RSAC: Threat Actors Weaponize Hacktivism for Financial Gain
Hacktivism has become increasingly blurred with financial cybercrime and nation-state activities, with threat actors deliberately aligning with causes to facilitate their various motivations, according to Alexander Leslie, threat intelligence analyst at Recorded Future.
Speaking during the RSA Conference 2024, Leslie highlighted how purported hacktivists are increasingly attaching themselves to geopolitical events around the world, such as the Israel-Hamas war, and using those causes to launch attacks for financial gain or in support of nation states.
In this way, hacktivism has moved from being reactionary to opportunistic.
“Hacktivists have very little capacity to affect the situation on the ground, and in order to make as much money as possible and garner as much reputation as possible, they claim to be involved in the hostilities,” said Leslie, speaking to Infosecurity after the session.
Hacktivism’s Shift Since Ukraine Conflict
Traditionally, hacktivism relates to politically motivated cyber threat activity, designed to attract the public to a cause. However, this changed radically in 2022 following the Russian invasion of Ukraine, according to Leslie.
The Recorded Future platform identified approximately 75,000 references to unique hacktivist attacks in the first year of the war. These targeted entities in Ukraine, Belarus, Russia and across NATO member states.
Leslie said that groups quickly recognized the opportunities of utilizing social media and other public facing platforms, including often dark web forums, to operate under the guise of hacktivism in relation to the conflict.
Leslie said: “Threat actors understood there was a lot of publicity to be made for themselves if they participated in hostilities, given the entire world was focused on cyberspace in regard to Russia and Ukraine.”
Many of these groups are amplified by the hacktivist collective Anonymous, which has evolved into a very different entity in 2024 compared to when it rose into prominence from targeting governments and other political entities over specific issues.
It now essentially acts as an amplification channel for “affiliates,” which are generally financially-motivated cybercrime groups, said Leslie.
Similarly, the Israel-Hamas conflict that began in October 2023, has been targeted by a large number of purported hacktivist groups, most of which are well established and financially motivated.
In one example highlighted in the presentation, a threat actor claiming to be pro-Israel and anti-Hamas, breached the Palestinian National Institute of Public Health, a UN-funded institution in the West Bank. It sold its access to a database stolen from the body, which contained the health records of 200,000 Palestinian civilians. This database was subsequently dumped on the dark web for forum credits by another hacktivist group.
“This is a perfect example of how hacktivist groups, even if self-proclaimed, will target entities that are clearly intended to provide support for civilians and are legitimate,” noted Leslie.
Providing Plausible Deniability for Nation-States
Leslie added that nation states also leverage groups masquerading as hacktivists for operations like espionage and attacking critical infrastructure.
This is designed to give governments “plausible deniability” for such incidents, thereby absolving themselves of accountability and limiting the response from the victim nation.
“A nation state being able to deny itself accountability for an attack means we have an attribution problem and not everyone can action on evidence,” explained Leslie.
One example of this is the group known as ‘Free Civilian’, which 90 minutes before Russian began its invasion of Ukraine in February 2022, listed a series of Ukrainian targets’ databases and initial access for sale on the dark web. It has since been attributed to the group responsible for the Whispergate wiper malware that impacted government, IT and non-profit organizations across Ukraine a month earlier, in January 2022.
Leslie also cited the attack by the pro-Palestinian group’s “Cyber Av3ngers,’ which claimed an attack on Israeli manufacturer Unitronics at the end of 2023. This impacted US water and wastewater services that used Unitronics’ programmable logic controllers (PLCs).
This group has since been attributed to Iranian intelligence services by multiple sources, including Mandiant.
“Iranian intelligence services leveraged hacktivist personas for plausible deniability,” said Leslie.
Be Cautious About False Claims
Leslie urged organizations to exercise caution in relation to hacktivist claims of attacks on social media, and to avoid making strategic decisions on the back of them. He noted that the “overwhelming majority” of such claims are false, misleading or exaggerated, aiming to generate a reaction in target organizations, such as launching incident response processes.
Their aim in making these claims is often to gain notoriety or to feed their ego, such as the Killnet group that makes a lot of false claims about attacks. “Volume does not equate to impact,” emphasized Leslie.
Leslie told Infosecurity that many of these financially-motivated groups understand that most cybersecurity journalists and threat researchers are watching their activities on public platforms, such as social media and dark web forums.
“A lot of these financially-motivated groups understand that there is a significant public facing aspect to all of this,” he noted.