The Evolution of the Hacktivist Threat

Hacktivist "Groups" Have Different Motives Behind Their Attacks, But Most Use The Same Tools That Penetration Testers and Other Security Professionals Use or Sell to Others.

A recent cyber security survey by Bit9 revealed that 61% of the surveyed IT security professionals believed their organization would be targeted by Anonymous or other hacktivists within the next 12 months. Other headlines summed it up as “Survey: What is the IT professional’s biggest fear? An Anonymous attack”.

The same survey provides another startling and revealing self-assessment: “the vast majority (74 percent) believes that their endpoint security solutions on their laptops and desktops are not doing enough to protect their companies and intellectual property (IP) from cyber attacks.”

Such an honest and open admission is rare, but it indicates that many organizations are aware that they would not prevail against a targeted and sustained attack.

Another item from the survey states that respondents “recognize that the more serious threats come from criminal organizations and nation states.” This belief is a fallacy. Many deride Anonymous as “script kiddies,” but that accusation misses the point: more sophisticated means are rarely required to breach most security defenses. An attacker can launch automated attack suites such as nikto, sqlmap or even Burp Suite, tunnel them through Tor, a VPN or the old-school compromised host, and just sit back and wait. He will rarely trigger an IDS/IPS, and the chances are even slimmer that a 24x7 Security Information and Event Management (SIEM) service is watching and will notice his attempts. The risk to the attacker is close to zero, the potential gain huge, and the effectiveness against most targets sufficient. Why bring out the big guns when you are shooting at sparrows? How bad is your security, if script kiddie methods are enough to get at your pay data?
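The point about nobody watching deserves a concrete illustration. The following is an added example, not code from the article or from any vendor: a small detector that runs over web server access logs in the Apache/nginx "combined" format and flags clients that behave like the automated scanners named above. The log lines are constructed for the demo (documentation IP ranges, a nikto-style sweep of non-existent CGI paths, a sqlmap-style probe, one ordinary browser), and the thresholds are assumptions rather than tuned values. It deliberately combines three signals: the scanners' default User-Agent strings, an abnormal share of 404 responses, and a request rate no human produces. The first signal is the weakest, since both nikto and sqlmap let the operator change the User-Agent; the behavioural signals survive that. Tor exit node or proxy reputation lookups are left out so the code runs offline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings of the *default* User-Agent strings the scanners send. Trivially
# changed by the operator (nikto -useragent, sqlmap --random-agent), so this is
# the weakest of the three signals below.
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "dirbuster")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, min_requests=20, not_found_ratio=0.5, max_rate_per_sec=5.0):
    """Return {ip: [reasons]} for every client that looks like an automated scanner.

    Signals: a known scanner User-Agent; a high share of 404s (wordlist-driven
    probing of paths that do not exist); a request rate no human produces.
    Thresholds are assumptions for this example, not tuned values.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        agents = {r["ua"].lower() for r in recs}
        hits = [m for m in SCANNER_UA_MARKERS if any(m in ua for ua in agents)]
        if hits:
            reasons.append("scanner user-agent: " + ", ".join(hits))

        total = len(recs)
        if total >= min_requests:
            not_found = sum(1 for r in recs if r["status"] == 404)
            if not_found / total >= not_found_ratio:
                reasons.append(f"404 ratio {not_found}/{total}")
            span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
            rate = total / max(span, 1.0)
            if rate > max_rate_per_sec:
                reasons.append(f"request rate {rate:.1f}/s")

        if reasons:
            findings[ip] = reasons
    return findings


def constructed_sample_log():
    """Constructed sample traffic for the demo; addresses are documentation ranges."""
    lines = []
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
    probes = [f"/cgi-bin/test{i}.cgi" for i in range(26)]
    real = ["/", "/index.html", "/robots.txt", "/favicon.ico"]
    for i, path in enumerate(probes + real):
        status = 404 if path in probes else 200
        sec = 36 + i // 6  # 30 requests squeezed into a 5-second window
        lines.append(f'198.51.100.7 - - [10/Oct/2012:13:55:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 512 "-" "{nikto_ua}"')
    for sec in range(1, 6):
        lines.append(f'192.0.2.33 - - [10/Oct/2012:14:02:{sec:02d} +0000] '
                     f'"GET /product.php?id=1%20AND%201=1 HTTP/1.1" 200 2048 "-" '
                     f'"sqlmap/1.0-dev (http://sqlmap.org)"')
    browser = "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0"
    for sec, (path, status) in enumerate([("/", 200), ("/about.html", 200), ("/old.html", 404)]):
        lines.append(f'203.0.113.5 - - [10/Oct/2012:14:10:{sec:02d} +0000] '
                     f'"GET {path} HTTP/1.1" {status} 1024 "-" "{browser}"')
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(constructed_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed sample, the nikto client trips all three signals, the sqlmap client only the User-Agent check (five requests is too few for the behavioural thresholds), and the browser is left alone. That is the whole argument of the paragraph in code: the attack is cheap, but so is noticing it, provided someone actually looks at the logs.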

A short detour into Hacker Lore

Too little attention has been paid to the links to the AntiSec movement that LulzSec, and sometimes Anonymous, have hinted at in the past. LulzSec directly and explicitly affirmed their belief in the movement in their disbandment statement: “Again, behind the mask, behind the insanity and mayhem, we truly believe in the AntiSec movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for more anarchic lulz.”

In addition, LulzSec made direct references to prominent past anti-sec groups and movements, such as ~el8 and pr0jekt m4yh3m. Anonymous makes frequent references to the Project Mayhem meme, lifted from the novel and film “Fight Club”, and also displays many other similarities with the original pr0jekt m4yh3m.

These direct references make a direct link likely. The height of pr0jekt m4yh3m was in 2002, almost a decade before LulzSec. Considering the ages of the alleged LulzSec and Anonymous members arrested so far, either someone has spent a lot of time trawling through old e-zines and mailing-list archives, or some members were already active at the time.

The implication is that LulzSec, Anonymous and other hacktivist groups include veteran hackers in their ranks, potentially in their leadership: people who have been active for at least a decade and who have yet to be identified. Few of the individuals involved in the anti-sec operations back then were ever caught, with a few notable exceptions.

Instrumental in pr0jekt m4yh3m was a self-confessed blackhat hacker going by the handle “the_UT” or “The Unix Terrorist.” His real name is Stephen Watt, who was sentenced to two years for his role in supporting Albert Gonzalez in the infamous TJX hack, for which Gonzalez received a 20-year prison sentence. Gonzalez, acting under the pseudonym “soupnazi”, was also a high-level member of pr0jekt m4yh3m. These were highly technically skilled, strategic and motivated hackers. Further evidence of the technical skill present in this movement is the relationship many of its members are alleged to have had with the information security industry.

This was also the critical point at which the blackhat and hacktivist communities began to converge, greatly enhancing the capabilities and sophistication of attacks by providing hacktivists with experience and talent from the blackhat scene.

The AntiSec movement is intimately tied to the blackhat community, and has in the past demonstrated the ability to mount very sophisticated, persistent attacks.

Western hacktivist "groups" such as Anonymous share virtual space with these groupings, and their interests overlap. It is therefore natural that they would merge and enhance each other’s resources and operations, with ideas and techniques cross-pollinating easily.

Already the general modus operandi and subculture of Anonymous and associated or similar groups is a direct heir of the blueprint laid out by ~el8 and other AntiSec proponents. This blueprint will be enhanced and developed further in the future.

Western Culture, Occupy and Hacktivism

Anonymous is international in nature, but close scrutiny reveals a Western focus: the majority of actions are aimed at Western targets or undertaken in the name of Western causes. The close ties with and support of the Occupy movement, and the shared “Guy Fawkes” and “V for Vendetta” symbolism, are further indicators of this, and allow us to identify this hacktivism as a child and product of Western capitalist society and the tumultuous times of the prolonged financial crisis.

Hacktivists from other nations typically have traditional, nationalist or humanitarian causes, as with Indian vs. Pakistani or Palestinian vs. Israeli hacktivists. Anonymous and other Western hacktivists, on the other hand, seem motivated by less existential concerns such as freedom of information, file-sharing and SOPA.

This finding has far-reaching implications as to who may find themselves a potential target, and for what reasons. It also allows us to extrapolate the factors that may further increase the threat from these groupings.

The impact and effect of the financial crisis

The unemployment crisis that hit countries such as Greece and Spain, and similarly affected nations, contains the seeds of increased hacktivism. These countries are currently seeing an increase in activism and protest related to austerity measures, and the unemployed include a great many IT staff, many of whom will not be fond of their ex-employers. Unemployed youths have been especially hard hit and provide a vast pool of potential hacktivists, as many are IT specialists. The motive is clearly there, and these dissident hackers have ample time on their hands to plan and execute attacks. They exist in a fertile breeding ground of anti-establishment, anti-corporate and anti-government sentiment.

Financial institutions have to take additional risk into account, due to the number of laid-off staff, with more on the horizon across the entire industry. These include IT staff, who take with them knowledge of internal systems, processes and possible security flaws. Even if only a small percentage join the hacktivist collective, it could have a very damaging effect. How many insiders do you need to create havoc on a network? One will do.

The future

A fast end to the financial malaise is not in sight; years of austerity with periods of market turbulence are the predictable outcome. Against that backdrop, the tensions between the victims of this crisis and those they hold to blame for their pain can only increase, and with them all forms of protest and activism. Even if Anonymous should disappear tomorrow, the genie is out of the bottle and others will soon follow, building upon and improving its strategies. The blueprint set over a decade ago by blackhat activists motivated by their anti-sec ideology has transformed the way hacktivists operate, making them far more effective and increasing their damage potential.

The information security industry has also contributed to the escalation of the conflict with hacktivists, providing instruction and knowledge to industry outsiders. Studies of the methods used in the wild show that most hacktivists prefer the same tools that penetration testers and other security professionals use or sell to others. This weaponization of hacking techniques has also played its part in the success of hacktivist attacks, and is an accelerating trend.

The irony cannot be lost: had the victims run the same tools against their own infrastructure first, many breaches could have been prevented.

Oliver-Christopher Rochford works for Tenable Network Security and lives in Germany. He has over a decade of information security experience garnered from such diverse companies as Integralis, Qualys, Secunia and HP ESS, and has frequently written and given interviews on the topics of information and offensive security, as well as cyber-terrorism and hacker culture.