  However, those who learned these techniques from watching Anonymous began to apply them in more self-serving and criminally-motivated ways.

Ashley Madison

By 2015, Anonymous had faded into the background, but the genie was out of the bottle. Many other groups sprouted up to use hacktivist strategies to advance their respective agendas. Whether the causes célèbres were pro-life groups seeking to outlaw abortion, LGBTQ advocates seeking equality under the law, environmentalists fomenting uprisings in the name of ecological degradation or any of the myriad causes to which one might adhere, hacktivism became a viable model for generating protest and visibility.

Hackers seeking to make a statement had evolved to understand the value – both in monetary and motivational terms – of threatening if not outright stealing/selling the personally identifiable information (PII) of individuals stored within secure online systems. 

In this famous and salacious 2015 case, activist motivations (to protest the wanton flouting of marital fidelity) and financial extortion came together as never before. 

In July of that year, an unknown person or group calling itself “The Impact Team” infiltrated and seized the web services and databases of AshleyMadison.com.  Ashley Madison was an online business dedicated to arranging supposedly discreet extramarital affairs – a business model that was widely regarded as scandalous and which promoted patently immoral activity.  The hacker(s) gave the company’s management thirty days to take down the wildly profitable site with more than 30 million subscribers worldwide.  If the site was not taken down, the hackers promised to release the more than sixty gigabytes of data they had exfiltrated from the company’s breached databases.  This data was to include site users’ personal information including names, addresses, search histories and credit card transaction records.  Many of the sites’ users were public figures and many more were just regular people.  But all were subject to public shaming and damaged/destroyed marriages, families and careers should the information be released publicly.

Sadly, Ashley Madison management chose to disregard the threat, and in August 2015 all 60 gigabytes of stolen data was indeed released.  The fallout was catastrophic, prompting numerous suicides and destroying thousands of professional and personal relationships – ruining countless reputations.

While the identity/identities of “The Impact Team” has never been determined, the damage to both the company and its millions of customers was monumental.  Theories abound about the motivation of the Hacktivists behind the Ashley Madison event.  Some suggest it was a religious group taking extreme steps to quash what they viewed as an egregiously immoral business.  Others suspect it was an “inside job” perpetrated by a disgruntled former employee.  Others point to a spurned spouse who found her partner’s infidelity began with visits to the site.

Regardless, the incident certainly illustrates how damaging this type of attack can be to a large organization, from both a financial and a reputational standpoint. More importantly, it illustrated to hackers that PII was a most valuable commodity.

Hacktivism’s Return

After reaching a peak in the 2010s, instances of Hacktivism dropped sharply for any number of reasons.  Not least of which was the growth of new and more mercenary hacking activities less focused on principle and more on monetary gain. 

Perhaps hackers decided that deploying ransomware or stealing personal data to sell to thieves on the dark web delivered as much pain and suffering to the targets of their ire as simply disrupting site traffic. Or perhaps the more principled hackers simply fell away, but the methodologies they left behind were taken up by the next generation of hackers more interested in financial gain than making grand statements of conscience. Whatever the reason behind the shift, the number of malware attacks boomed.

[Chart: Annual number of malware attacks worldwide from 2015 to 2023]

As the chart from Statista illustrates, the number of malware attacks – including ransomware, spyware, bots, viruses of all varieties, keyloggers etc. – rose precipitously in 2015 and over the ensuing five years.  It was this half-decade during which hacktivism seems to have been supplanted by more prosaic forms of cybercrime.  At the same time, cybercrime became intertwined with cyber warfare as threat actors began exploiting theft of PII to not only advance their political or cause-driven goals but also to fund their movements. 

Between 2015 and 2020, hackers perfected strategies more in line with criminality than activism. Social engineering tactics like Phishing, By the numbers, beginning in 2020, Hacktivism came roaring back. And this new wave of attacks was and continues to be far more sinister in its origins.

This resurgence, driven by geopolitical factors, spawned many new hacktivist groups that are no longer moral warriors but rather state-sponsored groups pursuing political outcomes through cyber warfare and calling it hacktivism. The new goals included election interference, scrambling battlefield logistics, and exacting costly tolls on their enemies.

Contemporary Hacktivism

“One man’s terrorist is another man’s freedom fighter”. This quote, attributed to British thriller novelist Gerald Seymour, is notable because it perfectly condenses the blurred lines of today’s hacktivism, which is partly criminal and partly cause-driven. For those hacker groups solely interested in monetary gain, the term “hacktivism” provides a convenient cover for their criminal activity. However, by and large, today’s new wave of hacktivists is motivated by political and/or religious views. Whether they are deemed terrorists or freedom fighters is largely in the eyes of the beholder (or victim).

From 2023 through the present, a large number of instances of hacktivism originated as a response to the war in Ukraine.  As hacktivism surged in the immediate wake of Russia’s invasion of Ukraine, Wired magazine wrote in an article titled, Hacktivism is Back and Messier than Ever,

“Russia’s invasion of Ukraine in February prompted a surge in hacktivism activity. Legacy hacktivist collective Anonymous was revitalized, but new groups were also formed. Ukraine’s unprecedented IT Army, a volunteer group of hackers from around the world, has continuously launched DDoS attacks against Russian targets that are outlined in its Telegram group. In June, a speech by Vladimir Putin was delayed after a cyberattack. Other hacktivist-linked groups have run huge hack-and-leak operations against Russian entities, resulting in hundreds of gigabytes of data from Russia being published online.”

