Not every cybercrime is about, well, the crime. In fact, some attacks are designed to draw attention to a cause, not stolen data or paydays.
Social activism has been around forever. Today, it can manifest in the physical world, of course, and increasingly we see social activism in the digital world, too, ranging from minor activist activities all the way to high-profile cybercrime incidents.
The highest-profile of these activities — actual cybercrime — mark the desire to disrupt the status quo as a means to affect and control digital spaces and, in turn, instigate desirable outcomes in the physical world. These actions can involve unauthorized access, control or service disruption of digital resources that belong to a notable entity, all by means of hacking.
A portmanteau of the words hack and activism, the term ‘hacktivism’ refers to hacking activities performed in the digital world (cyberspace) in order to achieve social or political objectives. The targets of hacktivism typically include:
Hacktivism may be triggered by a standalone event, incident or a policy enforcement that potentially breaches the rights, sentiments or opinions of a mass audience.
Hacktivists take the initiative on behalf of a perceived aggrieved audience, carrying out hacking activities “on their behalf”. Hacktivism requires access to computing resources — such as botnets for DDoS attacks and virus packages for zero-day exploits — and advanced hacking skills.
Many true activists are quick to point out the notable differences between activism and hacktivism:
Traditional activism is concentrated geographically, as most breaches of a group of people rarely scale beyond their geopolitical situation. The scale is highly dependent on the number of participants. In fact, many activists consider a movement sufficiently vocal only when enough people gather to capture the attention of traditional news outlets. Two important attributes of traditional activism are the number and voice:
Though activism includes many actions beyond protesting, peaceful protesting can be a meaningful part of social movements. Indeed, a small number of protests achieve impact through some form of resistance or vandalism.
Digital activism, and especially hacktivism, relies heavily on the skill and ability of a hacker to produce an impactful cyberattack that can communicate the desired message to the wider public as well as to the status quo and the concerned authorities.
Hacktivism may not be a bottom-up approach. In fact, a successful hacktivist attack may instigate both:
The nature of such protests in the digital world may be global and diversified, and arguably, more vocal than a concentrated traditional protest that occurs locally in the physical world.
Another key differentiation is that hacktivism embodies immediate action. In 2011, the popular hacking group Anonymous launched Operation Tunisia against the government’s censorship and laws against free speech.
In 2010, decentralized coordinated DDoS attacks were launched by similar groups to protest actions against WikiLeaks. This was part of the Operation Payback hacktivism campaign against major financial and digital companies that blocked services to WikiLeaks.
Yes, those hacktivists may have been unable to achieve their desired outcomes of revolutionary overhaul of the political sphere and the economic status quo. Still, digital activism frequently achieves the following objectives:
The most common mechanisms center around information leaks, data breaches, or service disruption. Hackers might:
Another common approach is to execute a DDoS attack on the target servers. A DDoS attack overwhelms the target server with global traffic from thousands of bots, which renders the service unavailable for legitimate users during the attack.
Hacktivists may employ services from underground cybercrime rings, where botnets are available for hire and sold under something like a hacking-as-a-service model.
To better understand hacktivism, we spoke with Raluca Saceanu. Raluca is the CEO of Smarttech247, an enterprise cyber security organization and Splunk partner. She holds a Master of Science in Strategic Management from the University of Innsbruck and received the Women in Technology Advocate Award from Deloitte in 2021.
In this section, we've included Raluca's responses to our prompts.
In recent years, hacktivism has surged to prominence, blending the worlds of hacking and activism to advance political and social causes through technology. This convergence has had significant implications for the cybersecurity industry, which now faces the dual challenge of protecting clients from cyberattacks while understanding the motivations behind these digital protests. Anonymous, the most famous hacktivist group, emerged from the online message board 4chan in the early 2000s. Known for its decentralised structure and the iconic Guy Fawkes mask, Anonymous champions internet freedom, transparency, and anti-censorship. Despite its impactful campaigns, Anonymous's lack of clear leadership makes its actions unpredictable, which is the case for many hacktivist groups. This unpredictability underscores the importance for the cybersecurity industry to understand such groups in order to develop effective defence strategies against hacktivist threats.
As hacktivist activities become more sophisticated, they often blur the lines with cyber warfare, where state-sponsored groups or politically motivated hackers target nations' critical infrastructure. This intersection of hacktivism and cyber warfare underscores the growing threat of politically driven cyber attacks that aim to destabilise governments, disrupt economies, and sow societal discord. By exposing sensitive information or disrupting critical systems, they aim to weaken the target's position and create a favourable environment for their own strategic interests. Such attacks are particularly potent in the context of international conflicts and political rivalries, where cyber warfare can be a tool for asymmetrical engagement.
Since the onset of the Russia-Ukraine conflict in 2022, both state-sponsored hackers and independent hacktivist groups have launched numerous cyber attacks. Such attacks aim to undermine the enemy's infrastructure, sow chaos, and erode public morale. By targeting essential services like the power grid, hackers can create significant disruption and psychological impact, highlighting the strategic value of cyber warfare in modern conflicts.
