Activism has gone cyber: the rise of hacktivism

The ever-evolving geo-political and social landscape continues to cause ripple effects in a range of areas, one of the areas being cyber attacks. We have witnessed an enormous increase in the number and claimed impact of hacktivist attacks over the past year, with the goal of spreading a message or causing physical disruption leading to significant real-world consequences.

At the end of last year, we saw an Australian real estate business fall victim to a Russian hacktivist group, despite holding no prior connection. This shows that although hacktivism’s end goal is to cause disruption to wider political and social agendas, organisations, especially those operating in critical infrastructure, are often the direct victims of the bigger message.

The rise of hacktivism in 2022

Much like the motive of activism, hacktivist groups are formed by groups of cybercriminals sharing the same political and social beliefs coming together to promote an agenda; however, with cybercrime at play, outcomes are much more destructive. In 2022, hacktivists continually interfered with the Russia–Ukraine War, and governments are increasingly aware of the potential impact these groups can have. The last 12 months saw a number of hacktivist groups come into the public light:

• Team OneFist: Founded in March 2022, Team OneFist is a group of international hackers. The hacktivist group are Pro-Ukrainian and aligned with many other hacktivist groups to target Russia. Team OneFist targeted a range of Russian infrastructure, such as telecommunications, utilities and manufacturing organisations. Their goal was to deny Russia access to services and cause disruption. Other groups who protested against Russia include AnonGhost, who hacked Russian devices including street lighting systems and satellite systems disrupting navigation for Russia and also Network Battalion 65 (NB65), which hacked IP cameras and open SCADA systems.
• Gonjescke Darande: Also known as Indra or Predatory Sparrow, this hacktivist group attacked three Iranian steel plants associated with the Iranian Revolutionary Guard Corps (IRGC). The group released a video that captured a fire breaking out as a result of their attack. In 2021, the group was also linked to an attack on Iranian railways which caused massive delays and another attack on the Ministry of Roads and Urban Development which led to the national fuel payment system going offline.
• GhostSec: Active since 2015, this hacktivist group features members from several countries and doesn’t have a single political agenda. The group has attacked unmanaged devices in industries including retail, telecom, hotels and utilities across the world, with Israel, Russia, Iran and Nicaragua all falling victim. Closely affiliated hacktivist group SeigedSec attacked Rockell PLCs after the US overturned the federal right to have an abortion.
• Anonymous: One of the oldest and most well-known hacktivist groups, Anonymous too targeted Russia following the war, attacking Russian IoT equipment such as printers and IP cameras, which were used to live-stream Russian military personnel.

Becoming the unintended victim

In most cases, hacktivists aren’t focused on a particular organisation, but rather have a government, industry or country in mind. However, this does not mean organisations are immune to hacktivist attacks, as many organisations that operate within the targeted country or sector can be caught in the crossfire of these attacks. Once the initial target scope is defined, some groups will focus on large-scale attacks by finding similar device models in several organisations and attacking them simultaneously.

Critical infrastructures are often targeted by these threats as they largely operate with OT devices and equipment. Industries such as utilities and manufacturing become expected targets; however, due to the widespread use of IoT and OT equipment such as UPS, VoIP and building automation controllers, telecommunications and retail too repetitively face cyber attacks. It is important to also consider hacktivism aims to cause disruption for governments and countries, so sectors that have the greatest knock-on effect on the wider public become valuable targets.

Forescout found that nearly two-thirds (65%) of all hacktivist attacks have occurred on telecommunication (34%) utilities (23%) and manufacturing (8%) organisations. Of all successful attacks, the most common end goal for hacktivists was manipulation and control of the network (79%), with the second aim being to destruct data (9%).

Despite not being the enemy of hacktivist groups, organisations should still prepare for becoming a target of these attacks. Moving forward, organisations, especially critical infrastructure, should ensure their unmanaged devices such as IoT and OT equipment are appropriately protected.

Defending against hacktivism

As hacktivism continues to grow, cyber hygiene practices such as hardening network segmentation and monitoring must be extended to encompass every device in an organisation, not only traditional, IT and managed devices. Organisations need to:

• Strengthen connected devices: Organisations should identify every device connected to the network and its compliance state, such as known vulnerabilities, used credentials and open ports. Default or easily guessable credentials should be upgraded to strong, unique passwords for each device and unused services should be disabled. Vulnerabilities should be patched immediately.
• Introduce segmentation: Organisations need to ensure unmanaged devices are not exposed directly on the internet, with very few exceptions such as routers and firewalls. Companies can look to segment their network to isolate IT, IoT and OT devices. This will limit network connections to specifically allow management and engineering workstations or unmanaged devices that need to communicate.
• Continue to monitor: Organisations can implement IoT/OT-aware, DPI-capable monitoring solutions that alert on malicious indicators and behaviours. Solutions can watch internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing and unauthorised use of OT protocols. Furthermore, monitoring large data transfers will help to prevent or mitigate data exfiltration. Finally, organisations should consider monitoring the activity of hacktivist groups on Telegram, Twitter and other sources where attacks are planned and coordinated.
   

Hacktivist attacks will only continue to grow as cyber evolution and political agendas remain a part of society. Critical infrastructure remains a primary target, and organisations with IoT and OT infrastructure should evaluate their cyber hygiene and furthermore, educate themselves on how to protect all devices across their landscape. By doing this, organisations can mitigate their odds of falling victim to hacktivist agendas.

Image credit: iStock.com/Peach_iStock