Hactivism 101

Hacktivism is the use of cyber attacks and sabotage to communicate politically motivated causes; it is as old as the internet. Sole hacktivists have always acted in an individual manner to demonstrate their protest using various attack methods. One popular attack has been, and continues to be, the defacement of websites- Microsoft’s website, for example, was displaced with a Saudi Arabian flag.

Something else happens when hacktivists group together; they commonly perform what’s called a Distributed Denial of Service (DDoS) attack. With the increased number of participants they are able to flood the targeted website with traffic so that the server becomes overloaded. As the site attempts to process the large volume of malicious traffic it denies access from legitimate users and often crashes altogether.

The attacks have become automated, thus making them more powerful and harder to track, and have advanced in their techniques, however, the effect remains the same. Let us take a look at the recent Operation Payback which gained notoriety in the past few months.

Operation Payback is a series of DoS attacks carried out by hacktivists. Their initial goal was to bring down anti-piracy sites, such as the recording and media companies who attempted to act against illegal file sharers.

They even attacked law firms who threatened to bring the illegal downloaders to court. In the latest chain of activities they have also started targeting organizations that have spoken against Wikileak’s activities or any other form of “Internet censorhip”. MasterCard, for example, was attacked by the hacktivist group ‘Anonymous’ when they refused to process donations to the whistle-blowing site.

How does this group of hacktivists operate?

Hackers, in short order, build attack software designed to take down websites and services. This software is then made easily available for download by other hactivists. Once installed on a user’s machine it sits idly waiting for the attack command, and when the time is ripe for the attack a “wake up” call is issued to the malware on the hacktivist’s machine.

At that stage the machine will start spurting out the malicious traffic to the specific site. Using the power of the community, i.e. all involved hacktivists, the target is inundated with voluminous traffic which causes the servers to crash.

When looking at this specific group, we can see that social factors have a part to play. As the activities of Operation Payback received more media attention, the number of hacktivists joining the specific hacktivist network increased.

Modern hacking, in general, is motivated by data theft. Stolen credentials, credit card numbers and so forth are highly valued on the black market. Data is the currency of cyber crime so staying invisible is essential.

In contrast to other forms of cybercrime hacktivism is not motivated by money and actively seeks to gain as much attention as possible; high visibility is the key. Hacktivists are motivated by revenge, politics, ideology, protest and a desire to humiliate their victims- what would be the point of embarrassing someone if they didn’t know who performed the attack?

Another attention-grabbing DDoS attack was executed in June 2009 by hacktivists protesting against the Iranian elections. In this attack hacktivists operated from outside of Iran and targeted government and other state-sponsored websites. As a result, the Iranian government blocked access to different social network sites to prevent netizens from providing coverage regarding the current state of affairs on the street.

The current chain of events show that the industrialization of hacking (i.e. hacking-for-profit), as witnessed in the past couple of years, will continue to increase. Although there are threats originating from state-sponsored attacks, for example, North Korea DDoSing South Korea and US sites, there still remains another group of attackers.

These individuals remain in the background of the threat landscape as the aforementioned threats take the front seat. But every once in a while, they raise their head to protest in unison, carrying out their acts through the Internet channels. With the right power and means they may create much havoc and attention.

Noa Bar-Yosef is a senior security researcher with the Imperva Application Defense Center. She conducts research on database and Web application vulnerabilities. Previously, she has held TA positions in courses on programming and network security at Tel Aviv University and Open University. She has also been a software engineer with educational software vendor Sunburst Technology. Noa holds a Masters of Science degree (specialising in information security) from Tel-Aviv University, School of Computer Science and a Bachelors of Science degree from The Hebrew University, School of Computer Science. During her work in Imperva Noa has discovered multiple vulnerabilities in various commercial application and worked with software vendors on their resolutions. Noa also presented at a number of conferences including Infosec Canada (2008), SECRYPT 2007 (Spain).