Published: 26 Sep 2012
Ask Adam O'Donnell the difference between hacktivists today and those 15 years ago or more, and you won't get a simple answer. Technology has changed, social norms are different and political motivations are diverse.
"Back then there was less interest in the techniques of breaking into people's systems and exposing data that you see today," says O'Donnell, a noted antimalware expert and early hacker before he founded Immunet, which was acquired by security vendor Sourcefire. "Today it's like a decentralized religion; there's an ethos and anyone can label themselves of being part of it… and some groups are more bent in one direction or another, but they're all under the same value system: sticking a finger in the eye of the man."
Indeed, today's hacktivists – notably those affiliated with Anonymous – are slightly different than the original hacktivists groups, such as Cult of the Dead Cow (cDc). Experts say the cDc was more centralized, granting membership to individuals based on their skills. The cDc's aim mainly was to defend human rights and freedom of expression and later to get organizations to find and repair serious vulnerabilities. Members of cDc created a number of hacking tools beginning in the early 1990s from Back Orifice, a rootkit program designed for the purpose of exposing Windows flaws. A later creation called Goolag automated hacking queries via Google to make it easier to find serious website vulnerabilities. Now, hacktivists use a variety of automated tools, many shared by financially motivated cybercriminals, to detect website vulnerabilities and carry out distributed denial-of-service (DDoS) attacks. Unlike a cybercriminal whose intent is solely on making money, the ultimate goal of the modern hacktivist is to sully the reputation of a company for one cause or another, O'Donnell said.
" It's trying to show up someone up in the face of public opinion," O'Donnell says. "You may lose some data but then you will also have to deal with the seven-day news cycle. Therefore the impact is going to involve public relations more than if a breach was done by a cybercriminal that didn't say anything publicly about it."
Clearly, today's hacktivists with their assorted political and social purposes pose a different breed of attacker than the average cybercriminal. Security experts say hacktivists have caused widespread damage to the infrastructure and reputation of organizations they target, making it critical that companies have a well-organized response plan in place for the hacktivist threat.
MAJOR BREACH FACTOR
Hacktivists had a tremendous impact on data breaches in 2011, according to the 2012 Verizon Data Breach Investigations Report, accounting for two-thirds of all the stolen records documented by the Verizon team. Most of the victims of the attacks were large businesses, says Bryan Sartin, vice president of the Verizon RISK Team and co-author of the report. The relative impact is far less if you remove the largest companies from the DBIR, Sartin said. About 96 percent of organizations analyzed by Verizon were attacked by cybercriminals motivated by financial and personal gain.
Verizon has identified two basic hacktivist types: Individuals who attempt to bring down or deface a website and individuals who pull off far more complex attacks using sophisticated tools. "It is surprising to see how far we've seen some hacktivists go to cover their tracks, sometimes successfully penetrating a network again and again," Sartin says.
Fifty-eight percent of all breached organizations knew in advance that they were going to be attacked, Verizon found. Often hacktivists leave broadly worded warning messages in a forum, on a website or a social network, such as Twitter, Sartin says. In almost every one of the cases, a DDoS attack was used as a diversionary tactic.
Anonymous and its associated group Lulzsec have gotten the most notoriety for recent hacktivism. The group doesn't have a known leader. Anyone with a computer can affiliate him or herself as an Anonymous hacktivist, says Toralv Dirro, McAfee Labs' EMEA security strategist..
Anonymous had its roots in the Antisec movement in the early 2000s. Some experts claim that Anonymous began on the Internet image forum 4chan where a group of anonymous posters decided to use their power to protest the lack of black characters on Habbo Hotel, a virtual social network. Although its goals have been vague – the group has targeted pedophiles and railed against Scientology – it also has branched out into libertarian ideals, Dirro says. Its primary activity seems to be to respond to any attempt to regulate the Internet, he says.
The group's actions have caused widespread damage. Members of LulzSec are responsible for hacking into Sony Pictures in 2011, compromising user accounts and forcing Sony to halt its gaming platform until it could contain the breach. The group's members also gained access into the network of HBGary Federal, stealing research and email, including those of its co-founder and noted malware expert, Greg Hoglund. At least 65,000 email messages were posted The Pirate Bay file sharing service.
DDOS: THE WEAPON OF CHOICE
Verizon's Sartin and other security experts agree that hacktivists typically carry out DDoS attacks to either disrupt a website's operation or obscure far more nefarious attack. While the IT security team deals with the flood of malicious traffic, other hacktivists are busy trying to gain access to another part of the network in an attempt to steal data. Jeff Lyon, president of Los Angeles-based DDoS mitigation firm Black Lotus, says hacktivists typically use fairly standard DDoS attacks using the popular open source Low Orbit Ion Cannon tool. Lyon says the power of social networks has helped groups with similar political views to use their power collectively to bring down websites.
"If you are making a statement against a company or an organization, you can use a medium like Twitter or other social media to generate opinions and attack a target as a collective," Lyon says. "Anyone can launch a low-orbit ion cannon attack and it's difficult for law enforcement to track down individuals."
