Back in hack

THE LONG READ Hacktivism – a topic brought to the fore a decade ago, thanks to the antics of Anonymous and LulzSec – has seemingly been in decline for years, but it may be re-emerging as a tool of governments.

Groups with the trappings of hacktivism have recently dumped Russian and Iranian state security organization records online, according to Recorded Future. The threat intel firm has used these instances as a jumping-off point to take stock of the whole hacktivist phenomenon.

Tinker, tailor, hacktivist, spy

Insikt Group, the research arm of Recorded Future, used reports of historical hacktivist-driven events to analyze the shifting targets and players in the hacktivism space in 2019.

Hacktivism often conjures up images of a loose collective of geographically spread individuals that band together to achieve a common goal. Such assumptions are misleading, according to Insikt.

In reality, the hacktivist landscape has long featured actors reacting to regional events alongside states operating under the guise of hacktivism to achieve geopolitical goals.

Citizen hacktivism in decline

The number of “large-scale, international hacking operations” most commonly associated with hacktivism has declined over the last 10 years, with the fall becoming especially steep after 2015 and 2016, according to Recorded Future.

Part of the reason for the decline in successful hacktivist operations might be that, while corporate defenses have improved over the years, the attack vectors, tools, and techniques used by hacktivist groups have remained largely unchanged since 2010.

Typical hacktivist tactics include phishing, credential theft, website compromise, and running DDoS attacks.

“Improvements over the past decade in the defensive posture of large financial institutions, government agencies, and other popular hacktivist targets have likely rendered the use of unskilled volunteers less effective,” Recorded Future said.

Arrests and prosecutions against members of Anonymous, LulzSec, and others may also have had a deterrent effect – reducing the number of people tempted to resort to hacktivism as a means of political or social protest.

In general, hacktivist activity is declining, with a move away from broad public participation and back towards its origins as a practice of smaller groups of dedicated individuals.

Even while mainstream hacktivist activity has declined, nation-state entities have “increasingly used hacktivism in association with strategic campaigns, by coordinating with legitimate hacktivists of like mind, and false-flag operations made to appear as unassociated, independent hacktivist activity,” according to the threat intelligence firm.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, told The Daily Swig that nation-states tend to use many of the same tactics as “citizen hacktivists” but with a twist.

Differentiating between nation-states posing as hacktivists and genuine grassroots protest movements therefore becomes a question of judgement.

“Over the last couple of years, DDoS attacks have become a tactic that is infrequently utilized by nation-states,” Moriuchi explained. “Phishing, credential theft, and more, are tactics widely used by both criminals and nation-states as well as hacktivists.

“The wide availability of quality commodity malware and tools means these techniques can be used by anyone with even rudimentary skills.

“Further, nation-states have also begun to use these commodity tools in attempts to ‘blend in with the noise’ and make attribution of their operations more difficult,” she added.
Multiple threat actors such as Guccifer 2.0 (linked to the alleged 2018 US presidential election hack), Lazarus Group (Sony, WannaCry – allegedly North Korea), and the Shadow Brokers (leaked NSA-sourced tools – allegedly Russia again) have “conducted cyber operations claiming to be hacktivists, only to be revealed or suspected as groups operating for or connected to nation-states”, Recorded Future said.

Most recently, groups like Digital Revolution and Lab Dookhtegan infiltrated and dumped sensitive documents online that allegedly belonged to Russian and Iranian state security groups, respectively. “However, these groups have not gone out of their way to call themselves ‘hacktivists’,” Recorded Future notes.

From Cairo to Canton

The Arab Spring anti-government protests across North Africa and the Middle East a decade ago were accompanied by hacktivist activity by the likes of Anonymous.

The ongoing protests in Hong Kong are not thought to have been accompanied by significant online protests by activists, although they have been accompanied by Chinese information warfare campaigns using social media.

These none-too-subtle efforts led to Twitter’s decision to ban more than 900 accounts blamed for attempts to spread fake news. Facebook has also blocked accounts blamed for spreading misinformation about Hong Kong.

Moriuchi, former head of the NSA’s East Asia and Pacific cyber threats office, commented: “We do not believe these accounts suspended by Twitter and Facebook were actually part of a true hacktivism campaign. Twitter stated this activity was a ‘coordinated state-backed operation,’ which is instead categorized as an influence or disinformation operation.

“While some hacktivists are certainly motivated by patriotism and defense of their country, this activity as described by Twitter falls far outside of that hacktivism realm.”

She added: “If Twitter’s assessment is accurate, then this activity is a state-run influence campaign designed to distort the facts and co-opt the narrative around the Hong Kong protests. These are not simply motivated Chinese patriots, but inauthentic accounts promoting false facts and narratives with the goal of distorting the narrative on the Hong Kong protests.”

The latest interference has its precedents. For example, five years ago a series of DDoS attacks against Hong Kong’s then-nascent pro-democracy movement were blamed on “patriotic hackers” loyal to China.

Organic hacktivism

China’s first hacktivists were patriotic, initially angered by anti-Chinese riots in Indonesia. Groups such as the Green Army, China Eagle Union, and Hongke (or Honker) Union emerged from online pro-China bulletin boards.

These groups all contributed to early internet defacements, DDoS attacks, and credential thefts targeting the US and other Chinese adversaries.

“All of these initial groups have since splintered, shut themselves down, or integrated into China’s rapidly growing cybersecurity industry,” Recorded Future explains.

“More recent Chinese hacktivism events, such as 1937CN’s politically motivated attack on Vietnamese targets, were tenuously linked to wider, possibly state-sponsored cyberespionage campaigns. Anti-Chinese hacktivists exist in China’s borders as well,” it added.

Elsewhere, while politically motivated cyber campaigns have emerged from Russia, most of Russia’s “grassroots” hacktivist organizations or operations have been associated with Russian intelligence organizations or have been linked to Russian government support.

Looking further afield, various groups of people directly employed by state governments, like Iran’s Al Qassam Cyber Fighters and the Syrian Electronic Army, have “cooperated with other, more organic hacktivist groups to participate in hacktivist operations that are in line with state goals”.

Future imperfect

“We assess that hacktivism as a technique will persist and will be conducted by more motivated and often more capable actors,” Recorded Future concludes. “Non-state sponsored volunteer hacktivist groups in the future may also consist of more dedicated and skilled members.

“With an increase in operations from nation-states involving coordinated campaigns with hacktivists of like mind or government operators acting as hacktivists, the use of advanced techniques and more persistent activity may be expected from purported hacktivists,” it warns.

The target audience for Recorded Future’s research includes security practitioners whose enterprises may be targets for hacktivism.

Government agencies and enterprises involved in regional flashpoints such as the Middle East, in politically sensitive endeavors, or in sectors including finance and defense are the typical targets of hacktivist action.

Other critical sectors (such as healthcare, information technology, transportation, and energy) may also find themselves targets of opposing nationalist and militant hacktivists, Recorded Future warns.
