The New Era of Hacktivism: State-Organized Hacktivism Spreads West


Until this year, hacktivism was largely associated with groups such as Anonymous, decentralized and unstructured collectives made up of individuals with varying interests. Anonymous has launched multiple campaigns against numerous targets. There was no real affiliation or ideological connection between the group members, and apparently no long-term agenda. Everyone, regardless of political affiliation, was able to join the group.

But recently things have changed. As a result of the fallout from the conflicts in Eastern Europe and the Middle East, some hacktivist groups have stepped up their activity in both form and substance. Hacktivism is no longer just about social groups with changing intentions. Modern hacktivism is more organized, more structured and more sophisticated. Although the change began in specific geographic regions linked to conflict, it has now spread west and beyond. Large corporations and governments in Europe and the United States are heavily targeted by this emerging type of hacktivism.

In recent months, the United States, Germany, Lithuania, Italy, Estonia, Norway, Finland, Poland and Japan have suffered serious attacks from organized groups. These incursions have in some cases had a significant impact. Recent attacks have not only targeted the governments of these countries, but also large corporations like Lockheed Martin, a global defense contractor. Furthermore, the latest large-scale attacks against the Albanian government have been carried out by a group of state-organized hacktivists.

The major hacktivist groups that emerged in the last year share many of the characteristics of such structured organizations: a clear and consistent political ideology, a well-designed hierarchy of membership and leadership, a formal recruitment process and even tools that groups provide to their members. In addition, groups and their members adhere to goals. The groups cooperate in an organized manner and also have strong public relations operations to publicize and promote their successes, including on major media channels and websites.

All this allows the new hacktivist groups to be mobilized to convey government information and achieve strategic and general objectives with never-before-seen levels of success (and much wider public impact). Hacktivist groups are no longer made up of a few random individuals who carry out small DDoS attacks or deface second-tier websites. These coordinated organizations launch large-scale DDoS and parasite attacks against their targets, backed by far-reaching public relations. Government agencies and organizations should therefore consider themselves duly warned.

Model of hacktivism in 2022 – Mobilization around government programs

The new model of hacktivism started about two years ago, with several hacktivist groups such as Hackers of Savior, Black Shadow and Moses Staff, which focused exclusively on attacking Israel. For the most part, they have made no secret of their adherence to the Iranian regime’s anti-Israeli discourse. Meanwhile, several other groups in the Middle East, the largest being Predatory Sparrow, focused solely on attacking pro-Iranian targets. Their only common interest is opposition to the Iranian regime.

The geopolitical design that mobilized hacktivism is not limited to the Middle East but is also an essential part of the Russian-Ukrainian war. From the beginning of 2022, the Belarusian cyberpartisan group, formed in 2020 to counter the Belarusian government, began launching destructive cyberattacks to thwart Russian troops.

The Ukrainian government has publicly called on the IT Army of Ukraine to attack Russia. This new hacktivism also saw the birth of groups that supported the Russian geopolitical scenario, with groups like Killnet, Xaknet, From Russia with Love (FRwL), NoName057(16), etc.

Although the new hacktivism started in specific and limited geographical areas, the groups mobilized by the Russians soon ceased to focus solely on Ukraine. They have indeed attacked anyone who opposes the Russian strategy, namely Europe, the United States and even Asia. These included major attacks against governments and large corporations in the United States, Lithuania, Italy, Estonia, Norway, Finland, Poland, Japan, and more.

These groups also have clearly stated intentions to support the information war and Russian interests, as we can see in the manifesto of NoName057(16).

This group has a real pro-Russian agenda and regularly targets Ukraine, while widening its scope. Over the past few months, NoName057(16) has targeted the many European Union countries that have publicly supported Ukraine, such as Poland, Lithuania, Latvia, Slovakia and Finland. NoName057(16) also attacked the website of the Finnish Parliament in August, after Finland expressed interest in joining NATO.

From Russia with Love (FRwL) is another group that follows the same state-aligned modus operandi, but which attracts less public attention. Members of the group focus on spreading private information on their Telegram channel and claim several attacks against “the enemies of Russia”. They claim to have obtained sensitive information about Estonia and Lithuania by accessing Telegram channels associated with the Ukrainian Security Service. FRwL has joined the wave of attacks against Lockheed Martin and its contractors who produce HIMARS, supplied by the United States to Ukraine. FRwL also claimed to have compromised Gorilla Circuits, an American circuit board manufacturer and one of Lockheed Martin’s suppliers.

In the opposite camp, there are also multiple groups of hacktivists mobilized alongside Ukraine. Some, like IT Army of Ukraine, are officially run by the Ukrainian government. IT Army of Ukraine was established days after the start of the Russian invasion and brought together trained volunteers from around the world to operate under the Ukrainian mandate. According to CSS Zurich, IT Army of Ukraine has a large number of volunteers around the world who work to coordinate DDoS attacks against Russian targets, and a team that works at higher levels, probably made up of Ukrainian defense and intelligence experts, that can conduct more complicated cyber operations against specific Russian targets.

One of the most influential groups to join IT Army of Ukraine is TeamOneFist, the pro-Ukraine collective that in August targeted the city of Khanty-Mansiysk in Russia. It wiped out the natural gas power plant and also caused the airport to black out.

Although the mobilized pro-Ukrainian groups currently focus only on Russia, they have still set precedents for hacktivism.

In recent months, we have also seen a marked proliferation of hacktivism organized by the Iranian government and aimed at Europe and NATO. On July 15, 2022, Albania suffered a severe cyberattack that temporarily disabled many of its government’s digital services and websites. The responsibility for this attack lies with a group of hacktivists called Homeland Justice, affiliated with the Iranian Ministry of Intelligence and Security. In this case, Homeland Justice is clearly serving the Iranian government’s agenda against Mujahedin-e-Khalq (MEK), an Iranian dissident group protected by the Albanian government.

Conclusion

The conflicts that have erupted in Eastern Europe and the Middle East in recent years have affected the lives of many people and caused an escalation in many areas around the world. Cyberspace ecosystems are one of the areas of greatest escalation. In the previous decade, hacktivism was mostly a buzzword that did not pose significant risks to global organizations. Now more organized, structured and sophisticated, hacktivism has ushered in a veritable renaissance. What is more worrying today is that many hacktivist groups have a very clear agenda and serve the particular interests of certain governments.

Even though it all started in specific conflict zones, we are already seeing its proliferation in the West and beyond. We further expect hacktivists to build up their arsenal and unleash state-level destructive attacks. Another growing concern is the fact that more and more governments are taking inspiration from the success of these new groups of hacktivists in their pay, a sign that this phenomenon is on the way to becoming a long-term business.




