Global Revival of Hacktivism Requires Increased Vigilance from Defenders

Written by: Daniel Kapellmann Zafra, Alden Wahlstrom, James Sadowski, Josh Palatucci, Davyn Baumann, Jose Nazario


 

Since early 2022, Mandiant has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques. This comes decades after hacktivism first emerged as a form of online activism and several years since many defenders last considered hacktivism to be a serious threat. However, this new generation of hacktivism has grown to encompass a more complex and often impactful fusion of tactics different actors leverage for their specific objectives.

Today’s hacktivists exhibit increased capabilities in both intrusion and information operations demonstrated by a range of activities such as executing massive disruptive attacks, compromising networks to leak information, conducting information operations, and even tampering with physical world processes. They have leveraged their skills to gain notoriety and reputation, promote political ideologies, and actively support the strategic interests of nation-states. The anonymity provided by hacktivist personas coupled with the range of objectives supported by hacktivist tactics have made them a top choice for both state and non-state actors seeking to exert influence through the cyber domain.

This blog post presents Mandiant’s analysis of the hacktivism threat landscape, and provides analytical tools to understand and assess the level of risk posed by these groups. Based on years of experience tracking hacktivist actors, their claims, and attacks, our insight is meant to help organizations understand and prioritize meaningful threat activity against their own networks and equities.

Sample of imagery used by hacktivists to promote their threat activity

Figure 1: Sample of imagery used by hacktivists to promote their threat activity

Proactive Monitoring of Hacktivist Threats Necessary for Defenders to Anticipate Cyberattacks

Mandiant considers activity to be hacktivism when actors claim to or conduct attacks with the publicly stated intent of engaging in political or social activism. The large scale of hacktivism’s resurgence presents a critical challenge to defenders who need to proactively sift through the noise and assess the risk posed by a multitude of actors with ranging degrees of sophistication. While in many cases hacktivist activity represents a marginal threat, in the most significant hacktivist operations Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnified the others. In some cases, hacktivist tactics have been deliberately employed by nation-state actors to support hybrid operations that can seriously harm victims. As the volume and complexity of activity grows and new actors leverage hacktivist tactics, defenders must determine how to filter, assess, and neutralize a range of novel and evolving threats. The proactive monitoring of hacktivist threats will bring manifold benefits to defenders:

  • Monitoring hacktivism messaging and activity can provide defenders with early warning of threat activity from sophisticated actors. This is not only because of the overt nature of hacktivism, but also because of its use to mask activity from nation-states and criminals.
  • The increase in frequency and breadth of hacktivism activity over the last two years represents a threat to a wide range of organizations. Even if most attacks do not result in significant impacts, defenders need to proactively filter through the volume of insignificant activity to identify indications of substantive targeting of their organizations and prepare mitigation strategies.
  • Hacktivist attacks are often inspired by global events, but they frequently target organizations that do not necessarily play a role in the event itself. Targeting seemingly unrelated organizations allows the actors to claim attacks at a larger scale and to select high-profile targets—such as critical infrastructure or major businesses—in an attempt to increase group prestige and publicity for their attacks. Proactive monitoring enables defenders to identify when an organization or region is generally at higher risk, what events may be a precursor to hacktivist attacks, and when hacktivists have launched campaigns targeting similar industries or organizations.
  • The threat is even higher for networks located in regions and industries with lower cybersecurity maturity, where victims are also more likely to face a significant or lasting impact from this activity. In such cases, proactive monitoring plays the same role as other detection mechanisms by allowing organizations to identify and mitigate immediate threats to their networks.

New Generation of Hacktivism: Increased Scale and Sophistication 

The term “hacktivism” was coined in the mid-1990s by a member of the hacker collective Cult of the Dead Cow. Originally, it referred to “online activism,” where actors attempted to inflict damage on a victim by conducting attacks to influence audiences and communicate political or ideological beliefs. In the beginning, most hacktivist groups claimed to be motivated by anti-establishment objectives, which threatened governments and political institutions. In the early 2010s, hacktivist actors like those affiliated with the Anonymous collective impacted networks less resilient to threats such as distributed denial-of-service (DDoS) attacks—often resulting in widespread media attention. As cybersecurity matured and networks became more resilient—for example, with the creation of content delivery networks (CDNs)— and as law enforcement in some regions took legal action against these actors, anti-establishment hacktivism as a movement and its methods lost relevance over time.

