During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labeled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.
The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organizations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge.
Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.
“I’m not going to say that hacktivism was dying, but it was definitely withering for some time,” says Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. For the past four or five years, Guerrero-Saade explains, hacktivism has often existed at extremes: low-level disruptions and more sophisticated attacks that could be cover for a nation-state’s hacking. “You have so many more players in the space and a much beefier middle ground between those two extremes,” Guerrero-Saade says of the current situation.
Russia’s invasion of Ukraine in February prompted a surge in hacktivism activity. Legacy hacktivist collective Anonymous was revitalized, but new groups were also formed. Ukraine’s unprecedented IT Army, a volunteer group of hackers from around the world, has continuously launched DDoS attacks against Russian targets that are outlined in its Telegram group. In June, a speech by Vladimir Putin was delayed after a cyberattack. Other hacktivist-linked groups have run huge hack-and-leak operations against Russian entities, resulting in hundreds of gigabytes of data from Russia being published online.
On the other side of the conflict, there are four main pro-Russian hacktivist groups, says Sergey Shykevich, threat intelligence group manager at security firm Check Point. These are: Killnet, NoName 057, From Russia With Love, and XakNet. Killnet is probably the most active of these groups, Shykevich says. “Since April, they have targeted around 650 targets—only about 5 percent of them were Ukraine.” Its targets, like the European Parliament, have largely been countries that oppose Russia. The group, which mostly uses DDoS attacks, is proactive on Telegram, media friendly, and appeals to Russian speakers.
DDoS attacks still have an outsize place within modern hacktivism. An FBI notification, issued in early November, says those behind DDoS attacks have “minimal operational impact” on their victims. “Hacktivists often select targets perceived to have a greater perceived impact rather than an actual disruption of operations,” the FBI said. In other words: The bark is often worse than the bite.
Erica Lonergan, a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University, says the impact of DDoS attacks is often overstated. Media reports can overemphasize the impact of DDoS, making it sound more severe than it is. “There’s this gap between the hyperbole of the language that’s used to talk about the types of attacks that these groups like Killnet are engaged in, and then the reality of their impact,” Lonergan says.
But it isn’t all DDoS. In South America, the Guacamaya hacktivist group claims to have hacked mining companies and leaked their internal emails. The politically motivated Belarusian Cyber Partisans, which formed in 2020 following Alexander Lukashenko’s election, has innovated as it disrupts Russian and Belarusian efforts linked to the war. The highly organized group became the first to use ransomware for purely political objectives. It has also claimed to have taken data from Russian government organizations and mapped the data of government officials who have backed Lukashenko’s regime.
Guerrero-Saade says the Cyber Partisans are part of a new style of hacktivists that use targeted sabotage and disruption. “To us, it looked very much like they’re an authentic group. They’re coordinating locally and trying out new ways to actually slow down or disrupt or inconvenience the local government away from supporting the war,” Guerrero-Saade says.
In Iran, the Predatory Sparrow group of hackers—which claims to be hacktivists—used a cyberattack to start a fire in a steel factory in July. The move was an incredibly rare use of a cyberattack to cause physical damage. In 2021, the Adalat Ali hacktivist group hacked and leaked CCTV footage from the notorious Evin political prison. The incidents were part of a larger series of cyberattacks between Iran and Israel. They show the potential extremes of hacktivism.
Check Point’s Shykevich says much of the hacktivism seen in 2022 can be classified as “state-affiliated” hacking. “In most cases, it’s difficult to tell if this group is guided or sponsored by a specific state organization,” Shykevich says. “But most of those groups, they have very clear pro or anti-regime narrative.”
Working out who is behind a cyberattack of any kind is always complex and difficult for organizations to do—attackers often try to disguise their activity or hide it from view. However, there is evidence some hacktivists are linked to individual countries. Researchers suspect Predatory Sparrow is linked to a government, for instance. Meanwhile, security firm Mandiant believes that the pro-Russian groups XakNet, Infoccentr, and Cyber Army of Russia all coordinate their operations with Russia’s GRU military hackers. The Cyber Army of Russia launched DDoS attacks against US organizations around the November midterm elections, with XakNet and KillNet also trying to influence the elections, Mandiant claims.
“They can be used in witting and unwitting ways by governments for political purposes,” Lonergan says. “Killnet for example, on the Russian side, has been pretty explicit in its Telegram channels of disavowing direct links with Moscow. But at the same time, they follow the implicit rules of the road of Russian cyber proxy groups.” Russian cybercrime groups rarely attack Russian targets, and the Kremlin has largely turned a blind eye to them.
The result is that while hacktivist groups are becoming more sophisticated and testing new tools, there’s increasing uncertainty about their origins. “There will be more hacktivism groups that will be more affiliated with governments,” Shykevich says. “Generally, this year the lines between what is governmental attack, hacktivism, and cybercrime have completely blurred.”
