Activism through hacking, or hacktivism, is the practice of carrying out cyberattacks for ideological or cultural purposes.
Historically, some of these actions could be compared to real-world protests, "congesting" the network with Distributed Denial of Service (DDoS) attacks in the same way that protests take over city streets and avenues. However, this activity can no longer be viewed this way.
Although hacktivist DDoS attacks continue to be recurrent, many hacktivist actions now involve system breaches and even intelligence gathering. The consequence is that these hackers frequently expose data with military or political value.
The political tension in the Middle East, which has lasted for decades, has created ideal conditions for a large breeding ground of hacktivist groups. These groups operate ideologically, often reacting to real-world events.
In this context, an emerging complication is the sophistication of these hacktivist groups and the expansion of targets considered valid by these groups. The first point of concern is that hacktivists may choose a target solely because of the presence of executives linked to a country or ethnicity, even if the company has no headquarters or office in the region of interest.
An even bigger issue, however, is the need for financial resources to sustain hacktivist operations, which has been profoundly changing the characteristics of these groups.
Funding Beyond Hacktivism
When hacktivist actions are carried out by just a few individuals, they typically need access to IT infrastructure and other resources that, generally speaking, must be purchased with money.
To finance the infrastructure necessary to reach their ideological targets, certain hacktivists have accepted acting as "mercenaries," renting out their attack capabilities to third parties interested in obtaining quick results.
In the case of more sophisticated groups, hacktivists even breach companies and resell that initial access to other criminal groups that make no ideological distinction in their attacks. The sale of this access also helps finance hacktivism, including the purchase of exploit code for vulnerabilities.
While it's necessary to recognize and point out the existence of these more sophisticated actors, it's still true that many hacktivist groups dedicate themselves primarily to carrying out Distributed Denial of Service (DDoS) attacks. In the case of these groups, renting DDoS infrastructure and forming alliances with other hacker collectives are the main methods for expanding the scope of their activities.
A group or individual known as Mr.Hamza exemplifies this type of activity.
It's also possible that hacktivist groups receive financial incentives from other groups or organized entities, but this type of support is harder to trace.
In any case, there are groups with significant resources. For example, the group known as Blackfield has already offered $500,000 to acquire an exploit (code that exploits a vulnerability), which demonstrates the financial robustness of hacktivists.

Blackfield Group selling information about individuals and bank accounts to other hackers on a forum frequented by ransomware operators.
Summary of Hacktivist Group Funding
- Crowdfunding: Groups attract ideological sympathizers and ally themselves with other organized entities.
- Extortion: Hacktivist groups may demand that companies and individuals pay to cease specific attacks.
- Hacking services: Groups rent out attack capabilities, such as DDoS and breaches, to third parties.
- Sale of data and tools: During their actions, hacktivist groups gain access to data and systems that can be sold to other criminal groups, helping to finance future actions.
Involvement with Ransomware
The expansion of hacktivist groups' activities and alliances has also brought them closer to ransomware operators.
This was especially observed in the Cyber Fattah group, which released tools linked to a ransomware operation.

Messages from the Cyber Fattah group demonstrating alliance with the BQTlock/BaqiyatLock ransomware operation
The use of ransomware in hacktivist operations is a very clear example of how these groups' activities have gained a financial focus to sustain the advancement of ideologically driven cyberattacks, both in volume and sophistication.
Hacktivist Groups
The cyber world easily creates asymmetries. This means that the impact of actions is not always proportional to the number of agents involved or the power of the entities represented by these actions.
In this sense, it's important to understand that the forces on the two sides of a confrontation are not necessarily "balanced." Despite this, it's also not possible to state definitively that one side will be more effective than the other.
In the case of confrontations in the Middle East involving Israel, ideological motivation is not always the same. For example, it may be easier to find groups opposed to Iran (we identified 15) than favorable to Israel (we identified 10).
This ideological divergence may or may not be relevant, depending on the context of each moment.
In the case of Palestine and Iran, there is great ideological convergence. In part, this can be explained by religious solidarity. Many countries in the region have Muslim majorities, increasing the likelihood that residents of these countries feel some affinity with Iran and the Palestinians, even if they are not directly involved in the conflict.
Therefore, there are more than 100 groups that can be considered pro-Iran, geographically spread across Muslim-majority countries in North Africa and Asia.
Due to the convergence of interests, certain analyses indicate that some of these groups may be linked to national military and intelligence structures, either through funding or coordination of activities. However, a country rarely acknowledges the actions it carries out in the digital world.
In any case, due to the significant number of actors, techniques vary considerably from one group to another. There are groups like Pink Sandstorm, which specializes in installing wiper-type malware that destroys breached systems. Similarly, there are hacktivists specialized in long-term espionage or opportunistic exploitation of vulnerabilities.
Recommendations
Although the companies most targeted by hacktivist groups are those with some link to the countries involved in the confrontations that motivate this type of action, the need to finance their actions has pushed some hacktivist groups to expand their scope and run more diverse operations.
Therefore, all companies should have Cyber Threat Intelligence to stay aware of the techniques employed by hacktivists, treating them the same way as other adversaries.
Axur primarily recommends the following mitigation measures:
- Monitoring leaked credentials to invalidate passwords and other access codes that may have fallen into the hands of attackers.
- Brand and mention monitoring to identify when hacktivist groups show interest in attacking specific companies, including those that are relevant to the supply chain of certain sectors.
- Access to intelligence data about the groups and their actions.
- Use of research tools and Threat Hunting with access to hacktivist group information to investigate incidents and determine when they may be linked to hacktivist groups.
The Axur Platform offers a complete solution with all these features. Talk to one of our experts and discover how Axur can increase your visibility into these and other cyber threats.
