Recorded Future observes 'concerning' hacktivism shift
At RSA Conference 2024, Recorded Future detailed alarming trends as nation-state attackers operate under the guise of hacktivism to cover real threats to organizations.
SAN FRANCISCO -- Nation-state threat actors are increasingly masquerading as hacktivist groups to fuel misinformation campaigns and other threats, presenting challenges for security teams to determine which types of activity pose a legitimate risk to the organization.
During an RSA Conference 2024 session Monday, Alexander Leslie, associate threat intelligence analyst at Recorded Future, discussed the progression of hacktivism in recent years, as well as evolving motivations, expanding targets and which groups pose the most significant risk to enterprises. Leslie's research highlighted hacktivism campaigns Recorded Future observed during the Russia-Ukraine and Israel-Palestine wars.
Prior to the session, Leslie spoke with TechTarget Editorial and stressed that Russia's invasion of Ukraine in 2022 marked a turning point that reshaped the hacktivism threat. Now, the trends the threat intelligence vendor tracked for a decade are quickly changing, raising concerns for enterprise security teams.
Organizations already struggle to maintain effective security postures due to an influx of vulnerabilities, rapidly adapting threat actors and a lack of resources. Current hacktivism trends not only contribute to the challenges but also make threat prioritization more difficult.
"We determined that many claims made by cybercriminals and hacktivist groups related to Israel and Ukraine constitute misinformation or disinformation," Leslie said. "It's intended to create a fog of war theme -- the purpose is to mask actual threats to your organizations, whether it be ransomware, espionage, payment card fraud or identity theft."
Leslie's presentation focused on Ukraine because that's where Recorded Future first observed the threat skyrocket. On Feb. 24, 2022, when Russia initially invaded Ukraine, Recorded Future saw the biggest spike in hacktivism activity in its threat intelligence platform since its collection began. Leslie said researchers identified 25,000 to 30,000 references per month in hacktivist claims related to pro-Ukraine or pro-Russia stances on the messaging service Telegram and social media platforms.
After 10 years of tracking hacktivist activity, Recorded Future began observing a shift in motivations and behaviors.
"What we consider hacktivism in 2024 is more nuanced and nefarious. The lines between what we consider to be financially, and politically motivated cybercrime are continuing to blur," Leslie said. "What is the motivation? Are they ego-driven, or are they understanding now that cybercrime is actually profitable? Recorded Future is concerned."
Leslie stressed that now hacktivist groups are standing up dark web marketplaces and engaging in ransomware-as-a-service operations. Additionally, Recorded Future observed the threat actors advertise initial access to victim organizations and sell databases on dark web forums. The activity signifies financially motivated threat actors with no political agendas, which doesn't align with past hacktivist behavior.
Recorded Future said the pro-Ukraine group Network Battalion 65 is one of the few hacktivist groups that makes credible claims regarding its attacks and doesn't overstate its accomplishments.
Ulterior motives
Global scale is another notable aspect of the hacktivism evolution, Leslie emphasized. Over the last 20 years, targets have been mostly U.S.-centric. Now, targets are expanding as evidenced by the war in Ukraine, which has seen support campaigns for both sides. "Internationalism of hacktivism is something we've never observed before," Leslie said.
To navigate the evolving hacktivist threat that fuels disinformation, Leslie said it's important for enterprises "to understand that volume of attacks claimed by a group does not equate to impact." He emphasized that successful, disruptive attacks require time, resources, personnel and skills that most hacktivist groups are not capable of achieving.
For example, the Iranian nation-state threat group tracked as Cyberav3ngers claimed to be a pro-Palestine hacktivist group, but Leslie said its activity demonstrated otherwise. Last year, CISA published an advisory that Cyberav3ngers was targeting U.S. water and wastewater system facilities. Leslie said this was one example where Iranian intelligence services leveraged hacktivist groups for the sake of plausible deniability.
"You never see hacktivist groups targeting critical infrastructure, much less something as critical as water," he said.
Another example involved a threat actor Recorded Future tracks as FreeCivilian, which claimed to be a hacktivist group to deflect accusations of Russian state-sponsored attacks. When Russia initially invaded Ukraine, Recorded Future observed FreeCivilian drop several database breaches related to Ukrainian government entities.
Leslie said Ukraine-based organizations and western cybersecurity providers have since attributed the activity to a threat actor CrowdStrike tracks as Ember Bear, which is associated with Russia's GRU military intelligence agency.
"The GRU was effectively masquerading as a cybercriminal hacktivist group on RaidForums to provide the Kremlin with plausible deniability," he said.
Another example of a hacktivist persona is the Russian advanced persistent threat group Sandworm, or what Mandiant upgraded to APT44 earlier this month. Leslie said like other groups, its purpose is to spread plausible deniability for the GRU.
One hacktivist group that Recorded Future considers to be of high credibility is called Network Battalion 65. While the pro-Ukraine group has conducted fewer than five attacks in two years, Network Battalion was highly effective. Threat actors deployed ransomware and leveraged leaked Conti ransomware code.
If you ever identify an unusual tempo or volume by a hacktivist group with no prior activity, this often signals disinformation or ulterior motives.
Alexander LeslieAssociate threat intelligence analyst, Recorded Future
Unlike many other hacktivist groups such as KillNet, which Leslie described as an "ego-driven" group focused on gaining attention, Recorded Future considers Network Battalion claims to be creditable. Leslie provided Network Battalion's attack against the All Russia State Television and Broadcasting Company in 2022 as an example of one disruptive attack.
"If you ever identify an unusual tempo or volume by a hacktivist group with no prior activity, this often signals disinformation or ulterior motives," he said. "Hacktivist groups hardly know when to stop. Contained campaigns with defined start and end times are a red flag."
Leslie's presentation emphasized that an overwhelming number of claims made by hacktivists are fake. False claims allow threat actors to weaponize misinformation and capitalize on the fallout.
He urged enterprises to be "patient and discerning" regarding cybersecurity threats in the context of hacktivism. Due to false claims and other factors, attribution is often difficult. Leslie stressed that misattribution could lead to misguided responses, and enterprises may spend time and resources addressing threats that don't even affect them.
Unlike other threats such as ransomware, the most active hacktivist groups don't equate to the most dangerous. Leslie said KillNet is the most active group on social media and has claimed responsibility for hundreds of attacks from 2022 through 2024. However, the attacks resulted in minor impact to organizations.
"It's irresponsible for an organization to set intelligence requirements based solely on cyber threat activity," he said.
Instead, Leslie said it's important to sift through the misinformation to identify legitimate threats to the organization. He urged enterprises to avoid making hasty decisions and to always verify hacktivist claims. If claims involve anything related to critical infrastructure, organizations should consider that a red flag.
Leslie also warned the threat may grow as the Russian-Ukraine war and Israel-Palestine conflict continue to unfold.
"Unverified hacktivist chatter is not good for organizations making decisions about security postures because hacktivist chatter is by default mostly disinformation," he said. "Recorded Future assesses that misinformation will continue to pose a threat to analysts, journalists and observers."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
