research.checkpoint.com Open in urlscan Pro
141.193.213.21  Public Scan

Form analysis
0 forms found in the DOM

Text Content

 * CheckPoint.com
 * 
 * 
 * 
 * 
 * 
 * 

 * Publications
   * Threat Research
   * CPRadio
   * Attack Reports
 * Tools
   * CPR Zero- Vulnerability Repository
   * Evasion techniques Encyclopedia
   * Anti-Debug Tricks
   * SandBlast File Analysis
   * How-To Guides
   * URL Categorization
   * Instant Security Assessment
   * Live Threat Map
 * About Us
 * Contact Us
 * Subscribe
 * 

MENU




THE NEW ERA OF HACKTIVISM – STATE-MOBILIZED HACKTIVISM PROLIFERATES TO THE WEST
AND BEYOND

September 29, 2022


INTRODUCTION

Until last year, hacktivism has primarily been associated with groups like
Anonymous – decentralized and unstructured collectives made up of private
individuals with a variety of agendas. Anonymous has launched multiple campaigns
against a wide range of targets based on the preferences and wishes of its
members. There was no real ideological affiliation or connection between the
group’s members, and apparently no long-term agenda. Anyone, regardless of
political affiliation, is welcome to join.

In the past year, things have changed. As one of the multiple fallouts of
conflicts in Eastern Europe and the Middle East, some hacktivism groups stepped
up their activities in form and focus to a new era; Hacktivism is no longer just
about social groups with fluid agendas. The upgraded hacktivism is better
organized, structured and more sophisticated. Though the change began in
specific conflict-related geographical regions, it has now spread west and even
further. Major corporations and governments in Europe and the US are being
heavily targeted by this emerging type of hacktivism. In recent months, the US,
Germany, Lithuania, Italy, Estonia, Norway, Finland, Poland and Japan suffered
severe attacks from state-mobilized groups, which in some cases have had a
significant impact. The recent attacks targeted not only the governments of
these countries, but also major corporations like Lockheed Martin, a global
defense contractor. Also, the latest large-scale attacks on the Albanian
government were executed by a state-mobilized hacktivist group.

The major hacktivist groups that appeared in the last year share many
characteristics of structured organizations: clear and consistent political
ideology, a well-designed hierarchy for members and leadership, a formal
recruitment process and even tools that the groups provide to their members. In
addition, the groups and their members are aligned on the targets, and in a few
cases, there is even organized cooperation between groups. In addition, the
groups also have robust public relations operations to publicize and promote
their successes, including on major media channels and websites.

All this allows the new hacktivism groups to be mobilized to governmental
narratives and achieve strategic and broad-based goals with higher success
levels – and much wider public impact – than ever before. Hacktivist groups no
longer consist of a few random individuals who carry out small DDoS or
defacement attacks on low-tier websites. These are coordinated organizations
which launch organized large-scale DDOS and disruptive attacks against their
targets, with far-reaching public relations. Therefore government agencies and
organizations should consider themselves duly warned.



OLD SCHOOL HACKTIVISM

Examples of old-school hacktivist attacks include campaigns like Operation KKK
against Ku Klux Klan supporters and members, the campaign against the United
Nations in retaliation for not granting a seat to Taiwan, Operation AntiSec,
whose goal was to steal and publish classified government documents, #Opwhales
to support whale preservation, and more. In some cases, there were even
contradictory campaigns executed by Anonymous within the same year, such as the
#OpTrump and #OpHillaryClinton campaigns.



Figure 1 – Example of contradictory campaigns executed by Anonymous 

 


HACKTIVISM MODEL 2022 – MOBILIZATION TO GOVERNMENT AGENDAS

The shift in hacktivism began quietly 2 years ago in the Middle East, with
several hacktivist groups like Hackers of Savior, Black Shadow and Moses Staff
that focused exclusively on attacking Israel. Most did not hide their
affiliation with the Iranian regime’s anti-Israel narrative. In parallel,
several other groups in the Middle East, the most prominent being Predatory
Sparrow, focused solely on attacking pro-Iranian targets. Their only shared
agenda is opposition to the Iranian regime.

