Around the world, hacktivists appear to be hanging up their keyboards. But as hacktivism – carrying out cyberattacks for political or social reasons – declines, nation-states have increasingly been carrying out cyberattacks under the false flag of hacktivism.
That’s according to a report published by cybersecurity firm Recorded Future. The US firm’s research division, Insikt Group, assessed with “high confidence” that nation-state entities have been leveraging hacktivism activities to meet their own broader goals.
This includes working closely with legitimate hacktivists where the goals of the nation-state and hacktivist might overlap, or false-flag operations in which a nation-state will deliberately make their activity appear to be that of a hacktivist group.
By taking this false-flag hacktivism approach, nation-states can not only cover their tracks but also sow confusion, perhaps causing the victim of the attack to waste resources by investigating or responding against the wrong perpetrator.
“As nation-states and other advanced entities have been observed shifting to common tools and malware to obscure their activities, some operations have been similarly identified as conducted under the false flag of hacktivist or lone hacker activity,” the report states.
To spot the hacktivism trends, Insikt Group used Recorded Future’s proprietary threat intelligence platform to analyse more recent hacktivism incidents, then compared this data to reports of historical hacktivism stretching back ten years.
False flag hacktivism: From Sony to the DNC
Perhaps the most striking example of false flag hacktivism is the ‘Guccifer 2.0’ persona used by the hacker or hackers that stole the trove of emails and documents from the Democratic National Committee (DNC).
The stolen emails were then disseminated via WikiLeaks at critical times for then-presidential candidate Hillary Clinton during the 2016 US election campaign.
While Guccifer 2.0 was painted as a lone hacker, cybersecurity firms – notably CrowdStrike – linked the DNC cyberattack to Russia’s military intelligence agency, the GRU. In July 2018, 12 GRU agents were indicted by special counsel Robert Mueller for allegedly carrying out the DNC cyberattack.
Insikt Group also gives the Sony hack as an example of false flag hacktivism, in which a North Korean hacker group called the ‘Guardians of Peace’ leaked confidential film data, as well as Sony employee data. Later, US intelligence officials alleged that the North Korean government sponsored the attack – something the country has denied.
The Iranian-sponsored distributed denial of service (DDoS) attacks on US banks in 2016 are another example of false flag hacktivism.
“Although espionage operations have made use of false-flag tactics for a long time, the rise of voluntary hacktivist organisations allows an operator to easily claim an affiliation or identification with hacktivist activity, which may be difficult to disprove,” the report states.
The report also highlights Trend Micro research from 2018 that found criminals had masqueraded as hacktivists when defacing websites, while their main goal was to infect the sites with the Ramnit banking Trojan.
Hard times for unskilled hacktivists
The rise of website protection vendors could have made it more difficult for lower-skilled hacktivists to carry out attacks, said Insikt Group.
Companies such as Cloudflare and Akamai, for example, offer robust protection for websites from DDoS attacks – once an attack method of choice for hacktivists.
“There are still many targets susceptible to common hacktivist attack methodologies, but historic targets such as multinational financial institutions and large federal government organisations have in general made improvements to their security posture over the years,” the report said.
John TerBush, senior threat intelligence researcher at Recorded Future, told Verdict that attribution of false flag hacktivism is difficult and that he expects no let-up in such attacks:
“We think that false flag hacktivist operations will continue to be conducted and do not expect any significant reduction; in the case of Guccifer 2.0 and associated Russian operations, these were only documented as such through active intelligence gathering that acquired communications between the actual operators.
“This level of documentation and publicised investigation is an outlier. Part of the allure to nation-state actors is that it is difficult to detect the difference between a nationalist hacktivist conducting actions, perhaps even in coordination with a government, and a ‘true’ nation-state actor. This method creates plausible deniability and will continue to be a useful tool for nation-state actors.”
The false flag hacktivism trend overlaps with what Malcolm Taylor, formerly GCHQ and now director of cyber advisory at ITC Secure, described as “the privatisation of nation-state capabilities”. This sees the advanced cyber tools of nation-states appropriated by criminal groups, as demonstrated by the EternalBlue exploit that facilitated the WannaCry ransomware attack in 2017.