Hacktivism, it’s not all DoSing around
Hacktivism isn’t only high volumes of low-impact activity. A number of hacktivist campaigns we detected in the last year seemed to have little to no effect on their targets (at least from an outside perspective), OpSilence for example, but some operations and actors have had a demonstrable impact. In my opinion, you can start to gain an appreciation of the threat level posed by a hacktivist operation within the first week or so of it being announced. It all depends on the objectives (from an attacker’s perspective), the targets, who is participating and what tools they are using. There are outliers, of course, and that’s when it becomes a bit more serious.
Let’s take a look at which ingredients are most likely to result in a low impact on the targeted sectors. I’m going to use what I consider to be a “cookie cutter” hacktivist operation as an example - OpIcarus. I know I’ve written about this before, so forgive me for repeating myself. OpIcarus started with an ambitious objective (shutting down the global financial system) and reasonably hard targets (bank websites). It was spread around social media and its participants called for denial of service attacks against domains belonging to banks and stock exchanges. It was easily accessible to low-capability threat actors, who were provided with pre-made denial of service scripts to conduct their attacks. The process is shown in Figure 1.
Figure 1 – Development of OpIcarus operation
From the outset, OpIcarus participants had limited the impact the operation could have, given the targets they had chosen and the tactics, techniques and procedures they were using. The results of the 141 incidents we published are shown, broken down by severity, in Figure 2.
Figure 2 - OpIcarus incidents broken down by proportion of severity
A higher impact occurs when hacktivists become a bit more focused and a lot more coordinated in their efforts. Beyond that, it largely depends on the use of (potentially) more damaging techniques, such as SQL Injection attacks, against softer targets. I’m going to use an unusual example here, OpAfrica, which was very similar to a typical hacktivist operation but had a more significant impact on some targets. The development of OpAfrica is shown in Figure 3.
Figure 3 - Development of OpAfrica operation
Most notably, the likely use of SQL Injection attacks against vulnerable websites appears to have made this operation more damaging than its peers (shown here and here), but the reasons also included more centralized command (CyberGuerilla) and softer targets (local government websites in developing countries). Of course, the capability of some of the threat actors involved probably also influenced the successes of this operation.
So when does hacktivism become high impact? Admittedly, it’s very rare, and some might dispute applying the hacktivist tag in this instance; however, in my opinion there are some cases (such as the actor Phineas Fisher) where an ideologically motivated actor demonstrates the capability to conduct network intrusions and damaging data leaks against their targets. Phineas Fisher appeared to act against companies perceived as acting unethically, and has claimed responsibility for damaging attacks against Hacking Team in Jul 2015 and Gamma Group International UK Ltd in Aug 2014. These instances are (in my opinion) more dependent on capability and intent than on coordination and tools used.
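To make the assessment criteria above concrete (the objective, targets, participants and tools named near the start of the post, and the distinguishing factors drawn from the OpIcarus, OpAfrica and Phineas Fisher cases), here is an added triage heuristic written for this post. It is not the author’s or any vendor’s scoring model: the field names, weights and thresholds are assumptions chosen for the example, and the three operation records are constructed from the descriptions in the text rather than taken from any dataset.

```python
"""Coarse impact triage for a newly announced hacktivist operation.

Added illustration, not the post's own methodology. It encodes the
ingredients the post names (objective, targets, participants, tools) plus
the factors that separated OpAfrica and Phineas Fisher from the
'cookie cutter' OpIcarus pattern, and returns a working impact tier that a
monitoring team can revisit as confirmed incidents come in. All weights
and thresholds below are assumptions made for this example.
"""
from dataclasses import dataclass

# Expected damage of the primary technique observed (assumed weights).
TECHNIQUE_WEIGHT = {
    "dos": 1,          # scripted denial of service with pre-made tools
    "defacement": 1,
    "sqli": 3,         # data exposure from vulnerable web applications
    "intrusion": 5,    # sustained network access and damaging data leaks
}

# How hard the chosen targets usually are to affect (assumed weights).
TARGET_WEIGHT = {
    "hard": 0,    # banks and exchanges with mature security programmes
    "medium": 1,
    "soft": 2,    # e.g. local government sites in developing countries
}


@dataclass
class Operation:
    name: str
    technique: str                 # key of TECHNIQUE_WEIGHT
    target_hardness: str           # key of TARGET_WEIGHT
    centralized_command: bool      # a core group directs targeting
    demonstrated_capability: bool  # prior credible intrusions or leaks
    observed_days: int = 0         # days since the operation was announced
    confirmed_incidents: int = 0   # incidents verified by the monitoring team


def impact_score(op: Operation) -> int:
    """Sum the assumed weights; never return a negative score."""
    score = TECHNIQUE_WEIGHT[op.technique] + TARGET_WEIGHT[op.target_hardness]
    if op.centralized_command:
        score += 1
    if op.demonstrated_capability:
        score += 2
    # Announcement noise with nothing confirmed after the first week is a
    # reason to lower the working assessment, not raise it.
    if op.observed_days >= 7 and op.confirmed_incidents == 0:
        score -= 1
    return max(score, 0)


def impact_tier(op: Operation) -> str:
    """Map the score to the low/medium/high tiers used in the post."""
    score = impact_score(op)
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def triage(ops: list[Operation]) -> dict[str, str]:
    """Return {operation name: tier}, highest tier first."""
    ranked = sorted(ops, key=impact_score, reverse=True)
    return {op.name: impact_tier(op) for op in ranked}


# Constructed records modelled on the post's descriptions (not real data).
OPICARUS_LIKE = Operation("cookie-cutter DoS op", "dos", "hard",
                          centralized_command=False,
                          demonstrated_capability=False,
                          observed_days=7, confirmed_incidents=141)
OPAFRICA_LIKE = Operation("SQLi against soft targets", "sqli", "soft",
                          centralized_command=True,
                          demonstrated_capability=False,
                          observed_days=7, confirmed_incidents=20)
INTRUSION_ACTOR = Operation("capable intrusion actor", "intrusion", "medium",
                            centralized_command=False,
                            demonstrated_capability=True,
                            observed_days=1, confirmed_incidents=1)
QUIET_ANNOUNCEMENT = Operation("announced, nothing confirmed", "dos", "hard",
                               centralized_command=False,
                               demonstrated_capability=False,
                               observed_days=10, confirmed_incidents=0)

if __name__ == "__main__":
    for name, tier in triage([OPICARUS_LIKE, OPAFRICA_LIKE,
                              INTRUSION_ACTOR, QUIET_ANNOUNCEMENT]).items():
        print(f"{tier:>6}  {name}")
```

The point of the decay for quiet announcements is the one the post makes about the first week: a loud call to arms with no confirmed incidents should drift down the queue, while a single confirmed intrusion by an actor with a track record jumps straight to the top regardless of how little coordination or tooling is visible.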
While I would agree with anyone who perceives the majority of hacktivist operations and actors as having a relatively low impact, I think it’s important to acknowledge where distinctions can be made, particularly in relation to the capability and intent of hacktivist actors and their selection of vulnerable targets. By monitoring hacktivist activity, it’s possible to gain a better appreciation of the day-to-day claims and avoid missing something that could become more damaging.