Hacktivism: Where it's Been and Where it's Going

As New Hacktivist Groups Join the Scene and Targets Change, We Could See Evolutions that May Prove to be More Fruitful Than Harmful.

It seems as if Hacktivism’s blip appeared on the threat radar almost completely out of the blue with Anonymous’ Operation Payback. Anonymous didn’t invent Hacktivism, but until then it was mostly limited to wannabe Jihadist groups who thought defacing the website of the Israeli Britney Spears fan club would speed up the destruction of the infidel state. The DDoS campaign against companies that “wronged” Wikileaks snowballed as the media focused its attention on these activities, drawing many internet dwellers in search of that attention to the cause. Over time, as the number of Hacktivists grew, Hacktivism changed and evolved - in the ways the attacks were carried out, the types of individuals behind them and the causes they set out to accomplish. The big question is, with the rapid growth and evolution of Hacktivism – where is it going?

While some would have hoped that this activity would fade away as quickly as it appeared, the first answer to “where is Hacktivism going” is where it’s not – away. Even if you were to remove Anonymous today, there are many other groups not affiliated with it that would continue to seek to wreak cyber havoc. Some groups are mistakenly tagged as Anonymous cells, often because they are, or at some point were, using Anonymous’ IRC chat servers to communicate. However, these chat rooms have long since become a meeting place not only for Anonymous members, but for Hacktivists in general. “The Unknowns”, for example, a hacking group that claimed responsibility for hacking into organizations such as NASA and the U.S. Air Force, has been falsely tagged as Anonymous by some. This caused one of its members, BZyklon, to write on Twitter: “People, stop to say The Unknowns are linked to Anonymous or another hacking group, because that's totally false”, after which he invited people to join him for a chat on Anonymous’ server.

Anonymous’ and other Hacktivists’ Modus Operandi evolved over time (Operation Payback itself was an evolution). Much like in the underground economy, once the foundations of a certain capability had been established, the introduction of a new MO didn’t mean that the previous MOs stopped being used. An example from the fraud world is Phishing attacks, which haven’t disappeared even though the more sophisticated Trojan horses became widely available. In the Hacktivist scene, there were several similar introductions of new MOs. The HBGary hack was one of the early examples involving Anonymous. In the beginning, the group only focused on DDoS attacks, with some members objecting to being classified as “Hacktivists” by the media, as they claimed no actual hacking takes place in a DDoS campaign. However, HBGary’s case showed that Anonymous also possessed skills that stretched beyond knocking out websites with brute force. Topiary, Sabu and the rest of the LulzSec group (who were also involved in the HBGary case) showed the world in their sarcastic way that it was not a one-time thing. Operation AntiSec, a joint effort between Anonymous and LulzSec that launched during LulzSec’s short and eventful lifespan, set a new standard for Hacktivist operations – hack into an organization (preferably government) as retaliation for one thing or another, steal information and then post it for everyone to see. Just as DDoS campaigns didn’t stop after AntiSec (although they garnered less media attention), publishing the internal data of organizations is not going to fade away once a new MO is introduced. This is a real threat that CISOs of all organizations should be worried about moving forward. It may fade in favor of other types of attacks, especially from media attention, but it will not disappear – especially when groups such as “The Unknowns” have adopted these types of attacks.

Another method of operation is “d0xing” – from the word docs, or documents – meaning exposing the personal information of a target in public. Information in a “d0xing” post can include a current address, Social Security Number, Date of Birth and other information. When the target is an “actor” in cyberspace, it may reveal his true identity. Some of the exposed data seems to have been obtained through data aggregators and social networks, while some may even come from an infected machine or a hacked webmail account. This tutorial may shed additional light on how it’s done. Search Pastebin and the like for “d0xing” posts and you will find a wide range of individuals being d0xed, from supposed pedophiles and company executives even to the President of the United States and his wife. Some groups are entirely dedicated to “d0xing”.

Interestingly enough, many “d0xing” posts are dedicated to rival actors, with some posts even dedicated to exposing members of those groups that are themselves dedicated to “d0xing”. This adds another layer of complexity to the Hacktivism scene – Anti-Hacktivist groups, which use against Anonymous and their peers the same methods those groups use. Recently arrested group UGNazi is an example of a group targeted for being Hacktivists. The group, which had ties to Anonymous, focused on “d0xing” and DDoS attacks against government websites. The group itself was “d0xed” by another group in the scene. “The Happy Ninjas” are an additional example – a German group dedicated to taking down fraudster forums. Germany has a bustling underground economy which, unlike those of other geographies, focuses mainly on local German victims. Their motives might not be entirely to protect the innocent, but they were able to cause quite a stir in the underground economy.

To summarize, the Hacktivism scene is not going away, and neither are its MOs. DDoS attacks are not going to stop, nor is the exposure of internal data or “d0xing” activity. New MOs may be introduced over time, which may take the media attention away from the previous MOs, but those will continue to threaten organizations. As new groups join the scene over time and as the targets change, we may see some interesting evolutions that may prove to be more fruitful than harmful, for example, “d0xing” groups targeting fraudsters and identity thieves. While these statements may sound generic, bear in mind that the chaotic nature of the scene makes it difficult to look forward. Anonymous’ nature hasn’t changed that much, with smaller cells acting almost completely independently and various forces trying to pull in various directions. Which directions they will turn in the future is anyone’s guess.

Related Reading: The Evolution of the Hacktivist Threat

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center and the unique insight he has gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise in the underground fraud economy and how cybercriminals operate.