NZ Incident Response Bulletin – October 2020

Our Views:

This month’s theme is “Hacktivism”.

What is Hacktivism?

The Merriam-Webster dictionary defines hacktivism as “computer hacking done to further the goals of political or social activism”. Hacktivists are those engaging in hacktivism and historically have been decentralised groups of individuals acting together out of a sense of common purpose.

Hacktivists differ from other cybercriminal groups in that they are driven and united by an ideology, principle or cause. These can be political, religious, or regional issues.

Hacktivist groups came to the attention of the general public and the security community around ten years ago when they launched high-profile campaigns against targets such as the Church of Scientology, Visa, Mastercard, and Amazon. They also became heavily affiliated with political struggles such as the “Arab Spring” at that time. Some of the more well-known groups include Anonymous, LulzSec, and the Syrian Electronic Army.

Methods Used

Hacktivists have traditionally used Distributed Denial of Service (DDoS) attacks, website defacement and customer data theft as their primary methods of attack.

In the last two years, hacktivist activity has primarily focussed on the defence of civil rights and operations against child abuse, terrorism, and hate crimes. Whilst these causes seem worthy, the techniques used to achieve hacktivists’ goals are often criminal and can cause significant harm to businesses and individuals. Business disruption as a result of large-scale DDoS attacks and data leaks can lead to substantial financial loss. Even short-term website defacement can cause reputational damage to a business.

Hacktivists are known to directly attack businesses that they believe are engaging in morally corrupt activities, such as Visa refusing to process donations made for Julian Assange or the Ashley Madison website promoting extramarital affairs. In the case of Ashley Madison, the impacts of the 2015 data breach and release of thousands of customers’ confidential data are still being felt today, with victims still being subject to bribery attempts and the attack costing Ashley Madison over $30 million in fines and recovery costs.

During the current Covid-19 crisis, some cybercriminals eased off on targeting healthcare facilities. However, hacktivist groups were very vocal about maintaining their campaigns against large pharmaceutical companies that they believe are profiting from the pandemic. This is of concern to some, as it has the potential to delay the development of a vaccine.

Whilst it is generally thought that businesses that are closely linked to a nation (such as a national bank) are more likely to be targeted by hacktivists, companies from a diverse range of industries have been attacked, sometimes for seemingly innocuous business dealings. Heavy machinery maker Caterpillar Inc., for example, has suffered multiple attacks related to the sale of bulldozers to Israel. Businesses can also suffer collateral damage from hacktivism due to general disruptions (like nationwide internet service outages) or supply chain disruptions.

Learning from hacktivist attacks

Verizon’s Data Breach Investigation Reports (DBIR) show that in previous years, hacktivists have been responsible for leaking more personal data records than cyber-criminals. With the NZ Privacy Act 2020 strengthening the obligations New Zealand businesses have around protecting sensitive data, it is an appropriate time to review what lessons can be gleaned from previous hacktivist breaches and how companies should mitigate this threat in 2020.

Remain Wary

Large-scale hacktivist attacks are not random. The Ashley Madison website was targeted because it was seen as immoral or profiting “off the pain of others”. If you suspect your business may be at risk from hacktivism, it is a good idea to add this scenario to your Incident Response plan and playbooks. Ensure you also include a thorough Public Relations and communications plan. However, you do not have to be in an “obviously” controversial industry (such as oil) to be wary, as any organisation can become a target of someone willing to try to embarrass it or damage its reputation. As such, if your organisation would suffer from the release of personal customer information, you should remain vigilant.

Monitor not only the threat landscape, but the social climate

Despite hacktivism dropping from the major headlines for several years, CrowdStrike intelligence has recently seen an overall increase in hacktivism, with groups that had previously been quiet once again beginning active operations. Anonymous recently claimed responsibility for convincing Korean pop music fans to hijack white supremacist Twitter hashtags in support of Black Lives Matter. Shortly after the assassination of Iran’s Major General Qasem Soleimani in early 2020, Digital Shadows also identified an increase in activity from pro-Iran hacktivists, the first such activity since campaigns in 2015 and 2016.

Accenture’s 2019 Cyber Threatscape Report predicts that events with global reach, such as the Olympics, may become a setting for hacktivist cyber threat activity. Threat actors have previously carried out hacktivism campaigns against the World Doping Agency (WDA) and the 2018 PyeongChang Winter Olympics.

Continuously Improve your Cybersecurity Maturity

Despite Ashley Madison encrypting most of their stored passwords, a subset (15 million) were able to be compromised using a brute force attack. Inconsistently applied security measures can occur as networks evolve, and it is a reminder that reviewing, upgrading and working to improve your cybersecurity posture continuously is vital. While you can never be entirely secure, constant improvement can help ensure you are continuing to meet obligations in regard to securing data as technology changes.

Ensure Robust Management of the Full Data Lifecycle – Including Deleting

In the Ashley Madison example, the hacktivists exposed a large amount of data which supposedly had been previously deleted. Ensure you have a robust method for the permanent and irretrievable deletion of all copies of data that are no longer required to be held by your business. This requires that you are aware of where all possible copies of data are held, including any mailboxes, third party cloud-based storage, or related applications.

Have Sufficient DDoS Mitigation

As many hacktivists use DDoS attacks, you should understand your DDoS mitigation service-level agreements to ensure you are protected in the event of a widespread attack. Your response plan and procedures should reflect your current protections and your team should be fully aware of how to engage and use these services if required.

Validate that Your Data is Secure

Finally, consider hiring an external company to test your security measures via Penetration Testing and Vulnerability Assessments.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.