The geo-political agenda that mobilized hacktivism is not limited to the Middle
East but is also an essential part of the Russian-Ukrainian war. In early 2022,
the Belarusian Cyber-Partisans group, formed in 2020 to oppose the Belarussian
government, began launching destructive cyber-attacks to stymie Russia’s troops.

The IT Army of Ukraine was publicly mobilized by the Ukrainian government to
attack Russia. The new hacktivism also saw groups that supported the Russian
geopolitical narrative, with groups like Killnet, Xaknet, From Russia with Love
(FRwL), NoName057(16), and more.

Although the new hacktivism started in specific and limited geographical areas,
the Russian-mobilized groups soon turned their focus from being solely on
Ukraine, but on anyone opposing the Russian agenda, i.e. Europe, the United
States and even Asia. This included significant attacks on governments and major
corporations in the US, Lithuania, Italy, Estonia, Norway, Finland, Poland,
Japan, and more.

These groups have also clearly stated agendas supporting Russian information
warfare and interests, as we can see in the manifest of Noname057(16).

 



Figure 2 – Manifest of Noname057(16) group 

This group has a clear pro-Russian agenda, and has been regularly targeting
Ukraine, and expanding their focus. During the last few months, Noname057(16)
targeted many countries in the European Union which publicly supported Ukraine,
such as Poland, Lithuania, Latvia, Slovakia and Finland. NoName057(16) also
notably attacked the website of the Finnish Parliament in August, after Finland
expressed interest in joining NATO.



Figure 3 – Noname057(16) targeting of Finnish Parliament

From Russia with Love (FRwL) is another group that sticks to the same
state-mobilized modus operandi but gets less public attention. The group focuses
on publishing private information on its Telegram channel and claims to have
committed several attacks on “Russia’s enemies.” They claim to have gained
sensitive information on Estonia and Lithuania by accessing Telegram channels
related to the Ukrainian Security Service. FRwL joined the wave of attacks on
Lockheed Martin and its subcontractors who produce HIMARS, that are part of the
American assistance delivered to Ukraine. FRwL also claimed to breach Gorilla
Circuits, a USA Printed Circuit Board Manufacturer, who are one of Lockheed
Martin’s suppliers.

On the other side of the conflict, there are also multiple mobilized hacktivist
groups who side with Ukraine. Some, like the IT Army of Ukraine, are officially
run by the Ukrainian government. The IT Army of Ukraine was established days
after the Russian invasion began and coordinated skilled volunteers from all
over the world to operate under Ukrainian directive. According to CSS Zurich,
the IT Army consists of both multiple global volunteers that work to coordinate
DDoS attacks against Russian targets, and an additional team that works on
deeper levels, perhaps comprised of Ukrainian defense and intelligence experts
that can carry out more complicated cyber operations against specific Russian
targets.

One of the most dominant groups joining the IT Army of Ukraine is TeamOneFist,
the Pro-Ukraine collective that in August targeted Khanty-Mansiysk City in
Russia, damaging the natural gas power plant and also causing a blackout at its
airport.



Figure 4 – Team OneFist claims on the attack against Khanty-Mansiysk city in
Russia

Although the pro-Ukrainian-mobilized groups currently focus exclusively on
Russia, they still established precedents for state-affiliated and mobilized
hacktivism.

During the last few months, we also saw a clear proliferation of Iranian
state-mobilized hacktivism targeting Europe and NATO. On July 15, 2022, Albania
suffered a serious cyberattack which temporarily shut down numerous Albanian
government digital services and websites. The group that took responsibility for
this attack is a hacktivist group called Homeland Justice, which is affiliated
with Iran’s Ministry of Intelligence and Security. In this case, Homeland
Justice clearly serves the Iranian government’s agenda against Mujahedin-e-Khalq
(MEK), an Iranian dissident group sheltered by the Albanian government.

