A water reservoir overflows in Texas, Russian news services are disabled on Putin's birthday, Italian healthcare facilities are hit by DDoS attacks, industrial control systems are infiltrated by specialized malware. Hacktivism seems to be back in fashion, but there is something profoundly different compared to the past. How many times have we found ourselves scrolling through news of cyber attacks attributed to groups of pro-this or pro-that “digital activists”, imagining them as techno-anarchist rebels fighting against the system? The reality that emerges from the analyses of security experts is different, almost an open secret: behind many of these operations are hidden government agencies, military intelligence and well-organized offensive cyber units. Hacktivism, in short, has become the perfect mask for state operations that do not want to be identified as such. But let's take a small step back.
Hacktivism, what is it? Hacktivism is a form of digital activism that combines hacking with social or political engagement. Hacktivists use cyber techniques, such as attacks on websites or the dissemination of information, to support causes such as freedom of information, human rights or transparency. They do not aim for financial gain, but seek to raise public awareness or protest against governments and companies.
The Hidden Face of Modern Hacktivism
Contemporary hacktivism has little in common with the “digital vandals” of the 90s and 2000s. It is no longer a matter of website defacements or digital political manifestos. Security experts agree on one point: the tactics, objectives, and timing suggest something calculated, well-connected to the interests of nation states.
At the beginning of the year, Dragos (a cybersecurity firm specializing in operational technology) revealed that in April 2024 the pro-Ukrainian group BlackJack compromised a Moscow municipal organization that manages the communications system for the city's gas, water, and sewage networks. They didn't just penetrate routers and gateways, but deployed a malware written specifically for industrial control systems, called Fuxnet. According to Dragos, this is only the eighth known ICS (Industrial Control System) malware in the world. Not exactly the kind of tool you'd expect from amateur activists.
The things that are happening now under the guise of hacktivism (perhaps independent, or perhaps state-sponsored, but at the very least the states are intentionally looking the other way) are highly sophisticated groups now doing destructive things.
Evan Dornbush, a former computer network operator at the NSA, hit the nail on the head: these are not “just concerned citizens rooting for their country.” They are mechanisms deliberately used to provide states with plausible deniability.
The Resurgence of Hacktivism as a Tool of War
The “rebirth” of hacktivism does not coincide with the outbreak of the conflict in Ukraine in 2022. The “brotherhood” of Russian-speaking hackers has split, and various groups such as Killnet, Anonymous Russia and Anonymous Sudan have sided with the Kremlin’s interests. However, the first attacks, although heavy, were not very successful: mainly DDoS (Distributed Denial of Service) attacks of “annoying” level against public websites of critical infrastructure. But things changed quickly.
As John Hultquist, chief analyst of Google's threat intelligence group, emphasized: “One of the remarkable things about hacktivism: it’s rarely about impact as much as it is about visibility. The claims often outstrip reality.” This doesn’t mean, of course, that hacktivist attacks have zero impact. The psychological impact is real and can erode public trust in a company, a government agency, or critical processes like elections.
The series of attempts by the group CyberArmyofRussia_Reborn1 to disrupt Texas water systems at the beginning of 2024 had exactly this kind of impact. Only one known intrusion caused a malfunction, leading to the overflow of a water tank. They did not poison the water supply or prevent people from turning on their home faucets and drinking clean water. But they crossed a red line.
The Accessibility of Hacktivism
I don't want to sell you the idea that all hacktivists are government agents in disguise. These groups, and their motivations, run the gamut. And, as is often the case with many things in life, modern technology makes their job easier. DDoS-for-hire sites (also known as booters or stressers), initial access brokers who sell stolen credentials that other criminals can use to hack computers, and the broader commodification of cybercrime are lowering the barriers to entry for bad actors looking to carry out any type of cyberattack.
David Mound, senior penetration tester at SecurityScorecard, stresses that “the skills vary among hacktivist groups. But the advantage they have today is that there are dark-web services for rent, and they can be quite cheap and accessible even for non-technical people”. Considering that criminals can purchase a DDoS attack on the dark web for as little as $10, “it’s financially accessible, it’s technically accessible. The ‘business of evil’ is getting easier.”
The States Behind the Mask
At the other end of the spectrum are top-tier, government-backed groups that pose as hacktivists. They use attention-grabbing attacks to target critical infrastructure or as a smokescreen for espionage and other stealthy cyber activities. Hultquist puts it bluntly: “There are hacktivists who simply aren’t hacktivists. They claim to be motivated by ideology, but in reality they are simply following orders.”
Already in 2014 we witnessed the infamous hack of Sony Pictures Entertainment, during which, it is strongly suspected, North Korea, posing as a hacktivist group called Guardians of Peace, wiped out Sony's infrastructure and leaked information.
More recently, Google connected Sandworm, the offensive cyber arm of Russia's military intelligence unit, the GRU, to cyber attacks on US and European water facilities, along with other wartime disruption operations. But they have used hacktivist personas on Telegram channels like XakNet Team, CyberArmyofRussia_Reborn1 and Solntsepek to publicize illegal activities and share stolen data, thus masquerading as an independent hacktivist effort. Even the very famous “Anonymous,” which in itself is a label only good for making headlines, always seems ready to attack specific targets, at specific times, as if moved by a strategic hand. Be careful whom you cheer for.
A Future of Hybrid Threats
At the end of 2023, the FBI, NSA, CISA and other federal agencies accused CyberAv3ngers, a group affiliated with the Islamic Revolutionary Guard Corps (IRGC), of having breached “multiple” U.S. water systems across the country. And it didn’t require much sophistication on the hackers’ part. According to federal authorities, the group likely breached U.S. water systems using default passwords for programmable logic controllers that are accessible over the Internet.
The same group, however, was later caught using a custom malware called IOCONTROL to attack and remotely control water and fuel management systems in the United States and Israel.
It strikes me how thin the line is between hacktivism and government operations. It is no longer possible to clearly distinguish digital activism from intelligence operations. Hacktivism 2.0 is a tool of hybrid warfare, a convenient mask for operations that states prefer not to claim directly. The future of cybersecurity will have to deal with this reality: the most dangerous threats to computer security may come not from traditional criminal groups, but from state operators hiding behind the identity of “activists”.
The old hacktivism is dead; I wish a short life to the new hacktivism, a government weapon that does not have the courage to say its name.