Network Security, Threat Management

Divisive political climate stirs up hacktivist activity, and businesses are not immune

COLUMBUS, UNITED STATES – 2020/07/18: Anti-Mask protesters collide with Black Lives Matter counter-protesters during an ‘Anti-Mask’ rally, Black Lives Matter protest at Ohio Statehouse.
Over 200 people gathered at the Ohio State House to protest against the face mask mandate that multiple counties are under in the state. (Photo by...

As the 2020 presidential election nears, the U.S. populace is as divided as it has been in a long time – and the tempestuous climate could lead to a surge in activity among hacktivists seeking to make a statement.

Just this week, Reuters reported that hackers are testing the defenses of President Donald Trump’s campaign and business websites, possibly as a precursor to a future attack intended to take the sites offline. Access to several sites was reportedly already disrupted for short bursts of time from March 15 through June 6.

But this could just be the start of a wave of new hacktivism incidents that sabotage the websites or networks of political bodies, and perhaps businesses that take a controversial political stance.

“Given the current climate in the U.S. and the amount of activism going on, I think it's fair to assume that hacktivism activity would parallel community-level activities, since the web is just an extension of activities in real life,” said Michael Kaiser, president and CEO of Defending Digital Campaigns, and former executive director of the National Cyber Security Alliance. “I fully expect disrupting a campaign, person or organization viewed as an opponent -- in order to convey a message or do greater harm -- would be part of the hacktivism playbook.”

Earlier this summer, the decentralized hacker group Anonymous claimed a cyberattack on an Atlanta police department website, stating that the act was retaliation for the June 12 fatal police shooting of Rayshard Brooks. And on May 30, the websites of the city of Minneapolis and its police department also reportedly suffered outages caused by an online adversary after the death of George Floyd at the hands of the Minneapolis police.

Meanwhile, Cloudflare in June reported that anti-racism advocacy organizations saw attacks against their websites increase of 1,120 times during the weekend of May 30 and 31, following the Floyd incident. “In fact, those groups went from having almost no attacks at all in April, to attacks peaking at 20,000 requests per second on a single site,” Cloudflare stated in a company blog post.

SC Media asked several cyber experts whether such events portend a significant increase in hacktivist activity in the coming months, and what website and network defenses they would recommend to repel any potential attacks.

“Hacktivism… is one of the tactics of modern popular political activism and in a time when popular movements are gaining in activity – particularly in relation to climate change activism, Black Lives Matter protests and anti-authoritarian protests. It would be no surprise to see a surge in hacktivist actions,” said Tim Jordan, professor of digital cultures at University College London and author of the book “Hacktivism and Cyberwars: Rebels with a Cause?”

Threat researchers suggest that local election websites could be a top target, as could law enforcement, particularly as Anonymous resurfaces after a few-year hiatus.

But what about corporate entities? Could they be targeted as well if they take a stance on a divisive political issue or endorse one of the presidential candidates? Hacktivists operate on both the left and right side of the spectrum, so whichever way a corporate entity leans, they could potentially incite a hacktivist to act.

Currently, “I haven't seen any intelligence of threats of this nature,” said Kaiser. However, “targeting a company is clearly a well-used tactic in social change movements. Given the divided nature of our current social environment, companies or company leadership could be targeted. Corporate leaders that are outspoken about candidates or issues face personal attacks online.”

“Hacktivists have a long history of targeting private organizations and companies linked to certain causes or controversial issues,” said Recorded Future’s Insikt Group. “As a result, should hacktivism return to higher levels of activity in the near term, we believe it very likely that individuals and/or private companies will be subject to some level of targeting by hacktivist groups on either side of the political spectrum. The risk is likely particularly heightened for those individuals and companies with known political affiliations or leanings, donations to certain parties or candidates, and/or business ties with controversial entities.”

Hacktivist Tactics and How to Defend

The Reuters report suggests that DDoS attacks may have been the weapon of choice against the Trump sites. And while DDoS attacks are a mainstay of hacktivists, they certainly are not the only tool at their disposal.

According to experts, other possible politically motivated hacktivist attacks we may see in the coming weeks or months could involve the doxing of stolen data or sensitive documents; malicious domain redirects; or website defacements enabled through SQL injection, brute-force attacks or third-party plug-ins.