In the context of hacktivism, a DDoS attack involves flooding a target's server with an overwhelming amount of traffic to render it inaccessible. This tactic is used to disrupt the normal operations of a website or online service, effectively silencing or punishing the target. Hacktivists opt for DDoS attacks because they are relatively easy to execute and can cause significant disruption without requiring deep technical expertise. The attacks draw attention to the hacktivists' cause by making a public and noticeable impact. By temporarily shutting down websites of government agencies, corporations, or other organisations, hacktivists can protest against perceived injustices and attract media coverage. In 2023, hacktivist groups claimed responsibility for over 1,800 DDoS attacks within a two-month period, as tracked by the Radware Threat Intelligence team. These attacks targeted a variety of countries, with the most frequent targets being Israel, India, and Australia. This surge in activity underscores the significant role hacktivism continues to play in the global cyber threat landscape.
One of the most famous instances of DDoS, Operation Payback, orchestrated by the hacktivist group Anonymous in 2010, involved a series of DDoS attacks targeting organisations perceived to oppose internet freedom. Notable targets included the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA).
Anonymous initiated Operation Payback in response to these organisations' efforts to shut down file-sharing websites. By overwhelming the targets' servers with traffic, Anonymous aimed to disrupt their operations and draw public attention to what they viewed as a corporate overreach against digital rights. The underlying message was clear: attempts to control and censor the internet would be met with swift and disruptive resistance.
A recent example of a DDoS attack employed by hacktivists is the campaign by the pro-Russian group KillNet targeting the U.S. healthcare sector. In January 2023, KillNet launched a series of DDoS attacks against healthcare organisations, significantly disrupting their services. These attacks involved overwhelming the target servers with traffic to render them inaccessible, affecting hospitals, healthcare providers, and related entities. The aim was to retaliate against Western support for Ukraine amid the ongoing conflict.
Data breaches and leaks involve unauthorised access to confidential or sensitive information, which is then released to the public. Hacktivists use this tactic to expose unethical practices, corruption, or illegal activities within organisations or governments. Hacktivists opt for data breaches and leaks because these actions can have profound consequences. The Ashley Madison breach, for example, aimed to expose what the hackers deemed unethical behaviour and to highlight the lack of security protecting user privacy. By releasing such sensitive information, hacktivists sought to hold both the company and its users accountable, promoting a debate on the morality of the services offered and the importance of digital privacy.
A recent example of a hacktivist attack that led to significant data loss and exposure involves the hacktivist group SiegedSec. In 2023, SiegedSec claimed responsibility for breaching NATO's Communities of Interest Cooperation Portal. This breach resulted in the leak of 8,000 personnel records containing details such as names, companies, job titles, business email addresses, home addresses, and photos, alongside various unclassified documents. The group stated that their actions were in retaliation for NATO's perceived attacks on human rights.
In recent years, hacktivists have increasingly turned to ransomware as a tool to further their political and social agendas. Traditionally known for DDoS attacks, website defacements, and data leaks, groups like the Ikaruz Red Team and the Ukrainian Cyber Alliance have now adopted ransomware tactics. These groups use ransomware not primarily for financial gain but to disrupt operations, draw attention to their causes, and retaliate against their adversaries.
Throughout 2023, IRT launched several ransomware attacks using modified versions of LockBit 3.0 against various entities in the Philippines. These attacks were not primarily financially motivated but aimed at sowing disruption and drawing attention to their political causes. The group publicly announced its attacks on social media, emphasising their intention to disrupt rather than profit. Another notable instance is the Ukrainian Cyber Alliance's attack on the Trigona ransomware group in October 2023. This hacktivist group managed to exfiltrate and wipe out the servers of Trigona, effectively disabling their operations. The hacktivists claimed this action was part of their ongoing efforts to disrupt Russian criminal enterprises.
The effects of hacktivism driven by various motives—political, social, or geopolitical—extend far beyond the immediate targets, influencing the wider threat landscape significantly.
When Anonymous launched a series of DDoS attacks against entities like the RIAA and MPAA, the ripple effects of this digital assault were felt far and wide. Organisations worldwide scrambled to strengthen their defences, investing heavily in DDoS mitigation technologies. The attack also exposed the fragility of shared internet infrastructure, where collateral damage to untargeted sites became a harsh reality. The incident prompted regulatory bodies to tighten cybersecurity regulations, transforming the digital security landscape.
When the 2015 Ashley Madison breach orchestrated by The Impact Team took place, it had profound repercussions. By leaking the personal information of millions of users, the hacktivists aimed to expose what they deemed unethical behaviour. The fallout was swift and severe, as individuals faced personal and professional ruin. This breach underscored the critical need for robust data privacy, pushing organisations to adopt stronger encryption methods and spurring regulatory bodies to enact stringent data protection laws like the GDPR. Simultaneously, the global rise in cyber insurance highlighted a growing recognition of the financial risks posed by data breaches. These stories, along with many others like the geopolitical cyber attacks in the Russia-Ukraine conflict, illustrate how hacktivism is reshaping the cybersecurity landscape, compelling us all to reconsider how we protect our digital lives.
And what can organizations do about hacktivism? As a first step, it is important to understand that hacktivism is not the same as online activism.
Digital and online mediums serve as a platform for both activities. In some cases, both may even aim for a similar goal. The approach in each scenario, however, is vastly different. Hacktivism has its roots in cybercrime and uses illegal means to realize the desired impact. Online activism does not.
Your cyber defense strategy against hacktivism may follow the standard industry best practice guidelines:
Users should be encouraged to follow guidelines that prevent phishing and social engineering, to handle data on personal devices carefully and to use multi-factor authentication.
Government organizations, utility service providers, financial institutions and large tech companies are likely targets of hacktivism. This is primarily because they reach a wide audience and any attack on popular services is likely to gain the most public attention — which may spur a response.