In the most recent edition of its annual Security Report, Check Point Software Technologies looked back on a tumultuous year in cybersecurity, with the boundaries between state cyber-operations and hacktivism becoming blurred as nation states act with a degree of anonymity without retaliation.
In this article, Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, looks at the rise of a new type of hacktivism and the impact of geopolitical relations on the current threat landscape.
Hacktivism has traditionally been associated with loosely managed entities such as Anonymous. These decentralized and unstructured groups are typically made up of individuals cooperating in support of a variety of agendas, and many groups have an open-door policy for recruitment. However, over the last year, and following developments in the Russian-Ukrainian conflict, the hacktivist ecosystem has matured in both its origins and its motivations.
Hacktivist groups have tightened up their level of organization and control, and today you will see them conduct military-like operations including recruitment and training, sharing of tools and intelligence, and allocation of targets. For example, following Russian attacks on Ukrainian IT infrastructure at the beginning of the war, Ukraine set up an unprecedented movement called “IT Army of Ukraine.” Through a dedicated Telegram channel, its operators manage more than 350,000 international volunteers in their campaign against Russian targets. On the other side of the battlefield, Killnet, a Russian-affiliated group, was established with a military-like organizational structure and a clear top-down hierarchy. Killnet consists of multiple specialized squads that perform attacks and answer to the main commanders.
Most new hacktivist groups have a clear and consistent political ideology that is affiliated with governmental narratives. Others are less politically driven, but have nonetheless made their operations more professional and organized through specifically targeted campaigns motivated by social rather than economic objectives.
Who’s responsible and do we know for sure?
This type of cyber warfare is not only about inflicting damage. All active groups are aware of the importance of media coverage, and they use their communication channels to announce successful attacks and re-publish them to maximize the effect and elevate the fear of such hacktivist attacks. For example, Killnet has more than 91,000 subscribers on its Telegram channel, where it publishes attacks, recruits team members and shares attack tools. There is also extensive coverage of the group’s activity on major Russian media outlets to promote its achievements in cyberspace and validate the impact of its successful attacks on its ‘enemies’ or anti-Russia entities.
Groups are increasingly claiming responsibility for cyberattacks in which, in reality, they had little or no involvement. Germany’s flagship airline, Lufthansa, experienced a severe IT issue in early 2023 which left thousands of passengers stranded at several airports across the country. It was thought to be the result of construction work causing damage to external cabling.
The pro-Russian hacktivist group Killnet claimed responsibility for the attack and said it was retaliation for Germany’s support of Ukraine. The group published a statement via its social media channels saying: ‘We killed the Lufthansa employee corps network with three million requests per second of fat data packets. These were experiments on rats that were successful. Now we know how to stop any navigation and technical equipment of any airport in the world. Who else wants to supply weapons to Ukraine?’
Despite this assertive message, there is little evidence to suggest that Killnet had any involvement in the attack; the group was in actual fact attempting to enhance its notoriety and increase levels of fear. It is not always easy to establish who or what organisation is responsible for an attack, and it is even more difficult when the incident is potentially state-sponsored.
Who is the person (or government) behind the mask?
There is a big difference between claiming responsibility and being responsible. Operating under the cloak of anonymity may be seen as a way of legitimising state-sponsored attacks, but when does it become terror, not disruption?
Research conducted by the University of Notre Dame argues state-sponsored hacktivism is ‘weapons and attacks in the cyber domain intended to produce political effects similar to those usually sought as the goal or objective of a conventional use of force by states against one another’.
Such an approach means nation states can act anonymously within the cyber world and, perhaps most importantly, without fear of retaliation and without taking responsibility for the attacks. By targeting components of critical infrastructure such as financial or healthcare institutions, government buildings, energy suppliers or emergency services, attacks aim to cause maximum disruption. With such significant backing, though, the aftereffects of an attack such as this could be on a par with those where force had been used.
Prior to Russia’s invasion of Ukraine, hacktivism was a scarcely used term in a serious context and was arguably on the decline. However, the war prompted a surge in activity from known and unknown groups. Those unknown parties are the ones that create the most intrigue, as they are potentially being aided by government organisations to carry out attacks on targets for political gain.
For example, within 48 hours of Russia’s invasion of Ukraine there was an 800% increase in suspected Russian-sourced cyberattacks. Activity hasn’t slowed either. According to Check Point Research, in the second half of 2022 Killnet, the biggest Russia-affiliated hacktivist group, targeted more than 650 organisations or individuals; interestingly, only 5% of these were Ukrainian. It is not just Russia that is believed to be using government resources to aid cyberattacks; groups allegedly in Iran, Israel and China may also have links to state-sponsored activity.
What will hacktivism look like in 2023?
The frequency and sophistication of attacks in this new era of hacktivism will raise questions about their origins. Who or what organisation is behind the mask, and are their actions motivated by political gain or terror? In the year ahead, it will become increasingly difficult to identify what is a government, hacktivist or cyberattack.
It may be too soon to refer to hacktivism as state-sponsored terrorism, but there is no doubt that it is becoming harder to disconnect one from the other. As geopolitical tensions continue to dominate the world agenda, this new age of cyberwarfare will only get worse before it gets better.