In July 2015, a hacker who goes by the name of Phineas Fisher breached an Italian technology company that, ironically, sells spying and hacking software tools.
Fisher exfiltrated more than 400 gigabytes from the company, called Hacking Team, and declared that his motive was to stop its “abuses against human rights.”
“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion-dollar company,” Fisher wrote online. “Hacking gives the underdog a chance to fight and win.”
Hacktivism, or the act of hacking into others’ computer networks to promote one’s political or other agenda, has been around as long as the internet. But the technology that’s available is easier and cheaper than ever, lowering the barrier of entry even for those with little experience.
“You don’t have to be an expert to have access and to cause damage to people and their websites,” says Rick Holland, vice president of strategy at Digital Shadows, which has tools to search the internet and the Dark Web to compile compromised information about its clients.
Anonymous, perhaps the most notorious hacking group, largely markets itself as hacktivists. But with the emergence of social media as a loud megaphone that also enables anonymity, other lesser-known hacktivists have become increasingly emboldened in heralding their cause and calling for others to join.
Here are five things every company should grasp about hacktivism:
- Hacktivists are true believers. They are individuals who often belong to a hacker network group online that shares their values and ideology. They can act alone or be prompted by a broader hacktivist campaign, such as OpIcarus or Ghost Squad Hackers. Hacktivists are motivated by branding their agenda—Operation X—and distinguish themselves from cyber criminals who merely pursue financial gains.
- Controversy can make you a target. Controversial individuals, companies and governmental and nongovernmental organizations often are targets. The list of past victims includes autocratic governments, politicians, agrochemical manufacturers, oil companies, pharmaceutical companies, genetically modified food makers, religious groups, social media websites and others. Hacktivists generally target large organizations.
- Attacks can be widespread. Data on the frequency of attacks are hard to come by. But one group, Ghost Squad Hackers, plans to target banks, and their activity offers a glimpse of how quickly plans can proliferate. “We’ve seen 70 different organizations that they’ve announced are going to be targets,” Holland says.
- Attacks can take varied forms. Hackers can compromise the target’s computer systems in all the ways that are available to cyber criminals. They can set up a phishing domain that looks like the target’s domain in order to acquire sensitive information, such as passwords and company data. Using Twitter or other social media channels, they may coordinate a distributed-denial-of-service attack on a web page to take it down.
- The best defense: Use security best practices, keep a low profile. All the usual cybersecurity steps should be established, such as virtual private networks, multifactor authentication protocol, firewalls and tools to guard against DDoS attacks. Companies should undergo a “threat modeling exercise” to determine how they’d respond in the event of an attack, Holland says. Knowing who to call for help is important.
But “there’s a lot of blurring of the lines between criminals, espionage actors and hacktivists,” Holland says. “It’s oftentimes difficult to tell who it is. You see some of the cybercriminal organizations that might moonlight take contracts.”
Small- to medium-size businesses typically are not on hacktivists’ radar unless they operate in controversial industries. A small supplier to GMO manufacturers, for example, potentially could be a target. “Hacktivists can come after you because of that relationship in the supply chain,” Holland says.
“We may find this out and then we can tell the company, ‘Look, we’re seeing a campaign against one of your executives,’” Holland says. “We give them an idea of a risk to their staff that they didn’t know about.”
Organizations that can afford cloud-based services also should consider them, as they can move their traffic up to the cloud if they’re attacked. “If you’re a big bank, you can afford those kinds of services. But if you’re a smaller-tier company, (you should ask) ‘Do I need to spend that kind of money?’ That’s a difficult question,” Holland says.
Executives should be trained by the PR staff or consultants to be more careful when speaking publicly and not say things that could incite hacktivists, Holland says. Suppliers also should be alerted about the possible dangers.
“A lot of hacktivists are typically younger, idealistic people who are getting attached to these causes. So there’s no shortage of that,” he says. “This will never end.”