When most people think of a hacker, they think of a loner hiding in a dark basement, destroying computer systems and other digital resources for personal financial gain, or a sophisticated computer whiz employed by a foreign government up to no good.
However, in recent years, a growing number of hackers have been putting their skills to use for a different reason: activism. This trend, dubbed “hacktivism”, is on the rise and can have serious consequences for businesses of all sizes in all verticals and industries.
What is Hacktivism?
Information security researcher Dorothy Denning defines hacktivism as “the marriage of hacking and activism”, more specifically, using computers to achieve a political agenda through legally ambiguous means. As a general rule, hacktivism aims to obstruct normal computer and business activities in some way but, unlike other forms of hacking, does not necessarily aim to cause permanent injury or significant financial loss and is rarely motivated by financial gain.
Hacktivism Can Be a Force for Good…
When most readers think of hacktivism, they think of large-scale political movements and revolutions such as the Arab Spring, which depended at least in part on technology and hacktivism.
In 2011, when young protesters took to the streets in cities across the Middle East to rally against oppressive governments, some of which had held power for decades, they were emboldened and assisted by technology. In the eyes of some, WikiLeaks and Anonymous played a key role in creating the social conditions that allowed the Arab Spring to happen by posting damning secret government documents online before the protests began.
A specific example of this hacktivism was the uprising in Tunisia, which was initially largely ignored by the foreign media. When members of Anonymous realized the significance of the uprising, they partnered with Tunisian dissidents to help them share videos of what was really happening on the ground with the outside world. They also created a “care packet” (available in English, Arabic, and French) that offered dissidents advice on how to conceal their identities on the internet to avoid detection by the former Tunisian regime’s cyberpolice.
Though most believe the Arab Spring to be a positive and necessary step, the hacktivism that accompanied it, particularly the act of disclosing confidential documents and personnel files indiscriminately, could endanger lives. Anonymous and similar hacktivist organizations do not always carefully vet what information they release, which could inadvertently expose innocent individuals to cybersecurity threats.
… But it Frequently Harms Innocent Organizations & Individuals
The goal of most hacktivists is to draw attention to a particular cause using virtual political activism. This can be a noble goal, as demonstrated during the Tunisian uprising, but not all hacktivists are so altruistic. Unfortunately, many hacktivists are also not particularly concerned about avoiding collateral damage while carrying out their activist activities, and innocent parties can be caught in the crossfire.
For example, while protesting the recent police actions on the Bay Area Rapid Transit (BART) system in San Francisco, a hacktivist posted the full names, addresses, and cell phone numbers of over 2000 MyBART subscribers (ordinary transit users) online, increasing their chances of being targeted by identity thieves and other criminals.
In a recent article by PC World, a former member of Anonymous called “SparkyBlaze” admitted that he was “fed up with [Anonymous] putting people’s data online and then claiming to be the big heroes.” He also stated that “Getting files and giving them to WikiLeaks, that sort of thing does hurt governments. But putting user names and passwords on a Pastebin doesn’t [affect governments], and posting the info of the people you fight for is just wrong.”
While some hacktivist organizations, like other activist organizations, might be doing real good, too many are using the guise of activism to cause significant harm to innocent organizations and individuals.
As one article published in the Journal of Human Rights Practice puts it, unlike more familiar forms of activism, hacktivism can often be anonymous, allowing it to operate with a kind of impunity afforded by technology. As such, hacktivists are accountable to no one, not even the organizations, groups, and individuals they aim to help, which is deeply problematic.
Many hacktivist organizations, including Anonymous and WikiLeaks, engage in highly questionable activities, which they are able to do because of the anonymous nature of hacktivism. Since there is no way to hold individuals accountable, they are incredibly dangerous, both for the problematic organizations and governments they target and for the rest of us.
A Brief History of Hacktivism: Six Infamous Events
While hacking has been around since the 1950s, hacktivism as a concept didn’t really emerge until 1989, when the first “hacktivist” action (referred to as Worms Against Nuclear Killers) took place.
Worms Against Nuclear Killers (1989)
The 1989 attack, which many believe to be the work of Melbourne-based hackers “Electron” and “Phoenix”, used a malware worm to infiltrate computers at both NASA and the US Energy Department. The worm, fueled by rising anti-nuclear sentiment, altered the login screen of infected computers to display the message “Worms Against Nuclear Killers”. A second worm, called OILZ, was also deployed and contained bugs designed to prevent access to accounts and files by changing passwords. The goal of this attack was to attempt to shut down the DECnet computer network in the days before a NASA launch, causing disruption and costing roughly half a million dollars in damages and lost time.