 


KILLNET CASE STUDY – STARTING EAST AND GOING WEST

One of the major actors in the hacktivist ecosystem is Killnet, which was
publicly launched around the end of February 2022, at the start of the
Russian–Ukrainian war. The group began their aggressive activity in March, with
targets mostly in Ukraine. However, in April the group completely shifted its
focus to support Russian geopolitical interests all over the world. Between late
February and September, the group claimed to have executed more than 550
attacks. Only 45 of them were against Ukraine, less than 10% of the total number
of attacks.

 



Figure 5 – Distribution of Killnet attacks by country

Many of those attacks were against high-profile targets like major government
websites, large financial companies, airports, and more. While in some cases it
is difficult to understand the real impact, in many cases the attacks were
clearly successful. They caused downtime for major websites, many of which
provide essential public services.

Here are several examples of the attacks executed by Killnet:

 1. In March, the group executed a DDoS attack on Bradley International Airport
    in Connecticut (US). The US authorities confirmed an attempted large-scale
    DDOS attack on the airport’s website.



Figure 6 – Announcement about the attack against Bradley International Airport

 2. In April, websites belonging to the Romanian Government, such as the
    Ministry of Defense, Border Police, National Railway Transport Company and a
    commercial bank, were rendered unreachable for several hours. These attacks
    were in response to a statement made by the Romanian leader of the Social
    Democratic Party Marcel Ciolacu, who offered to provide weapons to Ukraine.



Figure 7 – Announcement about the attack against the Romanian government

 3. In May, major DDOS attacks were executed against two major EU countries:
    * Several German targets were affected, including German government and
      politicians’ websites, among them Chancellor Olaf Scholz’s
      party-affiliated site, Germany’s Defense Ministry, the German Parliament,
      Federal Police and several state police authorities. All this was a
      response to the Scholz administration’s efforts to supply military
      equipment to Ukraine. The government authorized the transfer of 50 Gepard
      anti-aircraft installations and announced the delivery of seven
      self-propelled, rapid-fire artillery systems.
    * Italy’s Parliament, military and National Health Institute were
 4. In June, two very significant waves of attacks were executed against
    Lithuania and Norway in response to severe geopolitical developments between
    those countries and Russia:
    * Following the decision of Lithuania’s government to halt the transit of
      Russian goods to Kaliningrad, a wave of major attacks hit Lithuanian
      public services and the private sector. During the attack, Jonas
      Skardinskas, the Head of cybersecurity at the Lithuanian National Cyber
      Security Center (NCSC), warned that the disruptions might continue for
      several days with the transport, energy and financial sectors bearing the
      brunt of the attacks. At some point, the majority of Lithuanian websites
      were not accessible from IP addresses outside of the country, most likely
      as a preemptive measure to mitigate the attack.
    * The same month, several large Norwegian organizations were taken offline.
      This attack was believed to be executed as a result of a dispute over
      transit through Norwegian territory to an Arctic coal-mining settlement
      controlled by Russia.
 5. In July, Killnet focused their efforts on Poland and caused several
    government websites to be unavailable. Most of the attacks were directed
    against government portals, tax authorities and police websites.
 6. August was quite a busy month for Killnet. It started with an attack on
    Latvia. After declaring Russia a “State sponsor of Terrorism”, the Latvian
    Parliament’s website suffered a major DDoS attack. Later in the month,
    Estonia faced its most extensive cyber-attacks since 2007, as a response to
    the removal of Soviet monuments. The effectiveness of those attacks was
    questionable, as it seems that Estonia was well prepared for such scenarios.
    During August, Killnet also started focusing on the United States. The giant
    American manufacturer Lockheed Martin was heavily targeted by Killnet as a
    response to providing military systems to the Ukrainian army. In parallel,
    Killnet also targeted the US Electronic Health Monitoring and Tracking
    System and the US Senate, which was debating sending additional aid to
    Ukraine.



Figure 8 – Announcement about the attack against Lockheed Martin

 7. In September, the group targeted Asia for the first time and focused its
    efforts on Japan, due to Japan’s support for Ukraine. With the escalation of
    the Russian–Japanese conflict over the Kuril Islands, Killnet successfully
    attacked multiple top Japanese websites, including the e-government, the
    public transportation websites for Tokyo and Osaka, the JCB payment system,
    and Mixi, Japan’s second largest social media site.



