By Manish Gohil, Senior Associate, Dragonfly
The war in Ukraine has seen the emergence of highly disruptive cyber criminals, motivated less by money than by ideology. These ‘hacktivists’ are actively targeting businesses to further their interests – those backing Moscow have been posing a threat to Western states as well as to the operations and reputation of organisations. Corporate exposure to pro-Russia hacktivism is substantial. Yet it does not appear to be a priority concern for businesses, leaving them exposed to attacks in a rapidly evolving threat landscape.
Hacktivist groups, both current and past, have sought to cause nuisance and disruption to governments and corporations alike, in line with their ideological goals. We saw this last year with high-profile data breaches by an environmental hacker collective called ‘Guacamaya’, which affected national governments and militaries in Mexico and other parts of Latin America. Their tactics are not particularly sophisticated, typically involving website defacements and Distributed Denial of Service (DDoS) attacks – that is, flooding target networks with an overwhelming amount of traffic. The operations are often timed to cause maximum disruption.
However, many corporate cyber teams do not appear to be looking at these threat groups as seriously as they should, putting their companies on the back foot, across a range of geographies. I argue that this stems from a limited understanding of the geopolitical and security landscape and the developments spawning these groups, as well as a weak grasp of how, when and why they operate, and who they are intent on pursuing.
Real-world events – politics, war, sanctions – arguably exert the biggest influence over the tactics and techniques employed by hacktivists. The Ukraine war is a case in point. It has led to the creation of new – and the re-emergence of dormant – hacker groups. Each side in the conflict is now able to draw on cyber actors willing to fight for their respective cause.
Ukraine’s volunteer ‘cyber army’ has impacted key Russian sectors, while pro-Russia groups have launched widespread DDoS attack campaigns against European states over their support for Ukraine. The latter have hit sectors such as banking, finance, energy and transport. And, recently, they have upped the ante by explicitly threatening to carry out what they describe as destructive hacks against Western financial entities, in an attempt to paralyse global payment systems.
While most pro-Russia hacktivist groups stalking corporations do not appear to be capable of inflicting significant damage or major financial loss, they nonetheless present a persistent disruptive threat. The groups’ goals are to exert pressure and cause embarrassment, often making demands aimed at drawing businesses deeper into their line of fire. This has forced more and more decision-makers to adopt a defensive posture, for instance through enhanced DDoS protections. Such is the danger they pose that the UK National Cyber Security Centre this year warned that these state-aligned groups intended to launch “destructive and disruptive attacks”.
As a way of boosting their profile, hacktivists have also turned to brazen, coercive tactics and threats to pressure their victims. This summer, the hacktivist group ‘Anonymous Sudan’, which supports Russia, claimed responsibility for DDoS attacks against a major European airline and Microsoft 365 services. And the prolific pro-Russian ‘Killnet’ collective has escalated its threats, warning of physical attacks against a target organisation (such as the burning of offices and the singling out of employees). While such threats are probably overblown, they are effective because of the psychological pressure they can place on companies and their staff.
States’ leveraging of hacktivists complicates the threat to businesses. There has been growing evidence of collusion between the Russian state and pro-Russia groups since the Ukraine war broke out in February 2022. The cybersecurity firm Mandiant said earlier this year that it had identified three “so-called hacktivist groups” that appeared to be working with – or operating as a front for – the Russian intelligence agencies. An unverified, leaked US intelligence report this year revealed coordination between a pro-Russia hacktivist group and the Russian FSB domestic security service in an operation that could potentially have damaged a Canadian gas facility.
Many corporations do not have a sense of the hacktivist threat they face until they have been targeted. However, with a greater understanding of the geopolitical landscape, cybersecurity teams would be better equipped to identify and track developments or indicators that might place their organisation in hacktivist crosshairs. A whole series of events during the Ukraine war have sparked a near-immediate response by pro-Russia hacktivists. These have included DDoS attack campaigns on specific countries, sectors and firms.
The most likely triggers for pro-Russia campaigns include the following developments: new sanctions packages against Russia; disputes over trade in or transit of Russian goods; announcements of significant military assistance to Ukraine; European countries’ expulsion of Russian diplomats; the removal of Soviet monuments, particularly in eastern European countries; and approaching national elections in North America and Europe. Regarding the last of these, pro-Russia hacktivists will almost certainly see the upcoming Polish elections on 15 October as a prime opportunity to strike at entities and companies there.
All the evidence suggests that the hacktivist menace is not going to go away anytime soon. Organisations not only need to become alert to the dangers but must also try to anticipate them. In so doing, they can then begin to mitigate their impact. The fast-moving and dynamic way in which these new cyber threats evolve means cyber professionals require an edge. Geopolitical intelligence has a critical role to play here. Having the capacity to forecast real-world risks – such as revolution, insurrection, and war – and simultaneously identify ensuing cyber threats will increasingly become critical to the protection of organisations.
About the Author
Manish Gohil is a Senior Associate covering cyber risks at Dragonfly, a geopolitical and security risk consultancy firm based in London. He has several years of experience in helping organisations anticipate geopolitical risks globally, including topics on how real-world events impact the cyber threat landscape. Manish previously led coverage on the South Asia region on political and security issues, and is a Certified Security Management Professional. manish.gohil@Dragonflyintelligence.com, https://www.dragonflyintelligence.com/