Hacktivism has only grown in both scope and influence. Other influential campaigns include:
Hacktivismo Declaration (2001)
Hacktivismo, an offshoot of the hacker group Cult of the Dead Cow (cDc), emerged when they released their declaration that aimed to elevate freedom of speech. During this event, the group explicitly attempted to both engage in civil disobedience and explain the reasoning behind their actions.
The declaration released by Hacktivismo cited two United Nations documents, the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, and included an FAQ that stated that the main purpose of their actions was to “cite some internationally recognized documents that equate access of information with human and political rights”.
With their declaration, this group aimed to create both moral and legal grounds for future hacktivists to launch their campaigns. The group went on to release a web browser, called Peekabooty, that prevents censorship from nation-states that deny or restrict internet access.
Project Chanology (2008)
When a video of actor Tom Cruise voicing his affiliation with the Church of Scientology appeared on YouTube, the church forced the video hosting platform to remove it. In response to the censorship, Anonymous launched a DDoS (Distributed Denial of Service) attack against the Church of Scientology website, which was also defaced. A series of prank calls and black faxes followed the DDoS attack, and Anonymous also distributed private church documents stolen from Scientology computers during a doxxing attack.
The hacktivist actions were also paired with in-person protests across the country where protesters donned the now infamous Guy Fawkes masks associated with Anonymous.
US Executive Branch Attack (2013)
Believed to be associated with Syrian President Bashar al-Assad, the Syrian Electronic Army (SEA) has carried out a number of attacks, using both spear-phishing and DDoS, designed to compromise and deface government, media, and privately held organizational websites.
The group successfully released a fake tweet claiming that an explosion at the White House had injured the President. After the tweet went live, the Dow briefly plunged 140 points. In 2016, the FBI charged two SEA-affiliated individuals with the attack.
Clinton Emails Leak (2016)
This attack, a joint venture between WikiLeaks and Russia’s foreign military intelligence directorate Glavnoye Razvedyvatel’noye Upravleniye (GRU), focused on emails between then-presidential candidate Hillary Clinton and her campaign manager. The emails were illegally obtained by GRU and released by WikiLeaks, and the goal was to discredit Ms. Clinton in order to further the campaign of her opponent Donald Trump.
Hackers used spear-phishing emails to steal credentials from DNC members and gain unauthorized access to the emails. The campaign significantly impacted the Clinton campaign and may have contributed to her loss. Following the leak, the US Department of Justice indicted 12 Russian hackers for the incident.
Black Lives Matter Movement (2020)
While the BLM (Black Lives Matter) movement reaches beyond the realm of hacktivism, the group Anonymous did throw their weight behind this movement protesting police corruption following the death of George Floyd. The group had also voiced similar condemnations in the past following the murders of Michael Brown and 12-year-old Tamir Rice.
In support of the social-justice-focused BLM movement, Anonymous released a video on Twitter that specifically criticized the Minneapolis police department in the wake of the shooting. As a result of the video, Anonymous’ Twitter account gained 3.5 million new followers in the following days, and the campaign has been linked to a series of DDoS attacks that briefly shut down the Minneapolis police department website, its parent website, and the Buffalo, New York government website over the course of a single weekend.
How Hacktivism Harms Businesses
While some hacktivist activities, such as creating open-source software that allows people in China to circumvent government censorship, are arguably good, we have seen that hacktivism also has a dark side.
Hackers of all stripes, including some hacktivists, often use open-source hacking tools to penetrate networks with the goal of paralyzing or destroying legitimate businesses. This can be done for a variety of reasons, including retaliatory action in the case of George Hotz.
Sony vs Hotz
In 2010, then-teenage researcher George Hotz (now President at comma.ai) was able to reverse-engineer the Sony private key and published it online. This allowed almost anyone with an internet connection to rewrite Sony’s firmware and classify themselves as a developer on the Sony network, gaining free access to all of Sony’s online games. This action adheres to the philosophy that many hacktivists and other hackers share, which deems that all information, even proprietary information, should be free.
In response to his actions, Sony sued Hotz, which attracted the attention of hacktivists. The company was targeted by several DDoS attacks and a data breach, which exposed the credit card numbers of 12 million innocent customers, as well as 75,000 “music codes” and 3.5 million “music coupons”, resulting in massive financial losses for the company. All in all, Sony estimates they lost about $173 million, including the cost of increased customer support, incentives to woo customers back, legal costs, loss of sales, and the costs to improve their cybersecurity systems.
Ultimately, regardless of the goal of the hacktivist organization, gaining unauthorized access to a company’s network or other digital assets is wrong, and companies need to take steps to ensure their cybersecurity posture is robust enough to thwart attacks and avoid or at least minimize damage.
Cybersecurity is complicated, and the field continues to evolve to respond to new threats, so keeping up to date is critical for safeguarding your organization and its digital assets.