Hacktivism in 2023: From Grassroots Movements to State-Sponsored Threats
October 2023 by Check Point
Hacktivism is universally defined as the malicious use of digital tools, such as hacking, to stir up civil disobedience or promote a sociopolitical agenda. At its most innocent, it is a form of “digital vandalism” that will frustrate and inconvenience organizations, but extreme instances can lead to leaked information, intercepted data, the hijacking of company assets, even the systematic dismantling of an organization’s reputation. In short, it can be devastating.
In recent years, hacktivism has started to closely mimic battles in the real world, as seen with the Russo-Ukraine conflict and the war between Hamas and Israel. While the influence and impact of cyberattacks and hacktivism are less prominent during the height of combat, incidents have increased as digital and physical worlds collide.
The most common targets for hacktivist groups include government agencies, because they often hold opposing views and have the power to make changes, and multinational corporations that are perceived as being “bad” or having an adverse impact on society or the environment. In the current day, it’s difficult to say the word “hacktivist” and not immediately think of Anonymous – the group responsible for swathes of non-violent digital protests, usually taking the form of distributed denial of service (DDoS) attacks, to bring their version of truth and justice to the world.
While Anonymous may have made hacktivism a household term, the real threat of hacktivism for businesses and government agencies runs much deeper. As detailed in Check Point’s 2023 Mid-Year Cyber Security Report, the average number of weekly cyberattacks is up 8% globally – the most significant increase in two years – largely driven by artificial intelligence, the escalating threat of organized ransomware groups, and hacktivism.
Last year saw the emergence of state-affiliated hacktivism, where hacktivist groups select their targets based on geopolitical agendas, in some cases funded or orchestrated by governments themselves. Take the Russian-affiliated “Killnet” group, for instance, which targeted western healthcare organizations in early 2023 with a series of DDoS attacks in response to the West’s support of Ukraine. Or “Anonymous Sudan”, a group that first appeared in January 2023 and has gone on to target the likes of Scandinavian Airlines and other Western organizations while promoting a pro-Islamic narrative. The group claims to be running a counter-offensive operation, choosing Western targets in retaliation for alleged anti-Muslim activities. Microsoft was one of the group’s latest targets, resulting in significant disruption to its Outlook email service and Azure hosting platform.
The changing face of hacktivism
We are now seeing hacktivism evolve from an individual or group of individuals into coordinated, often state-sponsored, organizations that have ideological motivations. However, while ideology might unite and motivate malicious actors, the democratization of technology has played a major role in the propagation and proliferation of hacktivist activities. Artificial intelligence, particularly Generative AI, is one example of an extremely powerful, scarcely regulated tool that is readily available. As organizations scramble to leverage AI capabilities as part of their cyber defense strategies, threat actors and hacktivist groups are working hard to leverage AI as part of their offensive efforts.
Interestingly, while technology such as generative AI certainly makes the generation of malicious code easier and more accessible, it is the same old vectors that threat actors are looking to exploit. AI is not being leveraged to improve malware itself, but rather its mode of delivery. Lookalike domains and phishing attacks remain among the most popular attack vectors, but AI is making fraudulent domains and fake emails more sophisticated and difficult to identify.
AI can also be leveraged to orchestrate sharper, faster DDoS attacks. A DDoS attack is when a server or website is flooded with artificial traffic requests to the point where it becomes overwhelmed and ceases to function. This year saw a record-breaking DDoS attack, which peaked at 71 million requests per second – no doubt a sign of things to come.
Limiting exposure to hacktivism
Hacktivist attacks are ideological in their nature, so for some businesses – particularly those operating in the public sector – exposure will be inevitable. Some businesses will find themselves in the crosshairs of hacktivists purely for existing, even if there is little to steal or no financial incentive. The partners, suppliers, and customers of targeted organizations can also get caught in the crossfire, meaning nowhere is safe. Being impacted by a hacktivist-led cyberattack is not necessarily a matter of if, but when.
However, there are some essential steps that businesses in both the private and public sectors can take, if not to limit their exposure to attacks, then to limit their exposure to the risk that comes with being swept up in an attack. Robust data backups, for instance, will limit the power of any ransomware attack on a business, and make the tampering or deletion of data by hacktivists easier to deal with. Cyber awareness training for staff will also mitigate the effectiveness of lookalike domains or phishing tactics, along with zero-phishing technology that can detect zero-day phishing attempts – so called because they exploit known vulnerabilities within a system which the developers or vendors have “zero days” to fix.
The future of hacktivism
The future of hacktivism is poised to be multifaceted, with a blend of state-affiliated operations and grassroots movements. State-affiliated hacktivism is now an established threat, which means that tactics are likely to evolve and become more sophisticated thanks to external funding. Hacktivist groups, particularly those with transparent state affiliations, are likely to leverage larger and more powerful botnets to execute disruptive DDoS attacks on a scale previously unseen. The record-breaking DDoS attack, peaking at more than 71M requests per second, is a testament to this escalating trajectory.
There has also been some evidence of collaboration between groups with differing narratives, such as the pro-Islamic “Anonymous Sudan” and the pro-Russian “Killnet”, which hints at a future where hacktivist groups might form alliances for mutual benefit, irrespective of their core ideologies. This convergence might lead to more coordinated and impactful attack campaigns. Increasingly, these groups are also masking hidden agendas behind politically motivated attacks, with hacktivist threat actors using ransomware campaigns as a revenue stream to fund other activities.
However, it is not just about state actors. Grassroots hacktivism, driven by social, environmental, or regional political causes, will continue to play a significant role. As global issues like climate change and human rights gain more attention, we can expect a resurgence of decentralized hacktivist movements. These groups, while not as resource-rich as their state-backed counterparts, can still cause significant disruption, especially when they rally the global online community around a cause.
We are also seeing a greater influence from technology, with deepfakes becoming a regular tool in the hacktivist arsenal. Deepfakes have been used to impersonate people of power and create propaganda in times of conflict, as seen with Ukrainian president Volodymyr Zelensky. These tools can be purchased with ease and used as part of social engineering attacks to access sensitive data.
In essence, as we move into 2024 and beyond, the lines between state-sponsored cyber operations and traditional hacktivism will blur. Organizations worldwide will need to be prepared for a diverse range of cyber threats, each with their own unique motivations and tactics.