In 2019, hacktivism was almost stricken off the list of most pressing cyber threats – an IBM X-Force Threat Intelligence report shows that it had declined by 95% since 2015. Even in 2021, only 1% of all attacks recorded stemmed from hacktivist groups.
The Russia-Ukraine war, however, gave hacktivism a new lease of life. Recent Kaspersky research shows that between Q4 2021 and Q1 2022, the number of DDoS attacks increased by 46%. Researchers attribute the sharp spike to hacktivists on both sides.
While some hacktivist groups and threat actors such as Killnet, CyberGhost, the RedBandits, and the Conti ransomware group declared fealty to Russia, others such as Anonymous, BlackHawk, and GhostSec took Ukraine’s side.
The all-out cyberwar between Russia and Ukraine is no longer confined to the two countries. Italy’s Computer Security Incident Response Team recently confirmed that Killnet attacked multiple websites of several Italian institutions, including the senate, the National Institute of Health, and the Automobile Club d’Italia.
To make matters worse, threat actors are now using the latest technology to target their adversaries. Case in point: a Mandiant report shows how a pro-Russian group used deepfake technology to impersonate Ukrainian President Zelenskyy.
The threat from hacktivist groups is not limited to the Russia-Ukraine conflict. Closer to home, Indian cybersecurity firm CloudSEK’s threat intelligence research revealed on Tuesday that a new ‘Robin Hood’ ransomware group, GoodWill, forces its victims to donate to the poor and claims to provide financial assistance to deprived patients in exchange for the decryption key.
While the actions of hacktivist groups may be driven by the intent to oppose an unjustified invasion, some security experts tell ETCISO that “wildcard” hacktivist groups, especially independent, non-government ones, cannot always be relied upon.
Moreover, recent data leaks, including the source code of a highly successful threat actor such as Conti, could propel other threat groups to carry out attacks in other parts of the world.
Vigilantism/Altruism is No Excuse for Cybercrime
Hacktivism, as it is, cannot be “relied upon,” Casey Ellis, founder and CTO at San Francisco-based crowdsourced cybersecurity firm Bugcrowd, tells ETCISO.
Anti-hacking legislation, he says, errs on the side of assuming criminal conduct, and it’s already difficult and ambiguous enough for hackers who are actively working to stay within the boundaries of the law.
“So for those engaged in social vigilantism – regardless of the greater good being served – it continues to be a legally risky thing to be involved in,” he says.
Ellis uses the phrase “one man’s freedom fighter is another man’s terrorist” to illustrate his point.
“When you apply this (the ideology) at the speed of the internet with the backdrop of fluid international relations constructs, defining and creating consensus around what’s evil or corrupt outside of strict legal definitions becomes almost impossible to get correct 100% of the time,” he says.
The conundrum in this situation is that no single authority defines what “doing the right thing” constitutes. The absence of clearly defined boundaries and rules of engagement puts hacktivism in a grey area.
As John Bambenek, principal threat hunter at San Jose-headquartered security operations company Netenrich, says: Anonymous and many other hacktivist groups are independent, loosely affiliated groups that do what they think is important. And so the choice of target is entirely up to them.
Throwing light on the GoodWill ransomware group, Rahul Sasi, founder and CEO of CloudSEK, tells ETCISO that ransomware operators are not always motivated by money. Some, like the GoodWill group, do it for fame and for gaining “rep” in dark web forums. “They might have the right intentions, but carrying out illegal activities is no way to do charity,” he says.
John Dickson, vice president at Coalfire, a Colorado-based cybersecurity advisory services provider, tells ETCISO that all types of actors are coming out of the woodwork, aligning with Russia or the West.
“We are venturing into uncharted territory and are well suited to monitor threat feeds more quickly and be able to turn on a dime when new vulnerabilities come to the light of day,” he says.
Impact of Source Code Leaks
The experts ETCISO spoke with say that Anonymous leaking Conti ransomware group’s source code could act as a blueprint for other malware to be built with similar capabilities.
Ellis of Bugcrowd says that when source code gets leaked, there’s always the potential for it to be modified, re-used, taken from, or even just used as a guide for building similar capability.
After Babuk ransomware group’s source code was leaked, the Rook group used the same code to propagate attacks targeting Kazakhstan-based financial institutions. The leaked source code, like Conti’s, was highly capable and had the ability to terminate any process that might interfere with encryption.
Although Bambenek acknowledges that Conti’s source code leak is a risk, he says using the leaked code for a cyberattack is not that simple.
“It is possible people use the Conti source to build ransomware, but modern ransomware attacks require much more than malware. Being able to receive funds in real money in a non-attributable way is no small challenge, for instance,” he says.
He adds that getting initial access and escalating privileges to be able to deploy ransomware throughout an environment is not trivial. “There is increased risk but if you want to be in the ransomware business, there are already ways to bootstrap your efforts,” he adds.
Challenges in Attribution, False Flags
Attribution is a challenge in every cyberattack, but when several threat actors use the same code and attack vector, it becomes even harder to trace.
Dickson says: “Given the issues of attribution – who does what to whom – it will get very messy soon. I believe that if more invasive attacks begin to crop up – wiper malware and DDoS attacks – directed towards the Russians, we will likely see the Russian state and Russian-aligned actors respond in a similar manner.”
In his view, it will be difficult, if not impossible, for Russians to determine in real time whether an attack originates from Anonymous members based in North America or from a cyber command-directed offensive operation, as the two will look the same.
Attribution is one of Ellis’ main concerns as well. He says that while Ukrainian and Russian governments are conducting cyberwars against each other, the cyber conflict seems to be fairly well contained.
On the other hand, with non-government hacktivists and third parties from all over the world joining in and attacking things outside of the current warzone, Ellis says the “asymmetry of the actor” and impact creates a tremendous risk of accidental escalation, either by misattribution or through deliberate false-flag efforts.
“On top of this, the amount of background noise generated by all of this activity provides air cover for more directed and malicious intrusions,” he says.
In addition to this, Bambenek says that other threat actors could impersonate Anonymous to carry out targeted attacks. “If I were to be kicking over Russian organizations right now, I’d be calling myself Anonymous though I’ve never been affiliated in any way with them,” he says.
Vulnerabilities Laid Bare
Hacktivists on both sides have been actively targeting and taking down critical infrastructure. Anonymous even claims to have disabled the Russian space agency’s satellite program.
Bambenek says that any attack exploiting a previously unknown vulnerability can lead to others learning about it. Security companies that research and report on zero-days, he says, often do so by first reporting on attacks they have observed and then researching the underlying flaw.
“This is why, for instance, the United States has strong controls in place before the use of zero-days, and part of that review deals with handling the risks if the zero-day is discovered by the victim,” he says.
The series of cyberattacks can lead to a fallout effect with organizations in other countries getting caught in the crossfire. Suggesting remediation measures, Dickson says: “We need to move more quickly and change our security posture to be able to react more quickly when scary vulnerabilities get disclosed. What that boils down to for organizations on the defense side is vulnerability management.”
While vulnerability management might very well be the most “pedestrian” of cybersecurity processes, Dickson says that when major vulnerabilities stream out, as he expects they will, vulnerability management becomes central to protecting organizations from the latest (and worst) exploits.