Hacktivism Could Become a Threat When Secretly Backed by Nation States

• Hacktivism’s evolution could turn it into a threat for organizations everywhere.
• The line gets blurred between launching cyberattacks for political or social reasons and state-backed operations.
• This makes it a more powerful threat, together with actors’ increasingly sophisticated and aggressive tactics.

After a surge in hacktivism starting with Russia’s invasion of Ukraine in February 2022, politically motivated groups and individuals employing growingly complex and offensive maneuvers worry ESET security researchers. 

They believe many of these attacks are secretly linked to nation-states, which either form the groups or support them. This blurs the line separating state-sponsored cyber operations from standard hacktivism.

The Red Cross even issued a set of rules last year for “civilian hackers” to use during wartime since their operations affect hospitals, pharmacies, and banks, but adherence was low.

Tactics employed recently, especially amid the Israel-Hamas conflict, are similar to previous hacktivist campaigns that use DDoS attacks, website defacement, and stolen data. However, more targeted and sophisticated additions have been observed. Two reports say hacktivists were seen exploiting API vulnerabilities of alert apps for citizens and others allegedly infiltrating the Israeli water system’s devices. 

Hacktivist group AnonGhost gained control of a real-time missile alert app for Israeli citizens, abusing a Red Alert API flaw and sending spam messages via Python scripts, even managing to send fake nuclear bomb alerts to civilians. Others claimed breaching Israeli water systems’ SCADA devices, which was not confirmed by researchers.

Geopolitical and ideological motivations can lead some countries to use the pretense of hacktivism to conduct state-backed efforts directed at other nations and their allies. Suspected Russia-affiliated groups have apparently been doing this for some time. 

These include attacks on many Western targets by Anonymous Sudan and Killnet, who claimed The Jerusalem Post and industrial control systems (ICS) attacks, and the websites of an Israeli government and security agency, Shin Bet, respectively.

Hints that state-backed efforts have other agendas include disinformation via AI-generated images that create a strong emotional reaction, such as fake missile strikes, tanks in ruined neighborhoods, families searching for survivors, or a baby crying in a bomb wreckage. Disinformation is also spread via fake social media and Telegram accounts.

Following the Hamas attack, security researchers have observed suspiciously coordinated activity that could suggest state involvement, with one study saying “at least 30 hacktivist groups immediately pivoted activity to the conflict within 48 hours.”

The threat of genuine hacktivists, those who follow state interests, or covert nation-state operatives remains the same as it affects private sector organizations siding with one team or another.

Security researchers advise taking more measures to mitigate hacktivist risk, including plugging vulnerabilities or misconfigurations, using zero-trust architecture and multi-factor authentication, applying robust encryption, and continuously awareness-training employees.