Welcome to the third installment of our Threat Actor Profile series where we analyze the main categories of actors that represent a threat to your organization. This series is designed for executives. Because we understand the unique roles and responsibilities of executives, and corporate leadership, we’re focused on cyber risk as an enterprise risk—and help explain it without getting lost in the weeds. Our third threat actor group is Hacktivists.
Click here to read our previous posts, on Nation State Actors and Cyber Criminals.
Threat Actor Profiles: Hacktivists
In 1996, partially as a joke, a pseudonymous programmer first used the word “hacktivism” to describe hacking for political purposes. The Cult of the Dead Cow (CDC) was an early computer hacking club, originally founded in 1984. One member, amused by the group’s increasingly over-the-top political actions, coined the term in a club-wide email. Years later, during a lecture on Cybercrime and Digital Law Enforcement at Yale, the founder of the CDC commented on that historic email:
Almost immediately, ‘hacktivism’ spread like wildfire. The word sounded so cool to that everyone wanted to use it – the trendier-than-thou digerati, online news editors, and especially washed-up activists who had just discovered email. Suddenly, everyone became a ‘hacktivist.’ No one had a clue what it meant, but it sounded cool.
Today, that sentiment still rings true. What does it mean to “use computers to accomplish political objectives?” What do hacktivist attacks look like – are they always destructive, or can hacktivism be a legitimate way to participate in politics? And, what are the implications for your organization?
Anonymous and #OpPayBack
Hacktivists’ motivations aren’t always as obvious as those perpetrated by nation state actors or cyber criminals because the pattern between activities can seem unpredictable. However, hacktivists do not target organizations randomly. Rather, they attack to draw public attention to a perceived injustice. In some cases, actions by hacktivists are motivated by a political, religious, or social scandal involving your organization. In other instances, their attacks are symbolic: your organization is targeted because it represents something unfavorable in the eyes of the hacktivists.
Both of these facts were true during a series of high-profile distributed denial of service (DDoS) attacks perpetrated by Anonymous in December 2010. Dubbed “Operation Payback” by the hacktivist collective, the attacks targeted several financial web services, as well as U.S. government websites. Like all too many subsequent geopolitical conflicts, the situation began with WikiLeaks. In a leak known as CableGate, 200,000 classified State Department cables were leaked. This leak prompted a swift response by the U.S. Government. The Government called on Visa, MasterCard, and PayPal to stop processing donations to WikiLeaks. Those financial services complied, claiming that WikiLeaks was violating their respective Terms of Service agreements. This became the catalyst for Anonymous’ actions days later.
From the start, the attackers were clear about their motivation: they viewed this “interference” by the U.S. Government as an attack on WikiLeaks and their donors’ free speech. Participants mobilized on Twitter and public chat rooms; penned collaboratively-written press releases and manifestos using an anonymous document-writer called PiratePad; and solicited interviews with a variety of press outlets, from the New York Times to Wired.
In addition to these operational and press activities, the hacktivists organized a collective DDoS attack. This type of attack involves overloading a server with traffic until it crashes. That is exactly what happened to Visa, MasterCard, and PayPal’s websites. To improve the effectiveness of their attack, Anonymous participants reappropriated an open source stress-testing tool. Called a “Low Orbit Ion Cannon” (LOIC) – named in honor of a fictional weapon in a SciFi video game – participants voluntarily connected to a single server, then one operator “fired” the traffic at the target websites all at once. According to hacktivists, using a DDoS attack to bring down websites is just like collective action in the real world: it’s a virtual sit in, with consequences that are no more disruptive than temporarily shutting down a roadway.
According to estimates, between 7,000 and 10,000 unique users connected to the LOIC to become part of the attack, which caused a “complete loss of service” at MasterCard crippling the company’s ability to process transactions. Over three days of intermittent system downtime, MasterCard incurred millions of dollars in financial losses.
Telecomix and #OpEgypt
Around the same time as Operation Payback, another group of hacktivists were engaged in a different kind of collective action, launched in defense of free speech and Internet freedom. In early 2011, as part of the Arab Spring, millions of pro-democracy Egyptian activists organized massive street demonstrations demanding the overthrow of Egyptian President Hosni Mubarak. On January 25th, as the clashes between protesters and the military intensified in Cairo and major Egyptian cities, state-sponsored Internet Service Providers (ISPs) throttled the entire country’s telecommunications system.
Telecomix, a European hacktivist collective, quickly worked to restore lines of communication between Egypt and the rest of the world. Tactically, Telecomix was similar to Anonymous: they organized entirely online, were decentralized, and used the media to attract attention to its political cause. Like Anonymous, Telecomix also adapted an existing technology to accomplish its goals. However their plan was decidedly low-tech. First, the hackers established a massive bank of old modems, lobbying Swedish and French ISPs to donate their defunct hardware to the cause. They then sent faxes to Egyptian hospitals, schools, and community centers with detailed instructions on how activists could connect to the ad-hoc network.
The operation was incredibly effective. During the five day Internet blackout, foreign journalists used the modem banks to push out information. Protesters “tweeted” using the fax machines and sent their messages to Telecomix, who transcribed their updates and broadcasted reports from their Twitter handle under the hashtag #OpEgypt. Several activists even hosted a livestream from the streets of Cairo, bypassing the information embargo and sharing their experiences live with a global audience.
Hacktivists: Decentralized and Unpredictable
It can be difficult to anticipate when and how hacktivists will direct their focus. When an operation manages to grab enough attention, the decentralized nature of hacktivist operations can cause significant damage in a short amount of time.
Similarly, the capabilities of hacktivists are tough to generalize. While Anonymous usually conducts DDoS attacks and PR smear campaigns, in the past they have successfully launched sophisticated cyberattacks. These tactics include defacing websites and leaking internal emails, as was the case in an Anonymous cyberattack on defense contractor HBGary Federal.
When constructing a risk management strategy, companies must first understand their threats. They must also be aware of how their actions, operations, and business partners could be perceived in the political landscape both in domestic and international spheres. Finally, creating a crisis communications strategy before an incident occurs can help reduce the chaos and reassure customers in the wake of an incident.
To learn more about how to build and execute a risk management strategy that considers the diverse threats organizations face, join us at our Cyber Resolve seminar in NYC on May 1. Prefer private training for you and your fellow members of the C-Suite? Contact us. We’ll bring the education to you.