In 2009, hacktivists are believed to be responsible for disrupting some U.S. and South Korean government websites, taking them offline for hours. The attackers also brought down the websites associated with the Federal Trade Commission and the U.S. Department of Transportation (DOT) as well as some South Korean government sites. Other high-profile websites were targeted, including the New York Stock Exchange (NYSE), the Nasdaq and the Washington Post. While the attacks took out the websites, the impact was more of a nuisance, according to Lyon and other DDoS experts.
Hacktivists associated with Anonymous claimed responsibility for temporarily disrupting MasterCard's corporate website in retaliation for blocking payments to WikiLeaks and its founder Julian Assange. PayPal and other credit card providers were also targeted. The low-level, easy-to-contain attacks typically involve groups of individuals, but other, more sophisticated denial of service attacks exist, Lyon says. An individual hacktivist can launch a more complex DDoS attack by renting a botnet to control 100,000 systems or more and launch an attack against an individual website.
Organizations have several means of mitigating the risk of a denial of service attack, including buying an appliance to address the issue or contracting with a service provider that specializes in DoS prevention. The market for DDoS appliances and services has matured, giving both large and small and midsize businesses the ability to mitigate the threat. Still, most attacks cause an initial disruption until the service can weed out the bad traffic, Lyon says.
LAW ENFORCEMENT CRACKDOWN
Law enforcement is beginning to make headway in jailing a number of high profile hacktivists and other individuals who align themselves with major hacktivst groups.
In March, federal authorities charged six members of Anonymous and its offshoot hacking groups in connection to the attacks on Sony and HBGary Federal. Also in March, police arrested members of the CabinCr3w, a group that affiliates itself with Anonymous. The individuals are suspected of hacking law enforcement related websites. Members of a number of groups in the UK and Russia were arrested for their role in denial-of-service attacks against the UK's foreign intelligence organization, MI6. Individuals suspected of having ties to attacks carried out by Anonymous were arrested in June in France, Belgium, and Québec, according to McAfee, which is one of a number of security firms tracking the hacktivist movement. The security firm tried to paint a picture of the impact hacktivists are having in a report, "Hacktivism: Cyberspace has become the new medium for political voices" (.pdf).
Sartin says recent arrests have resulted in fewer organized hacktivist attacks. However, the threat is still serious.
"Hacktivism is something that is here to stay," Sartin says. "These are individuals who are mainly unaffiliated with any one group, taking advantage of the fact that law enforcement doesn't have the bandwidth to go after them."
Hacktivist attacks gain widespread media attention, which has fueled interest in security technology and services to address it, he says.
"Activists are just using cyber as a way to express an opinion and I think they have had quite an impact," McAfee's Dirro says. "It's interesting to see that every day companies are getting hacked from nation-state sponsored actors, but what finally makes them take action are the hacktivism attacks in the news."
BUILDING A DEFENSE
So how do you defend against a threat actor that isn't clearly identifiable, has an unknown number of members and a loosely defined set of principles?
Experts say the high-profile nature of hacktivist attacks makes planning for a hacktivist related breach essential. Many security vendors offer threat feeds, which can alert security teams when a new threat is detected and provide guidance on defense mechanisms. Security best practices – from keeping software updated to maintaining an intrusion prevention system and proactive log monitoring – prevail in defending against any security threat.
But post-breach response, which includes communicating with authorities and customers should be done carefully, says Ellen Giblin, an attorney that specializes in privacy and data protection at the Washington DC-based consulting firm, Ashcroft Group. Hacktivists have raised the stakes, making breach response and disclosure a messy process.
"It has delivered up a whole other avenue and reason for why folks make you a target," Giblin said. "It's getting more and more interesting trying to figure out how to capture the threat, understand it, monitor it and how to defend against it."
Organizations retooling their incident response plans should involve its legal team, a best practice that is sometimes a missed opportunity, she says. The company's legal team can help navigate through breach disclosure rules and other regulatory compliance mandates. Targeted organizations also need a way to counter the negative publicity following a hacktivist attack, she says.
Overall, incident response is immature in most organizations, says Rick Holland, a senior analyst at Forrester Research. Holland, who is developing an incident response security model as part of his research, says organizations need to provide a way for responders to quickly communicate issues to decision makers. Larger organizations with business units distributed around the world need to do a better job empowering incident responders, so they can shut down servers and isolate problems.
"There's a fine line of having all the processes in place, but you also need to make sure the people on the ground and in the trenches can do what they need to do to put out the fires," Holland says.
Mature organizations have most incident response processes documented and everyone on the incident response team knows their role if a problem is detected, he says. Those organizations conduct incident response simulations annually with information security teams getting drilled more often.
Knowledge of the threat landscape and the threat actors that are most likely to target the company is extremely important in incident response planning, according to Holland. Organizations in the financial and government sectors are the most proactive about hacktivism, he adds.
"I have clients who create fake Twitter and IRC personas to do human intelligence collection or are downloading and parsing through things so they know if an attack is imminent," Holland says. "In the financial services world, hacktivsts might be one of their top threat actors."
About the author:
Robert Westervelt is news director of SearchSecurity.com. Send comments on this article to firstname.lastname@example.org