
Hacktivism resurges – but don’t be fooled, it’s often state-backed goons in masks – Source: go.theregister.com


Source: go.theregister.com – Author: Jessica Lyons

Feature From triggering a water tank overflow in Texas to shutting down Russian state news services on Vladimir Putin’s birthday, self-styled hacktivists have been making headlines.

But don’t let the Guy Fawkes avatars fool you. Today’s “hacktivists,” especially those going after critical infrastructure, often have more in common with government-backed cyber operators than with the digital vandals of the Nineties and Noughties. Threat intel analysts say their tactics, targets, and timing suggest something calculated, and far more connected to nation-state interests.


Earlier this year, operational technology cybersecurity firm Dragos revealed that in April 2024, pro-Ukraine hacktivist crew BlackJack compromised a Moscow municipal organization that maintains the city’s communication system for a gas, water, and sewage network. After pwning routers and sensor gateways, the gang deployed OT-specific malware dubbed Fuxnet, which Dragos reckons is only the eighth known industrial control system malware in existence.

While there haven’t yet been large-scale destructive attacks (in Western countries, at least) that can be traced back to hacktivists, many of today’s groups have ties to government intelligence agencies and growing connections to offensive cyber units. It’s all keeping network defenders on their toes and giving them a reason to keep tabs on these politically and socially minded crews.

And that isn’t to say all of today’s hacktivists are g-men. Some of these netizens may well be independent activists graduating from defacing websites to going after larger targets, spurred on by global political change. Experts we’ve spoken to, though, point to a more organized, underhand edge to modern hacktivism.

“The things that are happening now under the guise of hacktivism – perhaps they are independent or perhaps state-sponsored, but at a minimum states are intentionally looking the other way – these are sophisticated groups that are now doing things that are destructive,” Evan Dornbush, a former NSA computer network operator, told The Register.

“There’s a number of examples where groups have gone after infrastructure, water and water treatment facilities, energy utilities,” he added. “These are not just concerned citizens, cheering on their country. These are deliberately used as mechanisms that provide states with plausible deniability.”


This hacktivist resurgence may correlate with Moscow’s invasion of Ukraine in 2022, with individuals on both sides of the now-defunct “brotherhood” of Russian-speaking cybercriminals wading in. Groups including Killnet, Anonymous Russia, and Anonymous Sudan sprung into action in support of the Kremlin’s interests.

Most of these early attacks, aimed at Ukraine along with its European and at-the-time American allies, while annoying, weren’t very successful. They largely consisted of “nuisance-level” DDoS assaults targeting critical infrastructure sectors, flooding public-facing websites with bot traffic.

‘It is scary’

“One of the notable characteristics of hacktivism: It’s rarely about impact so much as it’s about visibility,” Google Threat Intelligence Group chief analyst John Hultquist told The Register. “The claims oftentimes outstrip reality.”

This doesn’t mean hacktivist attacks have zero impact, he added. “It could be psychologically impactful,” Hultquist said. “It could affect consumer trust in a business or a government agency, or trust in a process like the elections.”

The series of attempts by CyberArmyofRussia_Reborn1 to disrupt Texas water facilities via remote-management software in early 2024 had this type of impact. Only one known intrusion caused a system malfunction, which led to a water tank overflow. They didn’t poison the water supply or prevent people from turning on a faucet in their homes and drinking clean water, as is always the fear in a destructive attack against this type of critical infrastructure. 

Later analysis by cybersecurity researchers suggested the water facility intrusions may have been carried out by Russian military hackers posing as hacktivists.


“It is scary,” Hultquist said. “That group, which I know had ties to APT44 [aka Sandworm] had actually broken something. I was taken aback. This is serious. This is a line that has been crossed. It’s something we worry about, and sometimes the danger is the psychological impact.”

Still, he added, state-sponsored or not, hacktivists are largely opportunistic, and typically look for low-hanging fruit.

Hultquist said he’s seen groups seize on opportunities to attack poorly secured websites or IT infrastructure “outside the lens of ideology, and then literally gone out and looked for reasons, after the fact, to publicly claim why they did it. So it’s important to take some of this, like, it’s important to take some of their ideological motives with a grain of salt. Oftentimes it’s more motivated by ego.”

Don’t make it easy for them

As discussed, this isn’t to say that all hacktivists are government-backed groups in sheep’s clothing. These groups, and their motivations, run the gamut. Plus, as is often the case with most things in life, modern technology makes their lives easier.