LEADERSHIP, RECRUITMENT & TOOLS


ORGANIZATIONAL STRUCTURE

The major hacktivist groups that arose during the past year are characterized by
their well-structured operations which allow them to not only achieve targeted
attacks in waves but also attract more skilled individuals. These individuals
are usually motivated by a clear state-affiliated ideology, and their goals are
incorporated into a manifesto and/ or set of rules to follow. For example,
Killnet has more than 89,000 subscribers on their Telegram channel and is
organized in a military-like structure with a clear top-down hierarchy. Killnet
consists of multiple specialized squads to perform attacks which answer to the
main commandment. There are currently around a dozen sub-groups, the main one
being Legion. All of these groups are led by an anonymous hacker called
KillMilk, who announced his intention to go solo in July, but is still involved
in the group’s activity. Legion and the squads (known as: “Jacky”, “Mirai”,
“Impulse”, “Sakurajima”, “Rayd”, “Zarya”, “Vera”,  “Phoenix”, “Kajluk”, “Sparta”
and “DDOSGUNG”) are referred to as Killnet’s special forces, with Legion
referred to as its Cyber Intelligence Force.



Figure 9 – Recruitment announcement to the squads of the Legion

Multiple small squads are organized around the largest group and its former
leader, KillMilk, which relays attack orders to each group’s “commander”, which
allows independent infrastructures, inevitably improving the survival of the
entire organization. This proves effective as the squads continue to recruit
members and increase in number. Their Telegram page contains rules, discussions
about targets, and instructions on joining/creating additional squads by members
who seek autonomy or “promotion.”





Figure 10 – Rules of the Legion

Killnet’s evolution has put them in a position where other groups want to
collaborate with them or officially join forces.


RECRUITMENT

Another interesting and new phenomenon concerns the groups’ recruitment methods.
Unlike Anonymous, who takes pride in welcoming everyone, with no requirement of
proof of skills or specific agenda, the new era hacktivists only accept members
who meet certain minimum requirements.



Figure 11 – Required professionals to Killnet

Many groups, such as Killnet and its squads, choose to invest in “proper”
recruitment programs advertised on their Telegram channels. Some groups have a
pre-selection process to bring only skilled hackers or experts in a particular
field, to reduce the risk of making mistakes that could expose the whole
operation.



Figure 12 – Recruitment form to the squads of the Legion

However, recently we observed KillNet relaying DDoS attacks instructions to the
masses, perhaps due to a lack of manpower to carry out all its intended actions.



Figure 13 – DDoS attacks instructions by Killnet

On several occasions, we also saw KillNet offering rewards for individuals
performing real-world, not virtual, vandalism in Ukraine.



Figure 14 – KillNet offering a reward for anyone willing to physically sabotage
monuments on their behalf in Ukraine

The recruitment process is similar for many Russian state-mobilized groups. For
example, XakNet (who also refer to themselves as the “Team of Russian Patriots”)
is a Russian-speaking group that has been active as early as March 2022. XakNet
threatened to retaliate against Ukrainian organizations for any cyber-attacks
carried out against Russia and has targeted several entities within Ukraine and
leaked the contents of a Ukrainian government official’s email. XakNet declared
they will not recruit hackers, pentesters, or OSINT specialists without proven
experience and skills.



Figure 15 – XakNet talent acquisition announcement

Other groups, like the pro-Russian NoName057(16), may offer training through
different means such as e-learning platforms, tutorials, courses or mentoring.


TOOLS & TECHNOLOGICAL PROWESS

Hacktivist groups strive to utilize more advanced tools in their attacks, as the
more damaging the attacks, the more exposure and notoriety for the group. We
have seen flashes of advanced tactics globally, but with the immediate and
repetitive nature of hacktivism campaigns, most of the activity was focused
around DDoS attacks through the use of huge botnets:



Figure 16 – Killnet’s claim about the size of their botnet

According to Avast, NoName057(16) uses a RAT known as Bobik, which has been
around since 2020 together with Redline stealer. Recent reports state that
devices infected with Bobik are part of a botnet carrying out DDoS attacks on
behalf of NoName057(16).

