Five things all organizations should know about ‘hacktivism’

With no end to attacks in sight, companies must put solid defenses in place

 
Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

In July 2015, a hack­er who goes by the name of Phineas Fish­er breached an Ital­ian tech­nol­o­gy com­pa­ny that, iron­i­cal­ly, sells spy­ing and hack­ing soft­ware tools.

Fish­er exfil­trat­ed more than 400 giga­bytes from the com­pa­ny, called Hack­ing Team, and declared that his motive was to stop its “abus­es against human rights.”

That’s the beau­ty and asym­me­try of hack­ing: With 100 hours of work, one per­son can undo years of work by a mul­ti­mil­lion-dol­lar com­pa­ny,” Fish­er wrote online. “Hack­ing gives the under­dog a chance to fight and win.”

Hack­tivism, or the act of hack­ing into oth­ers’ com­put­er net­works to pro­mote one’s polit­i­cal or oth­er agen­da, has been around as long as the inter­net. But the tech­nol­o­gy that’s avail­able is eas­i­er and cheap­er than ever, low­er­ing the bar­ri­er of entry even for those with lit­tle experience.

Rick Holland, Digital Shadows vice president of strategy
Rick Hol­land, Dig­i­tal Shad­ows vice pres­i­dent of strategy

You don’t have to be an expert to have access and to cause dam­age to peo­ple and their web­sites,” says Rick Hol­land, vice pres­i­dent of strat­e­gy at Dig­i­tal Shad­ows, which has tools to search the inter­net and the Dark Web to com­pile com­pro­mised infor­ma­tion about their clients.

Anony­mous, per­haps the most noto­ri­ous hack­ing group, large­ly mar­kets itself as hack­tivists. But with the emer­gence of social media as a loud mega­phone that also enables anonymi­ty, oth­er less­er-known hack­tivists have become increas­ing­ly embold­ened in herald­ing their cause and call­ing for oth­ers to join.

Relat­ed sto­ry: Anato­my of an attack: Lever­ag­ing Twit­ter to dis­rupt bank­ing websites

Here are five things every com­pa­ny should grasp about hacktivism:

• Hack­tivists are true believ­ers. They are indi­vid­u­als who often belong to a hack­er net­work group online that shares their val­ues and ide­ol­o­gy. They can act alone or be prompt­ed by a broad­er hack­tivist cam­paign, such as OpI­carus or Ghost Squad Hack­ers. Hack­tivists are moti­vat­ed by brand­ing their agenda—Operation X—and dis­tin­guish them­selves from cyber crim­i­nals who mere­ly pur­sue finan­cial gains.

But “there’s a lot of blur­ring of the lines between crim­i­nals, espi­onage actors and hack­tivists,” Hol­land says. “It’s often­times dif­fi­cult to tell who it is. You see some of the cyber­crim­i­nal orga­ni­za­tions that might moon­light take contracts.”

• Con­tro­ver­sy can make you a tar­get. Con­tro­ver­sial indi­vid­u­als, com­pa­nies and gov­ern­men­tal and non­govern­men­tal orga­ni­za­tions often are tar­gets. The list of past vic­tims includes auto­crat­ic gov­ern­ments, politi­cians, agro­chem­i­cal man­u­fac­tur­ers, oil com­pa­nies, phar­ma­ceu­ti­cal com­pa­nies, genet­i­cal­ly mod­i­fied food mak­ers, reli­gious groups, social media web­sites and oth­ers. They gen­er­al­ly tar­get large organizations.

 Small- to medi­um-size busi­ness­es typ­i­cal­ly are not on their radar unless they oper­ate in con­tro­ver­sial indus­tries. A small sup­pli­er to GMO man­u­fac­tur­ers, for exam­ple, poten­tial­ly could be a tar­get. “Hack­tivists can come after you because of that rela­tion­ship in the sup­ply chain,” Hol­land says.

• Attacks can be wide­spread. Data on the fre­quen­cy of attacks are hard to come by. But one group, Ghost Squad Hack­ers, plans to tar­get banks, and their activ­i­ty offers a glimpse of how quick­ly plans can pro­lif­er­ate. “We’ve seen 70 dif­fer­ent orga­ni­za­tions that they’ve announced are going to be tar­gets,” Hol­land says.

• Attacks can take var­ied forms. Hack­ers can com­pro­mise the target’s com­put­er sys­tems in all the ways that are avail­able to cyber crim­i­nals. They can set up a phish­ing domain that looks like the target’s domain in order to acquire sen­si­tive infor­ma­tion, such as pass­words and com­pa­ny data. Using Twit­ter or oth­er social media chan­nels, they may coor­di­nate a dis­trib­uted-denial-of-ser­vice attack on a web page to take it down.

We may find this out and then we can tell the com­pa­ny ‘Look we’re see­ing a cam­paign against one of your exec­u­tives,” Hol­land says. “We give them an idea of a risk to their staff that they didn’t know about.”

• The best defense: Use secu­ri­ty best prac­tices, keep a low pro­file. All the usu­al cyber­se­cu­ri­ty steps should be estab­lished, such as vir­tu­al pri­vate net­works, mul­ti­fac­tor authen­ti­ca­tion pro­to­col, fire­walls and tools to guard against DDoS attacks. Com­pa­nies should under­go a “threat mod­el­ing exer­cise” to deter­mine how they’d respond in the event of an attack, Hol­land says. Know­ing who to call for help is important.

Orga­ni­za­tions that can afford cloud-based ser­vices also should con­sid­er them, as they can move their traf­fic up to the cloud if they’re attacked. “If you’re a big bank, you can afford those kinds of ser­vices. But if you’re a small­er-tier com­pa­ny, (you should ask) ‘Do I need to spend that kind of mon­ey?’ That’s a dif­fi­cult ques­tion,” Hol­land says.

Exec­u­tives should be trained by the PR staff or con­sul­tants to be more care­ful when speak­ing pub­licly and not say things that could incite hack­tivists, Hol­land says. Sup­pli­ers also should be alert­ed about the pos­si­ble dangers.

A lot of hack­tivists are typ­i­cal­ly younger, ide­al­is­tic peo­ple who are get­ting attached to these caus­es. So there’s no short­age of that,” he says. “This will nev­er end.”

More sto­ries relat­ed to hactivism:
Cyber­se­cu­ri­ty a con­cern for can­di­dates on 2016 cam­paign trail
Despite pre­cau­tions, DDoS attacks becom­ing more dire, damaging
Chaos the­o­ry takes root in after­math of Sony Pic­tures hack