After years of mostly low intensity and low impact operations, we observed a significant resurgence of new hacktivist groups and tactics around the onset of the Russian invasion of Ukraine and the Israel-Hamas conflict. A variety of hacktivist personas and groups have declared their allegiance to parties in these conflicts and targeted a long list of organizations and governments under such allegiance. The impact of their attacks has not been limited to stakeholders involved in conflict, but has also crossed borders to target third parties with loose association such as nationality, commercial relations, or opposing allegiance.

This new wave of hacktivist activity diverges from historic activity, particularly in the scale and breadth of groups and activity. Some hacktivist actors have shown an increased dexterity, more effectively conducting attacks in parallel with messaging to advertise their threat activity and influence audiences. Today, hacktivism is no longer only composed of low capability actors motivated by ideologies that reflect “traditional” anti-establishment hacktivism. We have observed a more frequent shift toward geopolitically and financially motivated groups attempting to obfuscate threat activity through hacktivist facades. While the concept of using a hacktivist facade as a front for state-sponsored activity is at least a decade old, we have not previously observed the frequency, volume, and intensity of overall hacktivist activity comparable to today.

Three types of motivations that drive hacktivist threat activity

Figure 2: Three types of motivations that drive hacktivist threat activity

We note that hacktivists do not necessarily act according to a single motivation. It is common for such threat activity to fluctuate between different categories and even change in parallel to evolving group dynamics. As a result, understanding the motivations behind hacktivist threat activity requires contextual analysis conducted over time.

The Medium Is the Message: Hacktivists’ Promotion of Strategic Messaging Enables Actors to Conduct Information Operations

Influence is a central component of hacktivists’ attacks and hacktivism often aligns in function with covert information operations, which involve the use of deceptive tactics to manipulate the information environment. Through strategic narrative promotion enabled via hacktivist personas, operators can maximize the real or perceived impact of attacks or gain attention to advance their agendas. Mandiant considers activity to be hacktivism when the actor’s claims directly state or imply that their intent is political or social activism and involve a combination of three key tactics: persona development, tailored messaging, and often disruptive cyber activity. Notably, these tactics are critical in enabling hacktivism to achieve such influence. While there are many factors likely contributing to hacktivism’s resurgence as previously noted, the in-built mechanisms to communicate messages and obfuscate their identities is likely part of the reason why hacktivist tactics are appealing to actors with a range of motivations.

Elements of hacktivism threat activity

Figure 3: Elements of hacktivism threat activity

Actors leveraging hacktivist tactics use overt personas to obfuscate the identity of their real operators and, in some cases, to generate the impression of organic public support for a given issue or event.

The hacktivist personas promote their messaging most often via direct claims or to persona-affiliated online assets such as on social media or actor-owned sites. The meaning can also be embedded in the attack itself, for instance, via the distribution of “tainted leaks” that feature altered or false information or conducting massive DDoS campaigns in parallel to geopolitical or cultural events. Strategic targeting and other high-profile claims also help groups increase the likelihood of receiving mainstream media coverage. 

Mandiant emphasizes the importance of carefully analyzing groups’ messaging, claims, and any independent evidence available before drawing conclusions about an actor’s motivation, capability, or efficacy, since hacktivist tactics incentivize such actors to inflate the impact of their actions and make otherwise inaccurate or wholesale fabricated claims. A proper understanding of hacktivist personas and the impact of their actions requires consistent analysis over time and in context of communications with other actors. In some cases, obtaining conclusive evidence is not possible.

Geopolitically Motivated Hacktivists Often Advance Strategic Objectives from Nation-States

Given the inherent overlap between components of hacktivist tactics and information operations, geopolitically motivated hacktivist actors often help advance strategic objectives from nation-states. Although in most cases the hacktivists likely operate independently, we have also uncovered recent instances of actors with strong links to state-sponsored cyber espionage groups. 

Geopolitically Motivated Hacktivists Linked with Nation-States

Some nation-state-sponsored actors have created hacktivist cutouts or established links with hacktivist personas as a front for their own activities. Hacktivist personas provide such actors with a mechanism to spread messaging that would otherwise be covert action but with a veil of plausible deniability for their cyber threat activity. In such cases, hacktivist messaging can help to draw attention to specific narratives or even influence real life events resulting in physical consequences, while the plausible deniability from using these cutouts expands the threat to both direct and third parties associated with any given event or issue. Hacktivist personas also offer well-resourced actors the ability to develop and/or leverage persistent assets and hacktivist brands that increase the likelihood of their messaging reaching the desired target audiences.