In some cases, we see the group allegedly uses much more sophisticated
destructive tools. For example, TeamOneFist is linked to destructive activities
against Russian SCADA systems, and the Belarusian Cyber Partisans breached the
computer systems of Belarusian Railways, right before the conflict started. In
August, From Russia with Love (FRwL), claimed to have written their own
Locker-like ransomware called “Somnia”.



Figure 17 – From Russia with Love claim about launch of ransomware


CONCLUSION 

Conflicts in Eastern Europe and the Middle East in the last few years affected
the lives of many and escalated situations in broad domains across the world.
One of the most significant escalation can be observed in the cyberspace
ecosystems. During the previous decade, hacktivism was mostly a buzz word, which
did not pose significant risks to global organizations. Having become more
organized, structured, and sophisticated, hacktivism has ushered in a
renaissance era. More concerning now is, many hacktivist groups have a very
clear state-affiliated agenda and serve the special interests of specific
governments. Even though this all began in specific conflict areas, we already
see its proliferation to the west and beyond. We further expect hacktivist
operators to enhance their arsenal and unleash state-level destructive attacks.
Another growing worry is the fact that more and more governments are inspired by
the success of new state-mobilized hacktivist groups, which may signify this
phenomenon is here to evolve into a long-term activity.


RELATED ARTICLES


BUMBLEBEE: INCREASING ITS CAPACITY AND EVOLVING ITS TTPS


RESEARCHING XIAOMI’S TEE TO GET TO CHINESE MONEY


NEW MALWARE CAPABLE OF CONTROLLING SOCIAL MEDIA ACCOUNTS INFECTS 5,000+ MACHINES
AND IS ACTIVELY BEING DISTRIBUTED VIA GAMING APPLICATIONS ON MICROSOFT’S
OFFICIAL STORE


NEW WORMABLE ANDROID MALWARE SPREADS BY CREATING AUTO-REPLIES TO MESSAGES IN
WHATSAPP


VULNERABILITY IN GOOGLE PLAY CORE LIBRARY REMAINS UNPATCHED IN GOOGLE PLAY
APPLICATIONS


GRAPHOLOGY OF AN EXPLOIT – HUNTING FOR EXPLOITS BY LOOKING FOR THE AUTHOR’S
FINGERPRINTS


KEEPING THE GATE LOCKED ON YOUR IOT DEVICES: VULNERABILITIES FOUND ON AMAZON’S
ALEXA


NEW JOKER VARIANT HITS GOOGLE PLAY WITH AN OLD TRICK


WOULD YOU LIKE SOME RCE WITH YOUR GUACAMOLE?


“THE TURKISH RAT” EVOLVED ADWIND IN A MASSIVE ONGOING PHISHING CAMPAIGN


REMOTE CLOUD EXECUTION – CRITICAL VULNERABILITIES IN AZURE CLOUD INFRASTRUCTURE
(PART I)


CANADIAN BANKS TARGETED IN A MASSIVE PHISHING CAMPAIGN


3RD OCTOBER – THREAT INTELLIGENCE REPORT


7 YEARS OF SCARLET MIMIC’S MOBILE SURVEILLANCE CAMPAIGN TARGETING UYGHURS


NATIVE FUNCTION AND ASSEMBLY CODE INVOCATION


19TH SEPTEMBER – THREAT INTELLIGENCE REPORT

Publications
 * GLOBAL CYBER ATTACK REPORTS
 * RESEARCH PUBLICATIONS
 * IPS ADVISORIES
 * CHECK POINT BLOG
 * DEMOS

Tools
 * SANDBLAST FILE ANALYSIS
 * URL CATEGORIZATION
 * INSTANT SECURITY ASSESSMENT
 * LIVE THREAT MAP

About Us
Contact Us
Subscribe

© 1994-2022 Check Point Software Technologies LTD. All rights reserved.
Property of CheckPoint.com | Privacy Policy

×
Tweet
Share
Share
Share
Email
Pin
Share
Share


We'd like to show you notifications for the latest news and updates.


AllowCancel