Hacktivism surged back into mainstream consciousness with Russia’s invasion of Ukraine in February 2022. Less than two years later, politically motivated groups and individuals were out in force again, this time ostensibly to make their point amid the Israel-Hamas conflict. Worryingly, hacktivists have been spotted using increasingly sophisticated and aggressive tactics to bring their agendas to public attention.
Perhaps even more disconcerting is the likelihood that many groups are, in fact, either backed by, or even consist of, nation-state actors. Indeed, the lines between state-sponsored cyber operations and traditional hacktivism have become fuzzy. In a world increasingly characterized by geopolitical instability and an erosion of the old rules-based order, organizations, especially those operating in critical infrastructure, should consider building the hacktivist threat into their risk modelling.
What’s new in hacktivism?
At its most basic, hacktivism is the act of launching cyberattacks for political or social reasons. As an indication of the seriousness with which it is now viewed, the Red Cross last year issued eight rules for “civilian hackers” operating during wartime, all while noting that hacktivists are increasingly causing disruption to non-military targets such as hospitals, pharmacies and banks.
Predictably, there’s been little sign of hacktivists adhering to the guidelines issued by the Red Cross. Indeed, with attribution still difficult online, the pros of engaging in hacktivist activity still largely outweigh the cons – especially if attacks are secretly backed by nation states.
The old and the new
The current Israel-Hamas conflict has drawn unprecedented numbers of activists onto streets around the world. And, in lockstep, it has led to a surge in online activity. Much of this is similar to the tactics we’ve seen in previous hacktivist campaigns, including:
- DDoS attacks: According to some sources, hacktivist-driven DDoS activity last year peaked in October at “record levels, following the conflict between Israel and Hamas.” This made Israel the country most targeted by hacktivists, with 1,480 DDoS attacks recorded in 2023, some of them against big-name organizations.
- Web defacement: Over 100 hacktivists launched over 500 web defacement attacks on Israeli websites in the week following the October 7 raids, according to Cambridge University researchers. Similar low-level web defacements continue to this day.
- Stolen data: Some groups claimed to have stolen and published data from Israel and allied organizations. In other words, hacktivists can infiltrate corporate systems to pilfer sensitive information before releasing it publicly to embarrass or harm the target.
However, there are also signs that hacktivism is becoming more targeted and sophisticated:
- One report suggested hacktivist group AnonGhost exploited an API vulnerability in the “Red Alert” app, which provides real-time missile alerts for Israeli citizens. The group “successfully intercepted requests, exposed vulnerable servers and APIs, and employed Python scripts to send spam messages to some users of the app,” it noted. The group even managed to send fake messages to civilians about a nuclear bomb.
- Other reports noted that hacktivists had posted screenshots indicating they had access to Israeli water systems’ SCADA devices. The researchers were unable to verify these claims, but suggested that hacktivists may have been conducting reconnaissance operations targeting the sector.
When nation states get involved
Hacktivists with more advanced technical know-how and/or access to tools and knowledge on the cybercrime underground may have been behind the latter attacks. However, nation state backing can’t be ruled out. Many countries have geopolitical and ideological reasons to attack other countries and their allies under the camouflage of hacktivism.
In fact, suspected Russia-affiliated groups seem to have a long history of doing so, including under the Anonymous Sudan moniker, which has taken down many targets in the West. The group claimed the attack on The Jerusalem Post and several others targeting industrial control systems (ICS), including the Israeli Global Navigational Satellite Systems, Building Automation and Control Networks and Modbus ICS. Another pro-Russian group, Killnet, claimed to have taken down an Israeli government website and the website of security agency Shin Bet.
While these attacks are notably high profile, there are hints of more insidious state-backed efforts masquerading as hacktivism. Disinformation efforts include the use of AI-generated images purporting to show missile strikes, tanks rolling through ruined neighborhoods, or families combing through rubble for survivors.
The focus here is to generate images that create a strong emotional reaction – such as one of a baby crying amidst bomb wreckage, which went viral late last year. Fake social media and Telegram accounts amplify the disinformation. In one case, X owner Elon Musk apparently promoted a post from a faked account that was viewed 11 million times before deleting it.
Security researchers have observed suspiciously coordinated activity following the Hamas attack – possibly suggesting state involvement. One study claimed at least 30 hacktivist groups immediately pivoted activity to the conflict within 48 hours.
How organizations can manage hacktivist risks
In many ways, whether the hacktivist threat comes from genuine groups, those aligned with state interests or covert nation state operatives themselves, the threat remains the same. Such groups are increasingly targeting private sector organizations with the audacity to speak out on politically sensitive issues. In some cases, they may do so simply because the organization is perceived as aligned with one side or another, or as a smokescreen for more shadowy nation state goals.
Whatever the rationale, organizations can follow these basic high-level steps to mitigate the hacktivist risk:
- Ask the right questions: Are we a target? What assets are at risk? What is the extent of our attack surface? Are existing measures enough to mitigate hacktivist risk? This is where a thorough cyber-risk assessment of externally facing infrastructure can help.
- Plug any gaps revealed by such an assessment, including vulnerabilities or misconfigurations – ideally this should be done in a continuous and automated manner.
- Ensure assets are protected from threats at an email, endpoint, network and hybrid cloud layer and continuously monitor for threats with XDR/MDR tools.
- Enhance identity and access management with zero trust architecture and multi-factor authentication (MFA), and keep an eye out for suspicious data access patterns.
- Use threat intelligence to gather, analyze, and act on information about current and emerging threats.
- Apply robust encryption, both at rest and in transit, to protect sensitive data from being read or modified by unauthorized parties.
- Run continuous employee education and awareness training programs.
- Partner with a trusted third-party for DDoS mitigation.
- Build and test a comprehensive incident response plan.
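As an added example of what two of the monitoring points above (continuous threat monitoring, and watching for suspicious data access patterns) can look like at the log level, the following Python script is not from the article or from ESET. It runs two simple detections over constructed web-server access-log lines: a per-source request-rate check, which is a basic volumetric DDoS indicator, and a check for a single account exporting an unusually large number of distinct customer records inside a short window. The log format, the `/api/customers/<id>/export` path, the account names, IP addresses and the thresholds are all assumptions made for illustration; real thresholds would be tuned against a site's own baseline.

```python
"""Added example (not from the article): two log-level detections that map to
the monitoring advice above - a request-flood check per source IP and a
bulk-export check per authenticated user. All log data is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format without referrer/user-agent, kept short for the example.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed path shape for a sensitive per-record export endpoint.
SENSITIVE_RE = re.compile(r"^/api/customers/\d+/export$")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_request_floods(lines, window=timedelta(seconds=10), threshold=50):
    """Flag source IPs with more than `threshold` requests inside any `window`.

    Keeps a sliding window of timestamps per IP (the log is assumed to be in
    chronological order) and returns {ip: peak_requests_in_window}."""
    windows = defaultdict(deque)
    peaks = {}
    for rec in filter(None, map(parse_line, lines)):
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def find_bulk_data_access(lines, window=timedelta(hours=1), threshold=10):
    """Flag authenticated users who successfully export more than `threshold`
    distinct customer records inside `window`. Returns {user: distinct_count}."""
    history = defaultdict(list)   # user -> [(ts, path)] of successful sensitive reads
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["user"] == "-" or rec["status"] != "200":
            continue
        if not SENSITIVE_RE.match(rec["path"]):
            continue
        cutoff = rec["ts"] - window
        hist = [(t, p) for t, p in history[rec["user"]] if t >= cutoff]
        hist.append((rec["ts"], rec["path"]))
        history[rec["user"]] = hist
        distinct = len({p for _, p in hist})
        if distinct > threshold:
            flagged[rec["user"]] = max(flagged.get(rec["user"], 0), distinct)
    return flagged


def make_sample_log():
    """Construct a small chronological log: a normal visitor, one flooding
    source, a normal analyst account and one account bulk-exporting records."""
    base = datetime(2023, 10, 9, 8, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, user, t, path, status="200", size="512"):
        lines.append(f'{ip} - {user} [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {size}')

    for i in range(5):      # ordinary browsing: 5 requests spread over a minute
        add("198.51.100.4", "-", base + timedelta(seconds=12 * i), "/")
    for i in range(120):    # flood: 120 requests inside 6 seconds, server answering 503
        add("203.0.113.9", "-", base + timedelta(milliseconds=50 * i), "/", "503", "-")
    for i in range(3):      # analyst 'alice': 3 exports over half an hour (normal)
        add("192.0.2.10", "alice", base + timedelta(minutes=15 * i), f"/api/customers/{100 + i}/export")
    for i in range(25):     # 'svc-report': 25 distinct exports in 4 minutes (suspicious)
        add("192.0.2.11", "svc-report", base + timedelta(seconds=10 * i), f"/api/customers/{500 + i}/export")
    lines.sort(key=lambda l: parse_line(l)["ts"])   # logs are processed in time order
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("request floods:", find_request_floods(log))
    print("bulk exports:", find_bulk_data_access(log))
```

Both detectors are deliberately stateless beyond a sliding window, so the same functions can be pointed at a live tail of the access log; in practice the flood check belongs in front of the origin (at the CDN or DDoS-mitigation provider mentioned above), while the bulk-export check is the kind of rule an XDR/SIEM would carry against application logs.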
Hacktivism is nothing new. But the increasingly blurred lines between ideologically/politically motivated groups and government interests make it a more potent threat. It may be time to rethink your risk management planning.