Not all cyber-attacks are financially motivated. In the modern day, an increasing number of digital attacks are carried out with the intent of delivering a message. The cyber-criminals behind such attacks — dubbed ‘hacktivists’ — are many and varied, and there are many shades of gray where their motivations are concerned.
They’re not out for money, and they can be more persistent than even the greediest hacker. Of course, if your business is unlucky enough to find itself the target of a hacktivist, the ‘why’ of an attack doesn’t matter so much as the ‘how’ of mitigating it and coming through intact. In that regard, the first step is a better understanding of what hacktivists are and how they operate.
Hacktivists Are Many
It is increasingly rare that hacktivists work alone. With the Internet and social media, it’s easier than ever for hacktivists to recruit hundreds (or even thousands) of like-minded individuals to their cause.
A lone hacktivist, if skilled enough, can be a thorn in your side. An army of them, however, can be a nightmare, creating complex security challenges for even the most seasoned security and PR teams. Techniques that are individually simple, such as publishing stolen data dumps, spreading malware or flooding a service with traffic, become far harder to absorb when hundreds of participants carry them out at once, and the damage to a business's reputation often outlasts the technical disruption.
They Follow A Cause
The majority of hacktivist movements form as a response to a social or political act or situation. In some cases, it may not even be something that your organization is directly responsible for. A recent DDoS attack on Nissan, for example, was carried out to spread awareness about the killing of whales and dolphins in the Taiji cove, something the automotive manufacturer had no hand in.
Generally speaking, the motivation behind hacktivist attacks means that they follow a similar formula:
- The Initial Incident: Something occurs to draw the ire of the hacktivist group – an unpopular, anti-consumer decision by a business, for example, or a shift in the political climate of a region.
- The Attack: After a brief preparatory period, the hackers strike their target. On occasion, they may announce the attacks before they happen, but this is not always the case. The attack can take many forms – defacement of websites and social-media accounts, data theft, denial of service attacks, etc.
- Circulation of Propaganda: Since hacktivist attacks are meant to send a message, the groups responsible circulate materials – media, press statements, etc. – designed to elicit an emotional reaction and call attention to their objective. This propaganda is widely circulated, and often shared on multiple sites such as Facebook, YouTube, and Twitter.
- Subsequent Attacks: After distributing their media materials, the orchestrators of a hacktivist attack monitor reactions and outcomes, ready to fan the flames and execute additional attacks on an as-needed basis.
They Aren’t Careless About Privacy
In the past, many hacktivists have fallen foul of the law and been arrested due to carelessness about their digital paper trail. Modern hacktivists are a different breed. Although there still is the odd careless rube, the majority of successful movements distribute ‘new blood’ packages among their members, offering details on how they can support the group’s operations – and more importantly, how they can do so without getting caught.
They often make use of proxies, VPNs, Tor, and the Invisible Internet Project (I2P) for communication and browsing. They also make use of PGP encryption for email, and XMPP with OTR (Off-the-Record) encryption, TorChat or Bitmessage for chat. Many are also now using full-disk encryption and file encryption, in addition to USBKill and similar kill-switch tools that immediately shut the machine down if a USB device is unexpectedly plugged in or removed, so that an encrypted disk is left locked if the system is seized.
Their Tools (And Attack Vectors) Tend To Be Very Similar
Depending on skill level, hacktivists may use a variety of tools, yet there are commonalities between every hacktivist group. At the basic level, penetration-testing distributions such as Kali Linux and BlackArch hand participants with little expertise a ready-made toolkit, while other groups may resort to renting or purchasing botnet capacity via stresser/booter services. At every level, two tools appear more frequently than any other: THC-SSL-DOS and Tor's Hammer.
As its name suggests, THC-SSL-DOS abuses the SSL/TLS protocol itself: it repeatedly triggers renegotiation over a handful of connections, so that the server burns far more CPU completing each handshake than the client spends requesting it. Tor's Hammer is a Layer 7 tool that can route its traffic through the Tor network to mask the attacker's origin. It performs a classic slow POST attack: it opens many connections, announces a request body and then trickles that body in just fast enough to keep each connection alive, tying up the server's worker or connection pool with a modest number of machines. Neither attack produces a bandwidth spike, because every request is well-formed; they show up in handshake rates and connection lifetimes rather than in traffic volume.
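As an added illustration, not code from the original post, the following Python script shows what a slow POST attack of the Tor's Hammer kind looks like in web-server logs and how to pick out its sources. It assumes an nginx access log in the default combined format with $request_time appended, a client_body_timeout of 60 seconds (nginx answers 408 when that timeout expires before the body has arrived), and runs on a handful of constructed log lines; the IP addresses, paths and thresholds are illustrative, not from the article.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed nginx log_format: the default "combined" format with $request_time
# (seconds the request occupied the server) appended as the last field.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<rt>\d+\.\d+)$'
)


@dataclass
class Entry:
    ip: str
    method: str
    path: str
    status: int
    request_time: float


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m['ip'], m['method'], m['path'], int(m['status']), float(m['rt']))


def slow_post_sources(lines: Iterable[str], body_timeout: float = 60.0,
                      slow_fraction: float = 0.8,
                      min_hits: int = 5) -> Dict[str, Tuple[int, float]]:
    """Map each suspicious source IP to (hit count, mean request time).

    A slow POST holds the connection open by trickling the body. Two things
    give it away in the log: nginx answers 408 when client_body_timeout
    expires before the body arrives, and a POST that does complete still
    shows a request_time close to that timeout. One long request is normal
    (a large upload on a slow link); the same client doing it min_hits
    times is not, so the threshold is applied per source, not per request.
    """
    per_ip: Dict[str, List[float]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != 'POST':
            continue
        if e.status == 408 or e.request_time >= slow_fraction * body_timeout:
            per_ip[e.ip].append(e.request_time)
    return {ip: (len(rts), sum(rts) / len(rts))
            for ip, rts in per_ip.items() if len(rts) >= min_hits}


# Constructed sample log (not real data): one attacking source timing out six
# POSTs, one legitimate slow upload from a different client, ordinary traffic.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Jan/2016:14:02:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.012
192.0.2.5 - - [10/Jan/2016:14:02:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.087
203.0.113.7 - - [10/Jan/2016:14:02:11 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 60.001
203.0.113.7 - - [10/Jan/2016:14:02:11 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 60.002
203.0.113.7 - - [10/Jan/2016:14:02:12 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 60.001
203.0.113.7 - - [10/Jan/2016:14:02:12 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 59.998
203.0.113.7 - - [10/Jan/2016:14:02:13 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 60.003
203.0.113.7 - - [10/Jan/2016:14:02:13 +0000] "POST /contact HTTP/1.1" 408 0 "-" "Mozilla/5.0" 60.000
198.51.100.20 - - [10/Jan/2016:14:03:40 +0000] "POST /upload HTTP/1.1" 201 88 "-" "curl/7.47.0" 52.4
192.0.2.9 - - [10/Jan/2016:14:03:41 +0000] "GET /news HTTP/1.1" 200 9211 "-" "Mozilla/5.0" 0.021
"""

if __name__ == '__main__':
    for ip, (hits, mean_rt) in slow_post_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {hits} slow POSTs, mean request_time {mean_rt:.1f}s")
```

On the sample data only 203.0.113.7 is reported: the single 52-second upload from 198.51.100.20 crosses the per-request threshold but not the per-source one. The 408 heuristic is specific to nginx's handling of client_body_timeout; Apache with mod_reqtimeout logs such requests differently, so tune the status code and timeout to the server you actually run, and remember that Tor's Hammer's sources will be Tor exit nodes, so the per-IP counts point at the exits, not at the operator.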
Attack vectors for hacktivists might also include SQL injection and XSS attacks against vulnerable web applications: the former to steal data for a later dump, the latter to inject client-side scripts into pages that other users visit, most frequently so that those visitors' browsers become unwitting participants in a denial of service attack, in effect a browser-based botnet.
They’re Here To Stay
We’ve saved the biggest revelation for last – not all hacktivists are inherently ‘bad.’ They are, in essence, the activists of the 21st century, men and women who seek to take a stand on social and political issues on a global scale. Whether or not these issues are related to wide-scale change or are important exclusively to the hacktivists is often anyone’s guess.
Finally, hacktivist groups are not a faceless collective or hive-mind. They have leaders – propagandists, perhaps, or foreign powers seeking to sow subversion amidst their enemies. The one thing they all have in common is that they exploit a 'gang' mentality to build momentum and scale, feeding the desire of 21st-century citizens to feel important.
Moving forward, attacks will likely become more automated and more complex – and hence more difficult to detect and mitigate. Contact us today to help keep your environment safe and secure!