Hacktivists Are on the Rise—but Less Effective Than Ever

Credit to Author: Lily Hay Newman | Date: Thu, 02 May 2019 15:39:48 +0000

In the United States, the public discourse has lately centered around nation-state disinformation campaigns much more than hacktivism. But internationally, dramatic or destructive digital acts that call attention to particular issues continue to simmer—and boiled over in the lead-up to the ouster of longtime Sudanese dictator Omar al-Bashir.

The #OpSudan effort did not directly lead to al-Bashir's arrest. But it's one of several recent campaigns that show how hacktivists can ride the waves of burgeoning geopolitical movements and garner legitimacy within their communities.

"There has been an increase in hacktivism in general in the first quarter of 2019," says Adam Meyers, vice president of intelligence at the security firm Crowdstrike. "We did see quite a bit of geopolitically motivated hacktivism—Venezuela, Libya, Pakistan and India, Brazilian groups. They’re really on both sides of each conflict."

Hacktivist collectives often have loose ties and a global presence that belies country-specific efforts. They may deface websites to promote a certain message, attempt to overwhelm sites with junk traffic in so-called DDoS attacks, or find vulnerable databases from which they can leak information. The fact that they often live outside the country or region where the conflict is playing out, researchers say, can create a sense of detachment or disconnect between digital protest efforts and local grassroots movements. Yet hacktivists still often claim credit for progress or victories regardless of what is actually happening on the ground.

Though hacktivist collectives like Anonymous or LulzSec have largely faded from mainstream view, they and newer generations of groups remain active. Antigovernment or antiestablishment causes and ideals haven't yet gone out of style. But the persistence of these groups mostly results from anyone's ability to take up their mantle and claim responsibility for hacktivist activity in their names. And geopolitical unrest, like that in Sudan, continues to spur hacktivists to join the fray.

"The hacktivist groups kind of band together and agree to a target and then carry out targeting for a multimonth period," Meyers says. "Sudan is noteworthy in that al-Bashir has now been effectively deposed. That could rejuvenate some of the hacktivists out there if they interpret this as 'Hey, we helped bring about revolution.' But I don’t know that it really got broad attention. The widespread protests on the ground were making a much bigger impact."

At the end of 2018, Crowdstrike began tracking hacktivist activity that targeted the Sudanese Ministry of Defense with repeated DDoS attacks and a database leak. Three groups claimed credit for the assaults: the well-known collective Ghost Squad Hackers, a group known as Sudan Cyber Army, and the Brazil-based collective Pryzraky, which has also been active in other hacktivist campaigns around the world in recent months.

By February, Ghost Squad Hackers expanded its attempted DDoS attacks to also target the Sudanese Chamber of Commerce, the Ministry of Petroleum and Gas, the Ministry of the Interior, and the Office of the Presidency. Throughout March, a handful of other groups joined in the digital barrage as well. For example, Crowdstrike observed hacktivist mainstay group Anonymous launching a DDoS attack against the Office of the Presidency in Sudan on March 1, and conducting website defacements—and more DDoS attacks—against a wide array of targets throughout the month including the Ministry of Labor, the Central Bureau of Statistics, the Ministry of Agriculture, the Sudan National Police, two media outlets, and five local government sites. Among all of these efforts, some DDoS attacks actually knocked sites offline or created intermittent outages, but many were ultimately unsuccessful.

By April 6, days before al-Bashir's arrest on April 11, hackers claiming to be from multiple groups targeted 260 Sudanese domains with DDoS attacks in a single day.

Hacktivist attacks generally aren't very technically sophisticated, and often aren't even very effective. "Back in 2009, when a lot of this was starting to come to the forefront of people’s minds, there weren’t DDoS protections in place, but defenses have picked up," says Harrison Van Riper, a strategy and research analyst who tracks hacktivist activity at the security firm Digital Shadows. "We saw these hacktivists then shift to go after smaller targets and low hanging fruit like universities or small subsections of a government. Even if a site is down for 30 seconds, the hacktivists get a screenshot and then they can say they took it down."

Though hacktivism isn't usually the centerpiece of major geopolitical news, it still consistently crops up on the fringes of high-profile incidents. In the wake of WikiLeaks founder Julian Assange's recent arrest, for example, the Ecuadorian government reported fielding 40 million attacks against institutional websites that caused a slew of intermittent outages. Anonymous claimed credit for the sustained assaults.

For all of their limitations, hacktivists do have a large platform to push their ideas. The biggest Anonymous-linked Twitter account has almost half a million Twitter followers, and other prominent hacktivist groups have countless spinoffs and accounts across social media platforms. But this intentionally fragmented infrastructure and the variety of targets hacktivists focus on also seem to water down the overall impact. Researchers note, though, that in today's online climate hacktivists could potentially use their platforms—or see them co-opted—to further criminal or nation state-backed hacking campaigns.

"They say that they were always very decentralized, but in reality there was an overarching message and hierarchy in their organization during campaigns like Occupy Wall Street," Digital Shadows' Van Riper says. "They would need to shift back to that to be as effective, and I don't necessarily see that happening. I think you could potentially see hacktivists who maybe latch onto a certain disinformation campaign. They could be directed or guided to disseminate something. It's certainly possible."

Researchers say they haven't observed such crossover yet, but have long seen the potential for it to evolve. A January 2018 report by the digital defense firm Trend Micro, for example, noted that defacers in China as well as Arabic-speaking countries in the Middle East and North Africa had their infrastructure tainted in 2017 to spread the Windows worm Ramnit—a malware family often used to steal bank credentials and other data.

“The delineation between pure web defacement and cybercriminal or cyberespionage activity is disappearing,” the Trend Micro researchers wrote. “If this continues and escalates, then the line between defacers, hacktivists, and cybercriminals will become even more blurred.”
