
Op-Ed: Hacktivism — different agendas, same damage

While monetary gain has long been the predominant motive for cyber attacks, the rapidly changing geopolitical and social landscape has seen hacktivism become increasingly prevalent and dangerous. We have witnessed an enormous increase in the number and claimed impact of hacktivist attacks over the past year, with the goal of spreading a message or causing physical disruption leading to significant real-world consequences.

Hamish Armati
Fri, 24 Mar 2023

While these attacks aim to cause disruption to wider political and social agendas, organisations, especially those operating in critical infrastructure, are often the direct victims.

Hacktivist groups that took the stage in 2022

Much like activists, politically and socially aligned cyber criminals are coming together to spread their message, cause disruption, and make an impact on global issues. Over the past 12 months, the war in Ukraine has been repeatedly impacted by hacktivists, and governments are increasingly aware of the potential impact these groups can have.

In 2022, a range of hacktivist groups came into the public light:

    • Team OneFist: Founded in March 2022, Team OneFist is a group of international hackers. The hacktivist group is pro-Ukrainian and aligned with many other hacktivist groups to target Russia. Team OneFist targeted a range of Russian infrastructure, such as telecommunications, utilities, and manufacturing organisations. Their goal was to deny Russia access to services and cause disruption. Other groups that protested against Russia include AnonGh0st, which hacked Russian devices, including street lighting systems and satellite systems, disrupting navigation for Russia, and Network Battalion 65 (NB65), which hacked IP cameras and exposed SCADA systems.
    • Gonjeshke Darande: Also known as Indra or Predatory Sparrow, this hacktivist group attacked three Iranian steel plants associated with the Iranian Revolutionary Guard Corps (IRGC). The group released a video that captured a fire breaking out as a result of their attack. In 2021, the group was also linked to an attack on Iranian railways that caused massive delays, and another attack on the Ministry of Roads and Urban Development, which led to the national fuel payment system going offline.
    • GhostSec: Active since 2015, this hacktivist group features members from several countries and doesn’t have a single political agenda. The group has attacked unmanaged devices in industries, including retail, telecom, hotels, and utilities across the world, with Israel, Russia, Iran, and Nicaragua all falling victim. Closely affiliated hacktivist group SiegedSec attacked Rockwell PLCs after the US overturned the federal right to have an abortion.
    • Anonymous: One of the oldest and most well-known hacktivist groups, Anonymous too targeted Russia following the war, attacking Russian IoT equipment such as printers and IP cameras, some of which live-streamed Russian military personnel.

Organisations caught in the crossfire

In most cases, hacktivist attacks are largely opportunistic, focusing on a country or industry rather than a particular organisation. However, many organisations that operate within the targeted country or sector can be caught in the crossfire of these attacks. Once the initial target scope is defined, some groups will focus on large-scale attacks by finding similar device models in several organisations and attacking them simultaneously.

Critical infrastructure organisations often fall victim to these threats, as they largely operate with OT devices and equipment. Industries such as utilities and manufacturing become expected targets; however, due to the widespread use of IoT and OT equipment, such as UPS, VoIP, and building automation controllers, industries such as telecommunications and retail also fall victim. It is important to note that hacktivists aim to cause disruption for governments and countries, so the sectors and organisations with the greatest impact on the wider public become prime targets. Forescout found that nearly two-thirds (65 per cent) of all hacktivist attacks have occurred on telecommunication (34 per cent), utilities (23 per cent), and manufacturing (8 per cent) organisations. Of all successful attacks, the most common end goal for hacktivists was manipulation and control of the network (79 per cent), with the second aim being to destroy data (9 per cent).

Although organisations may not have specifically provoked hacktivist groups themselves, this does not mean they shouldn’t prepare for becoming a target of these attacks. Moving forward, organisations — especially critical infrastructure — should ensure their unmanaged devices, such as IoT and OT equipment, are appropriately protected.

Protecting against the cyber protests

As hacktivism continues to grow, cyber hygiene practices such as hardening, network segmentation, and monitoring must be extended to encompass every device in an organisation, not only traditional, managed IT devices.

Organisations need to:

  • Harden connected devices: Organisations need to identify every device connected to the network and its compliance state, such as known vulnerabilities, used credentials and open ports. Default or easily guessable credentials should be upgraded to strong, unique passwords for each device, and unused services should be disabled. Vulnerabilities should be patched immediately.
  • Segmentation: Organisations need to ensure unmanaged devices are not exposed directly on the internet, with very few exceptions, such as routers and firewalls. Companies can look to segment their network to isolate IT, IoT, and OT devices. Network connections should then be limited to specifically allowed management and engineering workstations, or to unmanaged devices that genuinely need to communicate.
  • Monitoring: Organisations can implement IoT/OT-aware, DPI-capable monitoring solutions that alert on malicious indicators and behaviours. Solutions can watch internal systems and communications for known hostile actions such as vulnerability exploitation, password guessing, and unauthorised use of OT protocols. Furthermore, monitoring large data transfers will help to prevent or mitigate data exfiltration. Finally, organisations should consider monitoring the activity of hacktivist groups on Telegram, Twitter, and other sources where attacks are planned and coordinated.
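The three controls above (hardening, segmentation, monitoring) can be expressed as concrete checks. The following is an added example written for this article, not code from the author or from Forescout: a small Python checker that runs over a constructed device inventory and constructed flow records and flags default credentials, unused open services, unpatched devices, OT protocols spoken from outside the engineering segment, unmanaged devices reachable from the internet, repeated authentication failures, and large outbound transfers. The subnets, port numbers, thresholds, field names and the CVE placeholder are assumptions chosen for illustration.

```python
"""Added example (not from the op-ed): hardening, segmentation and monitoring
checks over constructed IoT/OT inventory and flow records."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed segmentation plan: which subnet holds which class of device.
SEGMENTS = {
    "engineering": ip_network("10.10.0.0/24"),  # engineering workstations
    "ot": ip_network("10.20.0.0/24"),           # PLCs, building automation
    "iot": ip_network("10.30.0.0/24"),          # cameras, UPS, VoIP
    "it": ip_network("10.40.0.0/24"),           # ordinary managed IT hosts
}
# OT protocol ports that only engineering hosts may use towards the OT segment.
OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}
# Assumed list of default credential pairs to flag during hardening checks.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
EXFIL_BYTES = 50 * 1024 * 1024  # assumed threshold for a "large" transfer
GUESS_THRESHOLD = 5             # failed logins from one source before alerting

# Constructed inventory: what an asset-discovery pass might report per device.
INVENTORY = [
    {"ip": "10.20.0.5", "user": "admin", "password": "admin",
     "open_ports": {502, 23, 80}, "required_ports": {502}, "known_vulns": []},
    {"ip": "10.30.0.7", "user": "ops", "password": "xK9#vQ2pL!m8",
     "open_ports": {554}, "required_ports": {554},
     "known_vulns": ["CVE-XXXX-PLACEHOLDER"]},  # placeholder, not a real CVE id
]

# Constructed flow records: "<src> <dst> <dport> <bytes> <result>".
FLOW_LINES = [
    "10.10.0.3 10.20.0.5 502 1200 ok",       # engineering -> PLC: allowed
    "10.40.0.9 10.20.0.5 502 900 ok",        # IT host speaking Modbus: alert
    "203.0.113.4 10.30.0.7 554 300 ok",      # internet host reaching a camera
] + ["10.40.0.9 10.30.0.7 22 80 auth-fail"] * 5 + [  # repeated login failures
    "10.30.0.7 198.51.100.20 443 60000000 ok",       # camera sending 60 MB out
]


def segment_of(ip):
    """Map an address to its planned segment, or 'external' if it is in none."""
    for name, net in SEGMENTS.items():
        if ip_address(ip) in net:
            return name
    return "external"


def hardening_findings(inventory):
    """Flag default credentials, open unused services and unpatched devices."""
    findings = []
    for dev in inventory:
        if (dev["user"], dev["password"]) in DEFAULT_CREDS:
            findings.append((dev["ip"], "default-credentials"))
        for port in sorted(dev["open_ports"] - dev["required_ports"]):
            findings.append((dev["ip"], f"unused-service:{port}"))
        if dev["known_vulns"]:
            findings.append((dev["ip"], "unpatched:" + ",".join(dev["known_vulns"])))
    return findings


def parse_flow(line):
    """Parse one constructed flow record into a dict."""
    src, dst, dport, nbytes, result = line.split()
    return {"src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "result": result}


def monitoring_alerts(flow_lines):
    """Apply segmentation and behaviour rules to flow records in order."""
    alerts = []
    failed = Counter()
    for line in flow_lines:
        f = parse_flow(line)
        s_seg, d_seg = segment_of(f["src"]), segment_of(f["dst"])
        # Unauthorised use of an OT protocol: only engineering hosts may do this.
        if f["dport"] in OT_PORTS and d_seg == "ot" and s_seg != "engineering":
            alerts.append((f["src"], f"unauthorised-{OT_PORTS[f['dport']]}-to-{f['dst']}"))
        # Unmanaged device reachable from outside the network.
        if s_seg == "external" and d_seg in ("ot", "iot"):
            alerts.append((f["dst"], f"internet-exposed-from-{f['src']}"))
        # Password guessing: alert once when a source reaches the threshold.
        if f["result"] == "auth-fail":
            failed[f["src"]] += 1
            if failed[f["src"]] == GUESS_THRESHOLD:
                alerts.append((f["src"], "password-guessing"))
        # Possible exfiltration: large transfer to an external destination.
        if d_seg == "external" and f["bytes"] >= EXFIL_BYTES:
            alerts.append((f["src"], f"large-outbound-transfer:{f['bytes']}"))
    return alerts


if __name__ == "__main__":
    for ip, finding in hardening_findings(INVENTORY):
        print(f"HARDENING {ip}: {finding}")
    for ip, alert in monitoring_alerts(FLOW_LINES):
        print(f"ALERT {ip}: {alert}")
```

The hardening pass is a compliance snapshot of the inventory (it needs no traffic), while the monitoring pass is stateful so that a password-guessing alert fires once per source at the threshold rather than on every failure; a real deployment would feed the same rules from an asset-discovery tool and DPI sensor rather than from the constructed records embedded here.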

Hacktivist attacks will not slow down, as cyber evolution and political agendas will never fade. As critical infrastructure remains a primary target, organisations with IoT and OT infrastructure should review their cyber hygiene and, furthermore, how to protect all devices across their landscape.

By doing this, organisations can mitigate their odds of falling victim to hacktivist disruption.

Hamish Armati is the director of technical services (APJ) at Forescout Technologies.
