SAN FRANCISCO – Nation-state threat actors are increasingly masquerading as hacktivist groups to fuel disinformation campaigns and other threats, making it harder for security teams to determine which activities pose a legitimate risk to the organization.
During an RSA Conference 2024 session on Monday, Alexander Leslie, associate threat intelligence analyst at Recorded Future, discussed the progress of hacktivism in recent years, as well as evolving motivations, expanding targets and which groups pose the greatest risk to enterprises. Leslie’s research highlighted hacktivism campaigns Recorded Future observed during the Russia-Ukraine and Israel-Palestine wars.
Speaking to TechTarget Editorial before the session, Leslie emphasized that Russia’s invasion of Ukraine in 2022 was a turning point that reshaped the threat of hacktivism. Now, the trends the threat intelligence provider has tracked for a decade are rapidly changing, causing concern for enterprise security teams.
Organizations are already struggling to maintain effective security postures due to an influx of vulnerabilities, rapid adaptation of threat actors and a lack of resources. Current hacktivism trends not only add to the challenges, but also make threat prioritization more difficult.
“We have determined that many claims made by cybercriminals and hacktivist groups related to Israel and Ukraine are misinformation or disinformation,” Leslie said. “It’s meant to create a fog of war theme – the goal is to mask real threats to your organizations, whether it’s ransomware, espionage, payment card fraud or identity theft.”
Leslie’s presentation focused on Ukraine, as this is where Recorded Future first observed the threat rising. On February 24, 2022, when Russia initially invaded Ukraine, Recorded Future saw the largest spike in hacktivism activity in its threat intelligence platform since its collection began. Leslie said researchers identified 25,000 to 30,000 references a month in hacktivist claims related to pro-Ukraine or pro-Russia positions on the messaging service Telegram and social media platforms.
After 10 years of tracking hacktivist activity, Recorded Future began to observe a shift in motivations and behavior.
“What we consider hacktivism in 2024 is more nuanced and nefarious. The lines between what we consider financial and politically motivated cybercrime continue to blur,” said Leslie. “What is the motivation? Are they ego-driven, or do they now understand that cybercrime is actually profitable? Recorded Future is concerned.”
Leslie emphasized that hacktivist groups are now turning to dark web marketplaces and engaging in ransomware-as-a-service operations. In addition, Recorded Future observed that the threat actors advertise initial access to victim organizations and sell databases on dark web forums. This activity indicates financially motivated threat actors with no political agenda, which is inconsistent with past hacktivist behavior.
Side motives
Global scale is another notable aspect of the evolution of hacktivism, Leslie emphasized. Over the past 20 years, targets have been mostly US-centric. Now targets are expanding, as evidenced by the war in Ukraine, which has seen support campaigns for both sides. “Internationalism of hacktivism is something we’ve never seen before,” Leslie said.
To navigate the evolving hacktivist threat fueled by disinformation, Leslie said it’s important for businesses “to understand that the volume of attacks claimed by a group does not equate to impact.” He emphasized that successful, disruptive attacks require time, resources, personnel and skills that most hacktivist groups are unable to achieve.
For example, the Iranian nation-state threat group tracked as Cyberav3ngers claims to be a pro-Palestinian hacktivist group, but Leslie said its activities have shown otherwise. Last year, CISA published an advisory that Cyberav3ngers are targeting US water and wastewater system facilities. Leslie said this is one example where Iranian intelligence services have used hacktivist groups for the sake of plausible deniability.
“You never see hacktivist groups targeting critical infrastructure, much less something as critical as water,” he said.
Another example was a threat actor Recorded Future tracks as FreeCivilian, which claimed to be a hacktivist group to fend off accusations of Russian state-sponsored attacks. When Russia initially invaded Ukraine, Recorded Future observed that FreeCivilian dropped several database breaches related to Ukrainian government entities.
Leslie said Ukraine-based organizations and Western cybersecurity vendors have since attributed the activity to a threat actor CrowdStrike tracks as Ember Bear, which is associated with Russia’s GRU military intelligence agency.
“The GRU effectively posed as a cybercriminal hacktivist group on RaidForums to provide the Kremlin with credible deniability,” he said.
Another example of a hacktivist persona is the Russian advanced persistent threat group Sandworm, which Mandiant upgraded to APT44 earlier this month. Leslie said that, like the other groups, its purpose is to provide credible deniability for the GRU.
One hacktivist group that Recorded Future considers to be of high credibility is Network Battalion 65. While the pro-Ukrainian group has carried out fewer than five attacks in two years, Network Battalion has been extremely effective. The group deployed ransomware and used leaked Conti ransomware code.
Unlike many other hacktivist groups such as KillNet, which Leslie described as an “ego-driven” group focused on getting attention, Recorded Future sees Network Battalion’s claims as credible. Leslie cited Network Battalion’s attack against the All-Russia State Television and Radio Broadcasting Company in 2022 as an example of a genuinely disruptive attack.
“If you ever identify an unusual rate or volume by a hacktivist group with no prior activity, it often indicates disinformation or ulterior motives,” he said. “Hacktivist groups hardly know when to stop. Limited campaigns with defined start and end times are a red flag.”
Leslie’s presentation highlighted that an overwhelming number of claims made by hacktivists are false. False claims allow threat actors to weaponize misinformation and capitalize on the fallout.
He urged businesses to be “patient and discerning” regarding cybersecurity threats in the context of hacktivism. Because of false claims and other factors, attribution is often difficult. Leslie emphasized that misattribution can lead to the wrong response, and companies can spend time and resources addressing threats that don’t even affect them.
Unlike other threats such as ransomware, the most active hacktivist groups are not necessarily the most dangerous. Leslie said KillNet was the most active group on social media and claimed responsibility for hundreds of attacks from 2022 to 2024. However, the attacks had little impact on organizations.
“It is irresponsible for an organization to make intelligence requirements based solely on cyber threat activity,” he said.
Rather, Leslie said it’s important to sift through the misinformation to identify legitimate threats to the organization. He urged businesses not to make hasty decisions and to always verify hacktivist claims. If a claim involves anything related to critical infrastructure, organizations should treat it as a red flag.
Leslie also warned that the threat could grow as the Russia-Ukraine war and Israel-Palestine conflict continue to unfold.
“Unverified hacktivist chatter is not good for organizations making decisions about security postures because hacktivist chatter is mostly disinformation by default,” he said. “Recorded Future assesses that misinformation will continue to pose a threat to analysts, journalists and observers.”
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.