Many of the current crop of threat actors are pro-Russia and anti-western democracy.  It is very likely that many of them are sponsored by the Russian government and other governments aligned geopolitically with Russia, such as Iran, China and North Korea.  As Ukraine seeks to join NATO and align itself with western allies, Russian hacktivists are keen on targeting European nations which they see as part of the NATO alliance standing against their invasion of a sovereign Ukraine. 

The chart below from European cyber defense company Orange Cyberdefense confirms the extent to which current geopolitical conflicts are driving the increased attacks. With the exception of the Anonymous Sudan group, which is active in targeting Israel as a response to military actions in Gaza, the majority of activity illustrated in this data set is a response to western support for Ukraine.

[Chart: Hacktivist groups and their targets]

Some of the most prolific hacktivist groups active today are Russian sponsored or at least aligned with Russian military interests. Here are a small handful of well-known hacktivist groups that meet these criteria:

  • NoName057 – Russian group targeting NATO countries
  • Anonymous Sudan – Russian
  • The Wagner Group – Russian
  • CyberArmyofRussia_Reborn – Russia
  • KillNet – Russian

The Wagner Group is indeed a well-known Russian paramilitary organization providing mercenary soldiers to the front lines of this conflict. KillNet and CyberArmy are similarly involved directly with Russian military intelligence, illustrating the extent to which hacking attacks have become a regular feature of military operations.

For its part, the pro-Ukraine group “The IT Army” is a crowd sourced consortium of hackers from Ukraine, working together to undermine Russian aggression against their populace.   This group uses the same DDoS attacks as well as system intrusions to gather intelligence data as well as to find PII and context clues used to bypass cybersecurity via social engineering. 

Lesser publicized geopolitical conflicts are also fueling the current rise in hacktivism according to cybersecurity expert Dan Lohrmann of Government Technology.  Lohrmann writes, “DragonForce Malaysia, a hacktivist operation targeting Middle Eastern organizations in 2021, made a return in 2022. Its recent campaigns were political responses to national events. OpsBedil Reloaded occurred following events in Israel, and OpsPatuk was launched in reaction to public comments made by a high-profile political figure in India.  Major information and communication networks in the Philippines, including CNN, news network ABS-CBN, Rappler, and VERA Files, were the target of DDoS attacks in connection with the country’s 2022 general elections.”  Clearly, the methodology has been adopted by threat actors everywhere. 

In an example from another hemisphere, Guacamaya, a recently emerged hacktivist group, purports to expose corruption between Latin American governments and corporations. It has put Latin American governments on notice that it plans to expose state secrets, business dealings and the intimate details of whatever else the group deems corrupt. In a statement sent via email to CyberScoop the group said it would expose, “Anything that represents oppressive states, multinational corporations and, in short, anything that supports this system of death.”

While the ends may seem motivated by principle, many of these groups are financing their actions by stealing PII data to sell on the dark web and by extracting ransoms. Even among those funded by foreign governments, in the absence of any significant oversight, hackers working in these groups are known to “freelance” – stealing and selling data and IP obtained incidentally during these operations.   

The Role of External Data Security in Combating Hacktivism

Ideological biases aside, as an information security professional, it is your duty to protect your organization from being victimized by hacktivist attacks.  Whether you serve an organization that delivers reproductive care, manufactures firearms, administers governmental agencies, produces energy, paper products, agriculture, technology or any other type of product/service, there is likely a group at odds with your operation.  Hacktivists can be motivated by religious objections to social mores, anti-gun sentiment, extremist political views, radical environmentalism, or any number of other beliefs.  Whether you regard any particular group as a freedom fighter or a terrorist organization and whether your organization is considered either of these things by its adversaries is beside the point.

The question facing you as a professional is how to protect your organization from being victimized by the rising threat of hacktivism, regardless of the validity of the hacker’s criticism. It is also important to be able to protect your organization against attacks by hackers hiding behind the designation of activism.

The two charts below, from the 2024 Verizon Data Breach Investigations Report (DBIR), illustrate the patterns of incidents over time from 2018 to present and the patterns of breaches over a similar period. In the first of the two we can clearly see the outsized role of DDoS incidents, which, as we’ve established, are the hallmark of hacktivist attacks. Notable in the second chart are the increased levels of system intrusions and social engineering attacks.

DBIR writes, “As you can see, System Intrusion continues to be the top pattern from a breach perspective (as opposed to incidents, where DoS attacks are still king). Both the Social Engineering and Miscellaneous Errors patterns have risen appreciably… since last year.”

DDoS attacks are executed largely by the injection of malware onto secure networks – a process increasingly accomplished using stolen PII to craft social engineering schemes to easily bypass traditional cybersecurity measures.  As Privacy Bee for Business has established on many occasions, all information security functions must exist under one blanket strategy for any of the individual facets to succeed.  Security is not a series of disparate practices, tools and functions to be managed separately by different segments of the business operation. Rather it is an integrated security ecosystem, and it begins and ends with data privacy.  Network security and physical security – no matter how hardened and robust – are easily circumvented by weak or non-existent protection of external data privacy. This fact explains the rising epidemic of social engineering attacks presently affecting organizations of all sizes and compositions.

Read our White Paper, Cyber Security Isn’t Enough – The Information Security Ecosystem Dies Without External Data Privacy for details on unifying strategies to protect the cybersecurity and data privacy ecosystem.  The strategy it articulates is essential to guarding against hacktivist attacks.

For additional insight into the extent to which cybercriminals and state sponsored threat actors are becoming less distinguishable read the White Paper, The Blurring Lines Between State Sponsored Threat Actors and Cyber Criminals.

Then, reach out to Privacy Bee for Business to learn more about how to immediately begin managing the unsecured external data privacy that renders your organization highly vulnerable to attacks by hacktivist groups worldwide. 