DDoS-for-hire sites (aka booters or stressers), initial access brokers selling stolen network access that other criminals can use to break into computers, and the broader commoditization of cybercrime lower the barrier to entry for miscreants wanting to pull off all types of cyberattacks. Yesteryear’s DDoSes and page defacements are table stakes: the starter level for modern hacktivism, rather than its limit.

“The skill sets vary across hacktivist groups,” SecurityScorecard senior penetration tester David Mound told The Register. “But the benefit they have nowadays is that there are dark-web services for hire, and they can be fairly cheap and accessible for non-technical people to use.”

Considering criminals can buy a DDoS attack on the dark web for as little as $10, “it’s financially accessible, it’s technically accessible,” Mound noted. “The business of badness is becoming easier.”

On the opposite end of that spectrum are top-tier, government-backed crews clearly posing as hacktivists. They use attention-grabbing attacks to target critical infrastructure or as a smokescreen for espionage and other stealthy cyber activities.

“There are hacktivists that are simply not hacktivists,” Hultquist said. “They claim they are motivated by ideology, and the reality is they are simply following orders.”

As far back as 2014, we saw the infamous Sony Pictures Entertainment hack, in which attackers strongly suspected to be North Korean, purporting to be a hacktivist group called Guardians of Peace, wiped Sony’s infrastructure and leaked information.

More recently, Google linked Sandworm, the offensive cyber arm of Russia’s GRU military intelligence unit, to the cyberattacks on US and European water plants along with other wartime disruptive operations. But the unit used hacktivist personas on the Telegram channels XakNet Team, CyberArmyofRussia_Reborn1, and Solntsepek to publicize the illegal activities and share stolen data, thus masquerading as an independent hacktivist effort.

In late 2023, the FBI, NSA, CISA and other federal agencies blamed CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group, for breaking into “multiple” US water systems.

But we should add: this didn’t take much sophistication on the part of the hackers. According to the feds, the crew likely broke into US-based water facilities by using default passwords for internet-accessible programmable logic controllers.

This same group, however, was later spotted using custom malware called IOCONTROL to attack and remotely control US and Israel-based water and fuel management systems.


“Despite having the same – or maybe sometimes even more – access to the industrial side, they’re not locking up systems. They’re not even changing the admin passwords or putting in admin passwords, and oftentimes, these systems don’t even have passwords,” ABS Consulting director of industrial cyber Ron Fabela, an ICS security expert, told The Register. “After they make their videos, they’re not doing anything to effectively prevent the access or visibility to the operational assets.” 

As to why they aren’t taking that next step into OT disruptions, only the criminals have the answer. But it could be that, even if these crews are what Fabela calls “government-ignored” rather than state-sponsored hackers, a destructive cyber attack “may still bring down some attention that they’re not looking for from their governments,” he opined.

“The other speculation is that these are not one-to-many attacks,” he added. “They’re not gaining access to an enterprise and then popping 20 boxes and doing exfiltration. They’re finding a single system, and so it may not just be worth their time to go and lock up a single HMI.”

All of the network defenders that The Register interviewed for this story agreed that law enforcement actions against booters and other DDoS services, such as the ongoing Europol-coordinated Operation PowerOFF, are a step in the right direction – despite the resurgence of some botnets thought to have been dismantled.

‘Demystify’ the not-so-impressive attacks

But according to Fabela, government security alerts and private-sector blogs about hacktivists should do their part to “demystify” these groups’ operations by linking to the source materials. Hacktivists post videos of their exploits on Telegram and other social media channels and brag about their activities. Yet so many advisories that mention one of these groups’ Telegram channels don’t include a link to the video or post.

“This made me furious,” Fabela said. “They [the hacktivist groups] are publicly putting this out there. There’s nothing to protect other than if I was a researcher and I wanted to beat other researchers to the punch, then I wouldn’t give them my list of Telegram pages that I follow. So then it comes down to ego.”

To this end, he’s compiled a public list of Telegram accounts that have posted attacks against critical infrastructure.

“The more we demystify the source for this data, and then also devalue or demystify their abilities – at least the abilities that they’re showing to the public – that opens up room in the community to treat it like an immune response,” Fabela said, adding it’s akin to getting a cold.

“This isn’t great, but it didn’t kill me,” he explained. “So how can we allow this now to have the impact next time? It’s already happened, let’s try to utilize it for good, because it would be foolish of us to think that it won’t become impactful, or that we won’t have even an accidental impact with these groups online, pressing buttons. I consider us lucky that we’ve had a year of the same old, same old. Now let’s do something with it.” ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/04/13/hacktivism_is_having_a_resurgence/
