FEATURE
Hacktivism goes hardcore
Tracey Caldwell, freelance journalist
Network Security, May 2015
Hacktivism is no longer driven by well-meaning amateurs or bored teenagers, if it ever was. The nature of hacktivism is changing and cause-based activism typified by the Anonymous collective is being replaced by heavy-duty, politicised attacks by the likes of the Syrian Electronic Army and ISIS – or even attacks carried out by nation states. Hacktivism intended for social and political protest can have unintended (or intended!) impacts on organisations of all sizes caught in the cyber crossfire. “Hacktivism has lost its innocence,” writes John Leyden in The Register.1 “The party’s over. And we’ve woken up not just with a hangover, but with what’s arguably an increasingly militarised Internet on multiple fronts.”
According to David Emm, principal security researcher at Kaspersky Lab: “Technology is woven into the fabric of our lives now, so it’s no surprise to find the real world reflected in the cyber world. This can include those who want to make money, steal data, disrupt services, deface resources or simply make a social and political point. I don’t think this will bring an end to casual web defacements, or the use of the web for social and political protest. But the same tactics are likely to be used by attackers of all kinds. In this sense, it’s hard to tell whether an attack can be defined as ‘hacktivism’ (ie, social and political protest), or if it’s part of a wider campaign.”
Origins of hacktivism

James Maude, security engineer at endpoint security software firm Avecto, points out that hacktivism originated as a means of semi-peaceful political protest, with Anonymous playing a key role in disseminating information during the Iranian elections of 2009. This evolved into digital blockades in which large groups of protesters flooded major websites with traffic, preventing legitimate access as a protest against a perceived injustice. “More recently, however, the landscape has become much darker, with extremist groups mounting aggressive campaigns to spread fear and propaganda,” he says. “The threat is no longer having access to your website temporarily blocked but having your data breached, website vandalised and reputation destroyed.”

The threat landscape is always evolving and hacktivism is no stranger to change. In an era where technology is pervasive and every organisation depends on it to fulfil its business objectives, attacking those platforms and systems creates severe disruption and can even bring a business to a halt. Ramsés Gallego, international vice president of ISACA (the independent association for professionals involved in information security, assurance, risk management and governance) and security strategist and evangelist with Dell Software, explains: “Hacktivism is a new way of protesting, it isn’t going away – on the contrary – and it has been confirmed as one of the many threats that companies, organisations and governments have to consider as part of the threat landscape. Hacktivism is a global phenomenon and a way of not only gaining visibility, but creating harm. Some see it as a way of protesting but we have to be aware that when motivated by political reasons or based on religious motives, protests can have far-reaching and unforeseen implications.”

He adds: “I think we have to realise that, in a globalised world, more threats and attacks can come from any part of the globe. For example, a group may decide that it disagrees with the green policy of a multinational and then decide to air these grievances by hacking or infecting said company’s corporate website.”

Security firm iSIGHT Partners defines hacktivism as cyber threat activity that is motivated by ideology or rationale, whether religious, social or political, and that has the objective either of directly altering the actions or opinions of an audience or of enacting justice. Joe Gallop, strategic lead for hacktivism threat intelligence at iSIGHT Partners, says: “Hacktivism as a threat source is often mistakenly confined to Anonymous-affiliated hackers, or to grassroots groups that hold to conventional anti-security and anti-establishment ideologies. Although the Anonymous movement during 2010-12 was a watershed for both the concept of hacktivism in general, and for certain hacktivist methodologies in particular, the security industry must recognise hacktivism’s evolution in the years since the dispersal of the Anonymous collective’s figurehead faction, LulzSec/AntiSec.”
He adds: “The sophisticated LulzSec/AntiSec faction, strengthened in influence by sheer numbers in the broader Anonymous collective, demonstrated to the world how impactful hacktivist activity could be. In the two years that followed AntiSec’s disbandment, in March 2012, iSIGHT Partners continually advised that national governments would not ignore the potential of using hacktivism as a tool to achieve their own social, political, and geopolitical objectives.”

In his view, hacktivism has not become more politicised; it is simply that effective hacktivist activity is being driven by a different element of the political system. “We have already observed numerous instances in which hacktivist-style, publicly disruptive attacks have been conducted by groups potentially – and in some cases almost certainly – backed by nation state directives. Attacks conducted by the al-Qassam Cyber Fighters, Anti WMD Team, Parastoo, Syrian Electronic Army and Cyber Berkut are good examples. This is a growing trend that has shown no sign of decreasing over the past two years.”
Changing spots

Many observers believe the nature of hacktivism changed following the arrests of individuals involved in Anonymous, many of them teenagers, and the turning by the FBI of Hector Xavier Monsegur, an unemployed 28-year-old Puerto Rican living in New York.2 Monsegur was revealed to be Sabu, the leader of the LulzSec hacktivists who were behind a number of cyber raids against targets including News Corporation, the intelligence consultancy Stratfor, UK and US law enforcement bodies and the Irish political party Fine Gael.3

Maude at Avecto explains: “The public arrest and prosecution of a number of high-profile hacktivists has served as a shot across the bow to warn off well-meaning amateurs thinking of engaging in hacktivism. As more extremist organisations turn to hacktivism, and the media talks of cyber warfare, ordinary citizens are reluctant to end up branded as terrorists. Hacktivism has shifted from a liberal voice protesting about injustice to a radical one denouncing and attacking others. Hacktivism has become a marketing and recruitment tool to many radical groups. A compromised Twitter account can be used to spread a message and make an organisation seem far more powerful and far reaching than it actually is; this is a powerful political weapon.”

He points to the case of Geoffrey ‘Jake’ Commander, a 66-year-old British rock guitarist with the Electric Light Orchestra (ELO), as a good example of why well-meaning amateurs are being deterred. “The musician allegedly joined the 1,000 Anonymous members’ DDoS protest attack against MasterCard in 2010, running the LOIC (Low Orbit Ion Cannon) tool on his computer to amplify the attack for three hours. He was arrested three years later and faced up to 10 years in federal prison for his part in the attack, which cost MasterCard $1m. These kinds of prosecutions have raised the public’s awareness of the legal implications of hacktivism and resulted in a shift to only those already operating outside the law becoming involved.”

Mark James, ESET security specialist, says: “I think the arrests of the Anonymous members made some people sit up and listen to the authorities stating that they will catch and find them. It’s easy to believe that you are uncatchable when working as a collective doing something you believe is right; but once your real friends or members start getting caught then it’s a completely different matter.”
Real-world wars go online

In recent months, hacktivism has shape-shifted and taken real-world wars online. “The game changer, especially with regards to things like the Syrian Electronic Army (SEA) and ISIS, is they have found that there is a large amount of publicity that can be gained from these types of attacks,” says James Pledger, director of research at RiskIQ.

With ‘how-tos’ on hacking accessible all over the Internet in the form of videos and articles, the fact that ISIS has learned how to hack high-profile websites to make its voice heard is not surprising, according to Yuval Ben-Itzhak, CTO at AVG Technologies. He believes this form of cyber terrorism – driven by politically motivated conflict – is neither new nor unique. “For years we’ve witnessed a close correlation between tensions in the Middle East and the number of cyber-attacks detected in conflict zones,” he says. “Political conflicts between Turkey, Syria, Lebanon, Israel, Egypt and Palestine have also regularly triggered waves of cyber-attacks, such as website defacements and denial of service attacks. To name a couple, back in 2011 the Harvard website was hacked by Syrian protesters and, the year before, Turks hacked Israeli Facebook accounts over the Gaza blockade incident.”

The focus on cyber terrorism today is less about the threat landscape changing and more about our increased attention to it, Ben-Itzhak believes. “ISIS’ high profile status means we are acutely aware of their online actions through the media, particularly when targets include household names like TV5Monde,” he says. “In times of conflict, these kinds of cyber-attacks will continue and we can only expect to see more online activity from groups like ISIS in the near future. Consumers and businesses must make sure they protect themselves in cyberspace once terror or political conflicts arise.”
Anonymous – a spent force?

In recent months Anonymous has mounted operations against ISIS and Russian leader Vladimir Putin, but many commentators believe these have not had as much impact, or gained as high a profile, as its operations in the past. “Anonymous is certainly a spent force at this point, and there is only slim opportunity for its revival,” says Gallop. “The level of broad-based public participation inspired by unsophisticated Anonymous-affiliated groups has consistently decreased as other actors begin to recognise these groups’ lack of notable success toward objectives. Although some emerging groups may initially inspire participatory activity through the use of well-crafted propaganda, inciting the involvement of large numbers of rank-and-file actors will almost certainly require a reputation built on consistently proven, successful attacks against high-profile entities over an extended period of time. This has not been seen since the disbandment of AntiSec.”

In Maude’s view, when Anonymous targeted big corporations it had clear targets and objectives, such as a website or office. “As their focus has turned to ISIS and Putin, these targets aren’t as clearly defined,” he says. “Their adversaries operate in a decentralised and distributed manner, so even if you can take down one social media account, hundreds more will continue to spread the message. So even though they are certainly not a spent force, the impact of their recent operations is not as obvious or clear cut as in the past.” He adds: “Recent prosecutions will have made them more cautious and forced a more covert approach to their operations. In reality modern hacktivists do not require large numbers of members – just a select few skilled ones. The lack of appetite among the general public for hacktivism will not have diminished their potential as techniques have moved on from large-scale DDoS attacks.”

Michael Paling, cyber-security recruitment lead, Cornucopia ITR, says: “The relatively high-profile arrest of Sabu was the beginning of the end for Anonymous as we knew them. The organisation began with a strong, centralised leadership – but this eventually gave way to an ‘allows all comers’ mentality. Following the Wikileaks incident, it is no wonder that the leadership has quietly crumbled – it’s immensely difficult to simultaneously irritate every government in the world and continue with no consequences. Snowden and Assange, for example, are living lives of exile. They have only avoided jail by the immensely public nature of their efforts – Anonymous did not have that luxury and have faced different issues because of this.” He points out that Anonymous has an almost unique structure, encouraging all-comers to pursue social justice under the ‘Anonymous’ handle, which makes it very difficult to destroy. “Anonymous is a movement, as opposed to a group. The movement defines itself with intangibility – similar to the French Resistance in WW2, or the Masons. So long as there are individuals willing to work under the ‘Anonymous’ handle, the group will remain an active force – albeit with differing levels of effectiveness,” he says.
Nation states

Website defacement is one of the most common activities of hacktivists. As hacktivism evolves, there is increasing evidence that nation states and more well-resourced and organised forces are using the techniques of hacktivism. RiskIQ’s Pledger says: “I believe that we have been seeing a large amount of hacktivism that has either direct or indirect support of nation states. In 2007 we witnessed a large amount of hacktivism targeted at Estonia. As people become more dependent on technology, the absence of these services can cripple business, government functions and simple things. The attacks in Estonia could be viewed as a dry run of some of the cyber-attacks that then happened prior to physical attacks that occurred in Georgia in 2008 and some of the actions that are happening in Ukraine more recently. While there isn’t any definitive attribution, it has very interesting timings and to most casual observers these events are somehow related.”
Syria pioneered the public adoption of hacktivism for government interests, according to Gallop: “While there is some confusion as to whether the hacktivist group Syrian Electronic Army existed and was active before being sponsored by the state, there is no question that some level of support has been given by the state, and the SEA has openly admitted to cooperating with officials in the Assad regime.”

In Gallop’s view this openness is one of the main differentiators between hacktivism serving Syrian government interests and hacktivism serving Russian government interests in the Ukraine conflict: “The primary pro-Russian hacktivist group, CyberBerkut, is likely supported by Russian authorities, but labels itself as a Ukrainian resistance group. This difference in openness illuminates the trigger points for each of these nations to sponsor hacktivist activity. Simplistically put, the Syrian regime is driven by the recognition that it is in an existential dilemma, and therefore the regime has no aversion to seeking the most direct route toward survival. On the other hand, the Russian authorities are driven by a much more nuanced desire for resource dominance and hegemony, resulting in efforts to subvert foreign governments and influence public opinion in surrounding nations, while maintaining plausible deniability. Similarly, we can identify tipping points for other rogue nations – Iran: inhibition of its elements of national power; North Korea: affronts to national honour – which can help us to anticipate potential future actions.”

TK Keanini, CTO at Lancope, highlights the fact that, in general, nation state threat actors and hacktivists are very different in the way they operate. “The nation state actors never want to be discovered, and their activities never disclosed, whereas hacktivists are all about making headlines and being the loudest threat actor in the world,” he says. “These are not compatible and the only time a nation state threat actor wants to be known is when it helps them divert from some other activity.”

Hacktivism is often suspected of being used by nation states as a cover for espionage, providing a ‘fall guy’ in the event an operation is detected, according to Maude. “It is well known that many nation states dedicate military units to cyber warfare, recruiting and training highly skilled individuals,” he says. “From the CIA to ISIS, most people recognise that the digital battlefield can be just as important if not more so than the physical one. Hacktivism provides a platform to discredit opponents, show prowess and spread political messages.”

Of course it may be convenient for nation states to blame hacktivism for their actions. Attribution of an attack is often impossible: anyone could hack a website, publish stolen data or hijack an organisation’s social network account and claim it was done by ‘Anonymous’ or any other group. As Kaspersky’s Emm points out: “This is one of the things that makes cyber-attacks viable for a wide number of groups.
They are cheaper and easier than a real-world attack and it’s much easier to remain hidden.”

The reality is that nation states have the benefit of being able to throw resources at cyber-attacks in a way that amateur hacktivists cannot, enabling them to mount attacks on a different scale. Amateurs rely on methods such as exploiting coding flaws, circumventing encryption or phishing emails, because the financial and hardware cost of a brute-force attack is beyond their means. Paling at Cornucopia ITR says: “If a state puts its resources into a hack, it becomes immensely more difficult to defend against.” However, he points out that poor security can even enable amateurs to carry out large-scale attacks: “The scale of the hacks on Sony was largely due to their cyber-security structure – their head of department was promoted up from marketing, and the skills of their professionals were either undervalued or ignored. The method of this attack originally landed the blame on North Korea – specifically because of the scale, and effectiveness of the attack. This was a straight breach, and not an avoidance of security protocols.”

Governments are taking the threat seriously. “What we are seeing is countries that are preparing to combat cyber threats as they traditionally have prepared for full-scale military campaigns – just look at the United Kingdom and United States’ joint cyber-security initiative earlier in the year, and the British Army’s latest creation of a full-fledged cyber warfare dedicated regiment in West Berkshire,” says ISACA’s Gallego. He adds: “We are also increasingly experiencing nation states effectively running virtual ‘black ops’ missions too, but just who and where it’s more difficult to say. The fact of the matter is, we are living in times where a company can attack a company, a nation can attack a nation and any other combination goes too. It’s this complex combination of actors that makes the space so truly disruptive.”
Tools and techniques

Hacktivist tools and techniques are becoming more sophisticated too. “Increasingly, we are seeing blended threats that actually combine different approaches, meaning a well-prepared attack now combines several angles, such as email or a USB drive, and then escalates privileges together with a phone call that triggers some social attack,” says Gallego. “The majority of these attacks are now well-planned and that should send the message to us as a society that with the rapidity and complexity of these new threats, awareness is of utmost importance.”

Maude has seen techniques evolve from causing minor inconvenience by disrupting traffic to a website to inflicting serious reputational damage by vandalising the website and leaking data. As hacktivism is no longer part of a peaceful protest but a weapon in a digital war, the tools and techniques used are much more aggressive and designed to inflict damage. “Often these attacks are not sophisticated,” says Maude. “Take the TV5Monde example, where ISIS supporters defaced the website and social media feeds of the French TV channel. The attack was initially thought to be very sophisticated but it later transpired that simple shared passwords were to blame after the network broadcast footage with the passwords written on Post-it notes in the background.”

This is a common theme as hacktivists turn to social engineering and phishing attacks to harvest credentials and gain access to an organisation. Once inside, they try to gain access to as many systems as possible to maximise the damage inflicted. Keanini points out: “Most of the threat actors out there today no longer have to be sophisticated in exploitation and evasion, because there are tools and services for sale in the dark markets that they can resource. This has changed the game significantly for all threat categories including hacktivism. This is the biggest evolutionary step in the past five years.”

Paul McEvatt, lead security specialist and cyber consultant UKI at Fujitsu, adds: “It’s very easy now to rent DDoS-as-a-service, with such platforms available on the standard and dark web for relatively low prices. Figures from DDoS provider reports suggest that this hasn’t slowed down and there have also been reports of insecure home routers being compromised to form botnets.”
Preparing defences

It is a challenge for organisations to defend themselves against hacktivism and respond to an ever-evolving threat. Defending an organisation from hacktivism is a complex problem that requires protection against threats from external sources as well as from within the organisation. In addition, established approaches to information security theory and practice do not always work, in the view of Luke Forsyth, a vice president in the Information Management Services practice at AlixPartners, LLP.

“Traditional defences are focused on preventing external threats motivated against the organisation, most of which are usually economic or government sponsored and therefore reasonably able to be modelled, if not predicted,” he says. “But with hacktivism, assets that would not otherwise be targeted may be the subject of attack. Similarly, internal information security threats are usually the result of mistakes and, even where deliberate, have been motivated by economic or other situations that can be modelled if not predicted. However, the motivations of hacktivism are largely political or religious and therefore volatile and both legally and technically difficult to predict.”

Some organisations rely on background checking, but as Forsyth points out, in the famous examples of insider hacktivism, Manning and Snowden, the individuals concerned had been the subject of extensive background checking. “Changes in the health, wealth or life-balance of a relative, friend or even acquaintance can significantly change our own outlook, and this is in addition to changes in our own lives. All of these changes can, as we have seen with Snowden and Manning, be very hard to predict. There are controls and continuous background checking methods, but these can be invasive, expensive and can also impact agility in achieving organisational objectives.”

Gallego at ISACA recommends that organisations defend themselves on a number of different levels. “Certainly technology will help, but we should not forget that, at the end of the day, it is people that are operating these technologies,” he says. “It is imperative that any security programme incorporates robust awareness training and solid processes and we remain aware of some core values – process, technology, culture, structure and strategy. Companies need to understand who reports to whom in the security equation and we should embrace new technologies, given the right processes. We should adapt to and adopt our new realities by asking the right questions and fully understanding what’s at stake – for that, communication will always be fundamental. No security programme can work without a holistic vision: from detection to recovery, providing awareness at every level, that is the key to responding effectively to the threat posed by hacktivists and their attacks.”

The specifics of how to protect against hacktivism will vary with the size of the organisation and the business it is in. However, all organisations should start by looking at what they have that might be valuable to an attacker – including intellectual property, customer data and partner data – and how an attacker might seek to gain access to the organisation. As Emm explains: “From this, they need to build a strategy to defend their assets. This includes technology. But it is also an issue of policies and procedures – for example, network segmentation to make lateral movement harder if an attacker manages to breach the outer defences. It also needs to include staff education, making security the responsibility of everyone in the organisation. This can only be done if the organisation puts time and effort into raising the level of awareness among employees.”
Technology to protect the network

Technology should be a key part of a broad strategy to protect the network against hacktivism. “Because of the advanced threat actors these days, companies need to turn the network itself into a sensor and ensure that there is an auditable record of all transactions that can be analysed for anomalies as well as well-known attacks,” says Keanini. “The problem is that these threat actors already have credentials when they are operating on your network, so no traditional security alarms go off. You need to employ technology that spots their anomalous activity and act on this behaviour early in their operations, prior to their goals – exfiltration, ransomware, etc.”
Hacktivism is not the main security attack organisations have to worry about. In September 2014, Hackmageddon’s ‘Motivations Behind Attacks’ chart recorded an unprecedented peak for cybercrime, the number one motivation, with a 70.8% share of attacks (versus 56.3% in August).4 As usual, hacktivism ranked second with 18.1% (28.2% in August), while cyber-espionage operations came third at 11.1%.

Should organisations respond differently to attacks by hacktivists than to other attacks or data breaches? “Great question. I would say no,” says Keanini. “When you look at every attack continuum as it relates to hacktivism, cybercrime, nation state, in the end they look and act very differently, but early in their lifecycle they all look the same and this is where you want to be able to detect and respond appropriately. They all begin by getting some foothold in your network and they [employ] a series of operations where you will have a chance to shut them down. It is not until the later parts that they become very different and by that time it is very expensive for you to take action.”

DDoS attacks are among the most common types of attack deployed by hacktivists, according to Ashish Patel, regional director, network security UKI for Intel Security, as sending a sudden flood of traffic can be a simple and effective way to cause a disruptive company outage. This technique can also be used to distract administrators while hacktivists slip in the back door. “Since an attacker uses standard traffic in a malicious way, there’s nothing abnormal about the traffic itself – which can make such an attack extremely difficult to detect in advance. As such, it’s vital that companies have deep insight into the traffic flowing through the network and are able to measure and analyse traffic volume as well as content,” says Patel.

He adds: “Today techniques deployed by hacktivists are more sophisticated and planned out than ever before. Hackers will often research a company’s network for months at a time to identify the weak links in the network – whether that’s an employee or a technology system. Using stealth-like attacks, they are able to break through many traditional firewalls using rarely used protocol properties in unexpected combinations to disguise themselves. Using this technique, once hacktivists are in, they are often able to lie undetected on a network for weeks or months – wreaking havoc and destruction without detection.”

Best practice is for companies to ensure their firewall contains specific protection against these advanced targeted attacks and offers connected security across the entire network. “Running disconnected security leaves the door open. An imposter may be blocked at one point on the enterprise network, but will then trawl the network using ‘trial and error’ until a suitable vulnerability that can be exploited is found,” says Patel.

As ESET’s James says, if you are on the receiving end of an attack then, for all intents and purposes, hacktivism and criminal attacks are the same thing: “Just like any other threat, education in the techniques being used, a good point of contact if something goes wrong, monitoring all your data traffic and managing your staff correctly will help. Keeping your security software, day-to-day applications and operating systems up to date is a must and regular procedures to ensure all the above is working as smoothly as it can be, having a clear documented response when and if something goes wrong and what procedures should be followed again will make it easier to deal with.”
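Keanini’s call to turn the network into a sensor whose records can be analysed for anomalies, and Patel’s point that a flood is made of ordinary requests and is only visible in their volume, come down to the same piece of detection logic. What follows is an added example written for this article, not code from Lancope, Intel Security or any other firm quoted here. It parses constructed web-server access-log lines, counts requests per one-minute window, compares each window with a rolling baseline of the preceding windows, and reports whether a spike is concentrated on one source or spread across many, since that decides whether blocking a single address will help. The log format, the thresholds (an absolute floor, a k-standard-deviation multiplier and a top-source share) and the sample addresses are assumptions chosen for illustration.

```python
# Added example, not code from the article or any firm quoted in it.
# Volumetric flood detection over constructed Common Log Format lines:
# count requests per window, compare with a rolling baseline, and report
# whether a spike comes from one source or many. Thresholds are assumptions.
from collections import Counter
from datetime import datetime, timedelta, timezone
import re
import statistics

# Common Log Format: host ident authuser [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "src": m["src"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def bucket_by_window(records, window_seconds=60):
    """Group records into fixed windows: window start (epoch) -> Counter(src)."""
    buckets = {}
    for r in records:
        epoch = int(r["ts"].timestamp())
        start = epoch - epoch % window_seconds
        buckets.setdefault(start, Counter())[r["src"]] += 1
    return dict(sorted(buckets.items()))


def detect_floods(buckets, history=5, k=3.0, min_rate=50, single_share=0.5):
    """Flag windows whose request count exceeds the rolling baseline.

    A window is flagged when its count is above both mean + k*stdev of the
    preceding `history` windows and the absolute floor `min_rate` (so a quiet
    site with a tiny baseline does not alert on normal variation). The alert
    records the busiest source's share of the window so a single-source flood
    (block one address) can be told from a distributed one (rate-limit, scrub).
    """
    alerts = []
    starts = list(buckets)
    for i in range(history, len(starts)):
        prev = [sum(buckets[s].values()) for s in starts[i - history:i]]
        mean = statistics.fmean(prev)
        stdev = statistics.pstdev(prev)
        current = buckets[starts[i]]
        total = sum(current.values())
        if total <= max(min_rate, mean + k * stdev):
            continue
        top_src, top_n = current.most_common(1)[0]
        share = top_n / total
        alerts.append({
            "window": datetime.fromtimestamp(starts[i], timezone.utc),
            "requests": total,
            "baseline": round(mean, 1),
            "top_src": top_src,
            "top_share": round(share, 2),
            "kind": "single-source" if share >= single_share else "distributed",
        })
    return alerts


def analyse(lines):
    """Run the pipeline over raw log lines, skipping any that fail to parse."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return detect_floods(bucket_by_window(records))


def constructed_log(flood_sources=3):
    """Constructed sample: ten quiet minutes of 6 req/min from three clients,
    then one minute of 900 requests spread over `flood_sources` addresses."""
    base = datetime(2015, 4, 9, 22, 0, tzinfo=timezone.utc)
    clients = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
    lines = []
    for minute in range(10):
        for n in range(6):
            ts = base + timedelta(minutes=minute, seconds=10 * n)
            lines.append(f'{clients[n % 3]} - - [{ts.strftime(TS_FMT)}] '
                         f'"GET /index.html HTTP/1.1" 200 5120')
    flood_start = base + timedelta(minutes=10)
    for n in range(900):
        ts = flood_start + timedelta(seconds=n // 15)
        lines.append(f'203.0.113.{n % flood_sources + 1} - - [{ts.strftime(TS_FMT)}] '
                     f'"GET / HTTP/1.1" 200 512')
    lines.append("not a log line")  # exercise the parse-failure path
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_log()):
        print(alert)
```

On the constructed data the ten quiet minutes never cross the absolute floor, and the eleventh minute is reported as a distributed flood with a top-source share of about a third; re-running with flood_sources=1 reports the same window as single-source. In production the same logic would run over flow records or firewall logs rather than a web-server log, and the baseline would be seeded from a longer history than five windows.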
About the author Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.
References

1. Leyden, J. ‘It’s war: Hacktivists throw in their lot with spies and the military’. The Register, 20 Apr 2015. Accessed May 2015. www.theregister.co.uk/2015/04/20/hacktivists_and_spies_feature_isis_anonymous/.
2. Cadwalladr, C. ‘Anonymous: behind the masks of the cyber insurgents’. The Guardian, 8 Sep 2012. Accessed May 2015. www.theguardian.com/technology/2012/sep/08/anonymous-behind-masks-cyber-insurgents.
3. Arthur, C; Sabbagh, D; Laville, S. ‘LulzSec leader Sabu was working for us, says FBI’. The Guardian, 7 Mar 2012. Accessed May 2015. www.theguardian.com/technology/2012/mar/06/lulzsec-sabu-working-for-us-fbi.
4. ‘September 2014 Cyberattacks Statistics’. Hackmageddon. Accessed May 2015. http://hackmageddon.com/2014/10/13/september-2014-cyber-attacks-statistics/.