Much of the malicious cyber activity we hear and read about in the news these days tends to be from actors who are focused on some form of personal gain. Whether it is ransomware gangs seeking profit or nation-state actors conducting espionage on government networks, we’ve grown accustomed to viewing malicious hackers in terms of their pursuit of concrete or material goods.
But reports of another kind of hacking, one steeped in the history of the craft and in pursuit of more abstract goals, have seemingly been popping up more and more in the news lately.
Anecdotal reports of “hacktivism” are on the rise, with 2022 witnessing a notable resurgence in the space, largely sparked by the Russia-Ukraine conflict. Over a two-month period from February 18 until April 18 this year, according to recent data from Radware, more than 1,800 distributed denial-of-service (DDoS) attacks were claimed by hacktivists across 80 Telegram channels.
More recently, the practice of hacktivism has seen a resurgence since the Russia-Ukraine conflict, with loosely affiliated groups of partisans or volunteers pitted against nation-states. Some of today’s most well-known hacktivist groups include the IT Army, a pro-Ukraine collective that attacks Russian assets; Guacamaya, which has exposed the secrets of Latin American governments and corporations; and SiegedSec, which claims to fight for abortion rights and has struck states that have enacted bans. Then there is the notorious pro-Russian entity NoName057(16), which consistently engages in targeted DDoS campaigns across various sectors within NATO countries.
Other pro-Russian hacktivist groups include AnonymousSudan and the Wagner Group, while CyberArmyofRussia_Reborn (CARR) has been flagged by Mandiant as another notable Russian hacktivist group observed since early 2022, conducting DDoS attacks against Ukraine. Another high-profile pro-Russian hacktivist collective is KillNet, which consistently targets the U.S. and Europe with DDoS attacks.
It may feel like these kinds of groups are becoming more common, but cybersecurity experts paint a more complex picture, telling SC Media it’s not clear whether the practice is getting more prevalent, if we are simply redefining the term or if it increasingly serves as a cover for more traditional malicious activity in cyberspace, like ransomware and cyberespionage.
Hacking has a rich activist history
Some cyber experts think hacktivism has already had its heyday, and others point out that the practice has simply been embedded in the world of hacker culture since the beginnings of the internet.
Early hacker culture in America was shaped by groups like the Texas-based organization Cult of the Dead Cow (cDc), founded in 1984, and the Boston-based collective L0pht, active through the 1990s. Both had explicit ideological views and goals; the former was known for hosting the first hacker conference, claiming responsibility for giving Ronald Reagan Alzheimer’s disease, and declaring war on Scientology, while the latter famously testified before Congress in 1998 on “Weak Computer Security in Government.” Later on, in 2011, cyberspace saw a revival of hacktivism with the targeting of state websites during the Arab Spring.
“I think the age of digital hacktivism started with the birth of the digital age itself,” said Yossi Rachman, director of security research at Semperis. “Activists with technical affinity were around during the golden era of HAM radio, during the early days of dial-up modems, later on with the arrival of the Internet and mobile phones, and of course, today.”
One thing these groups tended to have in common is that they understood how digital technology co-existed with society—at a time when almost nobody else did.
Rachman said rising reports of hacktivism today could be due, in part, to the increased global connectivity over the past three decades and the “relative ease” with which individuals with internet access can now educate themselves on offensive cybersecurity tools and techniques.
Kevin O’Connor, director of threat research at Adlumin, told SC Media that the rising availability of automated hacking tools has also created a lower barrier to entry that makes it easier for individuals to begin engaging in effective hacking operations.
“The low cost to enter the game, especially with commoditized hacking tools being offered by groups, means these hackers can have a disproportionate impact for their size,” O’Connor said.
A useful cover?
Clearly, some hacktivism groups pose a serious threat to society—but others see themselves as moral vigilantes, conducting ransomware attacks to force entities to make charitable donations. Hacking outfits like Anonymous—a loose collective of groups and individuals with anti-capitalist, anarchic beliefs—built their reputation by hacking governments, corporations, and religious organizations known for exploiting people.
“A common thread among all hacktivist groups is their impetus for effecting change in the world, driven by their respective agendas,” said Tom Hegel, senior threat researcher at SentinelLabs.
But Hegel noted that “it is essential to differentiate between large volunteer-based hacktivist groups and crimeware gangs with strong ideological stances, as they exhibit distinct characteristics in terms of their accomplishments, impact, targets, agendas, and capabilities.”
Groups claiming to hack for good should not be automatically taken at their word; even those that frame their work as moral missions might be using the framing as a cover for other activities and intentions.
While instances of hacktivism have indeed seemed to become more prevalent lately, some experts posit that true hacktivism has long since peaked and subsided, with reports perhaps ticking upward simply because the public has become increasingly connected through digital technologies and is paying closer attention.
“I don’t agree with the premise that hacktivism is on the rise,” said Jacob Baines, lead vulnerability researcher at VulnCheck. “We do see a rise in ‘hacker’ groups that align themselves with Russia or Ukraine, but their activities are isolated to this arena and largely associated with DDoS activities…if you exclude the actors that are only associated with the Russia-Ukraine war, then I’d say hacktivism is dead.”
Numerous high-profile, politically motivated hacks occurred—having real-world damaging impact—from 2014 through 2018 when, Baines said, the anonymous “Phineas Phisher” led the “pinnacle of hacktivism” (several years after the creation of the practice). Phisher’s actions had “clear political motives outlined in numerous communications,” Baines said, but while Phisher’s orders called for others to follow his lead and “hack back,” no one did. “There is not even a whisper of a person or group that is active today that acts any way like Phisher did,” Baines said. “Instead, what we have is bombastic groups that are labeled as ‘hacktivists’ but aren’t truly politically motivated.”
Baines is not alone in the opinion that the hacktivism space has faltered, and that what might be referred to as hacktivism today is actually cyber warfare.
Hegel said that the “prevalence of hacktivism” has become increasingly notable today as a way “to veil state-sponsored objectives.”
The future of hacktivism
Ultimately, while the public sees numerous reports of groups and campaigns referred to as “hacktivists,” much of their activity appears to fall into two categories: partisan groups aligning themselves with a particular nation and its goals, like the IT Army, and government-backed ransomware groups like SiegedSec that act as though they are conducting hacktivism as a cover for more straightforward espionage goals. It seems like the “Phineas Phishers” and L0phts of the past are on the verge of extinction.
While the age of hacktivism may no longer be at its height, we will surely continue to see instances of these newer forms of hacktivism in the near future, especially as the Russia-Ukraine conflict persists.
An increase in geopolitical instability could lead to more opportunities for activists or partisans to make their impact in the digital world.
“Politically motivated groups that desire to shape public opinion are increasingly digitally savvy, and the tactics and targets available to them online have grown,” Mandiant’s principal analyst Dan Black said.
The future of the cyber frontier could certainly be seen as bleak, one where the term “hacktivist” becomes a punchline, something less associated with groups or individuals who try to make a political difference and increasingly used to describe the paper-thin cover stories for state-backed hackers and extortionists.
“Hacktivism has provided a potent cover for state-backed activity,” said Mandiant’s Black. “By co-opting these activist identities, state actors have found a way to draw attention to their cyber operations and feign popular support for them in one fell swoop.”