“Website defacements are a favorite of hacktivists globally as it allows the actors an avenue to express their grievances and/or political beliefs and are relatively simple to conduct against vulnerable sites," said Recorded Future. "We would not be surprised to see an increase in such activity in the coming months, and especially if the U.S. domestic environment continues to be fractious."

An anti-government activist, displaying anonymous mask, sits near bone fire during clashes with riot police in Beirut. (Marwan Naamani/picture alliance via Getty Images)
An anti-government activist, displaying anonymous mask, sits near bone fire during clashes with riot police in Beirut. (Marwan Naamani/picture alliance via Getty Images)

“Defacements aren't only attempts to post a message contrary to campaign or organization,” added Kaiser. “They could be used to post false information such as incorrect locations of polling places or voting hours, or incorrect information on mail in or absentee voting.”

Social media account takeovers are another possibility, said Jordan, noting that “Hacks of Twitter and Facebook accounts are... popular, perhaps attracted by the prominence of tweets in Trump campaigns."

The attack method may depend on the hacktivists’ motivations, said Kaiser. “If they are seeking social justice, they may attempt to steal and expose information that verifies or sheds light on the problems they are trying to address, such as private information about a public figure or records that show previous improper or callous actions by a person or organization.” On the other hand, “If the goal is to disrupt and foment unrest, then website defacements or DDoS attacks that render websites unusable could be expected.”

Kaiser said other possible hacktivist schemes could be stealing lists of candidates’ supporters and then emailing them spam, phishing content or fake news. Perhaps someone may even try to create a Deepfake video purportedly showing a political candidate or public figure saying something he or she never actually said, he added.

Regardless of the tactic, attribution of some attacks may be difficult to prove, as incidents could potentially be the work of foreign or domestic online influence and misinformation campaigns disguised as hacktivists. Such was the case with so-called hacktivist Guccifer 2.0, whom the U.S. intelligence community later revealed to be a Russian government-sponsored threat actor.

But at least there are steps that political, government and business websites can take to reduce their risk of falling victim to hacktivist attacks.

“Political campaigns and companies have generally increased their security postures since the 2016 and the 2018 elections due an improved awareness of threat activity group malware and TTPs,” Insikt Group said. “The types that Recorded Future is increasingly seeing, however – information operations activities, domain redirects, etc. – are much harder to prevent and, therefore, the goal is to mitigate the risk as much as possible and have steps and approaches in place in the event that an incident occurs.”

In addition to anti-DDoS protections, Recorded Future advises companies to invest in threat intelligence, back up their data and network infrastructure, and develop an incident response and data recovery plan. To prevent website defacements, the company suggests organizations employ two-factor authentication on public-facing services, impose rate limits on login attempts, ensure that login pages and urls are obscured or restricted from public IP address ranges, validate data entered into input fields and carefully audit third-party plugins.

“Also, consider the use of ‘static’ websites, which do not require the use of a back-end database, if the website does not require active content,” the company added. And to fend off network intrusions resulting in data exfiltration and leaks, organizations should consider strong anti-phishing education and training services, and also monitor for malicious email attachments.

Jordan recommended organizations focus on updating their software, training employees not to click links in emails and simply be “more vigilant during this time. But he added, "the threat remains there even in quieter political times and the remedies at individual/company levels remain largely the same.”

“Cybersecurity is about risk management,” said Kaiser. “Campaigns, companies and advocacy groups need to analyze and understand their risk environment as it relates to hacktivism. Campaigns in tight, contested races, attempting to flip a seat, or with incumbents that are targets of the other side are likely to be at higher risk and attract hacktivists looking to create harm or disruption. Companies with vocal leaders or leaders that significantly fund political activities will also be creating risk for both the person and the company. Clearly media companies are and will be targets.”

With that understood, Kaiser said potential targets should be assessing and reviewing basic protections, "hardening credentials and logons [and] managing access privileges to social and other accounts including website editing, finance, and other sensitive documents and data. What platforms are used for sharing – email, encrypted communications – should be reviewed and policies about what and how things are shared should be clear to staff.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.