  • In 2024 we released a report describing how Russian military group APT44 (also commonly known as Sandworm, FROZENBARENTS, and Seashell Blizzard) cultivated hacktivist personas as assets to claim responsibility for a series of wartime disruptive operations and to amplify the narrative of successful disruption. 
  • Public sources have also indicated nation-state sponsorship for hacktivist groups such as pro-Iran CyberAv3ngers, which the U.S. government has linked to the Islamic Revolutionary Guard Corps (IRGC) and pro-Israel “Gonjeshke Darande” (Predatory Sparrow), which the Iranian government has attributed to Israel.
  • As early as 2014, an iconic attack targeting Sony Pictures Entertainment illustrated nation-states’ leveraging of hacktivist brands to engage in cyber threat activity. The attack, in which a false hacktivist front called Guardians of Peace (#GOP) wiped Sony’s infrastructure and leaked a large volume of proprietary information, was attributed by the U.S. Federal Bureau of Investigation (FBI) to the North Korean government.

Geopolitically Motivated Hacktivists That Likely Act Independently

Although many of the recently active high-profile hacktivist groups we track explicitly describe their activity as supporting the interests of a nation-state, these pledges of allegiance do not necessarily mean that all such groups are linked to nation-states. We have also recurrently observed hacktivist groups that appear to act independently, but guide their operations with interpretations of the political rhetoric and policy objectives communicated from the leaders of the nation-state or political groups they support. In this case, while the threat activity may not be directed by national leadership, it still serves to advance its specific objectives.

  • For example, on June 18, 2022, Lithuania imposed a ban on the rail transit of goods subject to European sanctions to the Russian far-western exclave of Kaliningrad. Following the imposed ban, pro-Russian hacktivist groups announced attacks on Lithuanian entities across multiple sectors after Russian leadership warned there would be consequences from Lithuania’s action. The attacks continued until both countries reached a consensus. 
  • In some instances, we have observed campaigns that can last for extended durations or be revived by different groups over time. Such is the case of repetitive spikes in hacktivist activity that we often observe in the Middle East associated with holidays such as Quds Day or the recurrent #OpIsrael, which has grown since at least 2013 to involve all sorts of hacktivist activity targeting Israel every year.

OpIsrael DDoS activity between August 2023 and April 2024

Figure 4. OpIsrael DDoS activity between August 2023 and April 2024

Outlook

Despite some resemblance to the original hacktivist groups that first emerged over a decade ago, the current wave of hacktivism exhibits distinct characteristics that are constantly evolving. However, the dynamic of how this new generation of hacktivism interacts with and relies on multiple components of cyber threat activity is complex and has been poorly articulated by current analysis. Modern hacktivist tactics are employed by a variety of actors with multiple motivations and rely on an array of techniques associated with cyber intrusion and information operations. Each hacktivist persona adopts its own set of techniques and operates in a different way, either to support their own ideology, influence geopolitical events, or to gain financial benefits. 

Defenders must proactively seek to understand how these groups operate and interoperate, which techniques they prefer or have had the most success with, and other components of their activity in order to build effective defenses and policies against these actors. A primary challenge to addressing this threat is that hacktivist actors use techniques from different domains, blending together methods that the security community often has tracked separately and differently. We intend to address this challenge in a follow-up blog post. 

For additional guidance on common mitigation strategies to protect from this and other types of threat activity, please refer to the following documentation:

  • Proactive Preparation and Hardening to Protect Against Destructive Attacks
  • Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks
  • Distributed Denial of Service (DDoS) Protection Recommendations 

Appendix: Common Cyber Disruption Techniques Employed by Hacktivist Actors

Technique

Description

Distributed Denial of Services (DDoS)

Attack that attempts to overwhelm victim infrastructure and disrupt service.

Hack & Leak

Attack directly leveraging, or otherwise benefiting from, traditional intrusion capabilities to covertly obtain and publish exfiltrated materials in a manner intended to influence target audiences. Leaks may also be used to disseminate altered or forged documents. Actors may also “leak” documents obtained through alternative means while falsely claiming successful intrusion operations. 

Website Defacements

Actors compromise a website and modify or replace its landing page with content intended to influence target audiences. Website defacements are a common tactic used by hacktivists.

Doxing

Actors disseminate personally identifiable information (PII) of a victim; disseminated information may not necessarily have been collected through data breaches or other intrusion activity. In most cases, doxing does not result in high impact to victims, with the exception of cases inciting to violence.

Network Intrusion

The attacker gains access to a specific network and either offers access or announces further disruptive activity. This includes, for instance, accessing user interfaces for industrial control systems and modifying parameters that may result in physical damage.

Source: Original Post