Hacktivism
We tackle the thorny issue of hacktivism: hackers that are driven by ideological - rather than financial - motivations.
This month’s episode of The Dark Dive tackles hackers that are driven by ideological – rather than financial – motivations.
Threat intelligence experts Luke Donovan and Vlad join the podcast to discuss how hacktivism has evolved from the “digital utopia” era, to the anti-establishment antics of Anonymous, to the state-aligned activities we observe today. Along the way, we cover the defining tenets of modern day hacktivist groups, including their targets, tactics, and use of Telegram to promote their attacks and causes.
Speakers

Aidan Murphy
Host

Luke Donovan
Head of Threat Intelligence

Vlad
Threat Intelligence Analyst at Searchlight Cyber
This episode of The Dark Dive covers:
The targets of modern day hacktivism
Challenging the perception that hacktivists only target government entities, with plenty of examples of private sector attacks.
The evolution of hacktivist tactics
From the early days of protest and defacement, to Distributed Denial of Service (DDoS), to recent cases of ransomware deployment.
Recommendations for security teams
How to prepare for hacktivist threats by monitoring the publicity around their attacks and identifying the most likely groups to target them.
Transcript
(TC: 00:00:05)
Aidan Murphy: Hello, and welcome to the Dark Dive, the podcast that delves into the depths of the dark web and cybersecurity. My name is Aidan Murphy, and I’m your host. And on this month’s episode, we’re going to dive into a topic that I’ve wanted to cover on the podcast for a long time, hacktivists. They are actors that aren’t motivated primarily by financial gain, but instead choose their targets based on geopolitical factors, social issues, religion, race, or other values. We’re going to look at the world of hacktivism, how these actors operate, the tactics they use, and how they promote their attacks. Joining me to discuss this fascinating topic are two threat intelligence experts. Luke Donovan, Head of Threat Intelligence at Searchlight Cyber. Welcome back to the podcast, Luke.
(TC: 00:00:48)
Luke Donovan: Thanks for having me, Aidan.
(TC: 00:00:51)
Aidan Murphy: And Vlad, Threat Intelligence Analyst at Searchlight. Welcome back, Vlad.
(TC: 00:00:55)
Vlad: Thanks for having me again. Thank you.
(TC: 00:00:58)
Aidan Murphy: Both of you have been on the podcast more than once, but for any new listeners, I’m going to ask you to quickly reintroduce yourselves. I’ll start with you, Vlad.
(TC: 00:01:06)
Vlad: Yes, of course. So, my name is Vlad and I’m a Threat Intelligence Analyst. And I spend a lot of my time researching threat actors and monitoring cybercrime forums, hacktivists, cybercrime on Telegram, ransomware groups, and basically any type of bad guy on the internet.
(TC: 00:01:25)
Aidan Murphy: Brilliant. Thanks, Vlad. And, Luke, a little bit of introduction on yourself as well.
(TC: 00:01:30)
Luke Donovan: So, as Aidan’s already explained, I’m the Head of Threat Intelligence here at Searchlight Cyber. I began my career in intelligence back in 2005. So, about twenty years ago now, where I was a military intelligence operator within the British Army. During this stage, it was around that, sort of, era of the global war on terror. So, it saw me operate across many lines of conflict. Afghanistan, Libya, the Middle East. I then left the army. I worked for an organization similar to Searchlight Cyber, and that was when I first started getting involved in hacktivism or the understanding of hacktivism. I used to provide analyst services to end customers. Whether it was the government or enterprise, and one of their use cases was around hacktivism, identifying those individuals and organizations which may want to target them. Either at that moment in time or in the future. So, it was a case of trying to identify those individuals. Since then, I find myself here, as explained. Yes, Searchlight Cyber as Head of Threat Intelligence, where my remit is around the data collection side of things as a platform. Ensuring we’ve got the right collection coming in and also around the product development side of things. Making sure we’ve got the features which will enable end users to get the best out of our platform.
(TC: 00:02:41)
Aidan Murphy: Brilliant. Thanks, Luke. So, I’m going to jump right into it. I think if you asked the average person on the street about hacktivists, they’d probably still think of Anonymous. Maybe the most famous hacktivist collective, right? But my understanding from working with both of you is that hacktivism has changed over the years. Would you agree with that, Luke?
(TC: 00:02:58)
Luke Donovan: Yes, absolutely, Aidan. I would definitely agree with that. I think when you look at the history of hacktivism, okay, it started off in, sort of, the mid-1990s. And over time, the threat landscape and the way they have operated has evolved, has changed. I think you mentioned Anonymous there. When Anonymous started off, they were anti-establishment, anti-government. They were far from being state-aligned and supporting those governments and entities associated with where they were established. As they’ve moved on or during that period of time, it was very much about freedom of speech for them, about their information privacy. But now, since 2020 onward with the, sort of, wars in Ukraine, wars in the Middle East, we’re seeing a shift. We’re seeing more geopolitical operations, i.e., hacktivists. So, again, going back to Anonymous as a topic because they are well-known within the field. And, not only within cybersecurity and threat intelligence, but the general public are aware of them. Them, or they, as an organization or as a group, are now more state-aligned. You know, they have got operations at this moment in time running against Russia, running against those who are anti-Ukraine. Whereas way back when they first started off, you wouldn’t have seen that happen. So, you are seeing this shift from anti-establishment groups to being more state-aligned, moving forward. And that goes across the board, not only with Anonymous, but other organizations and threat groups as well.
(TC: 00:04:29)
Aidan Murphy: Yes, I think it’s a really fascinating shift. In preparation for this, I read an article by, I’m going to name check them, Diana Selck-Paulsson from Orange Cyberdefense. And she broke up hacktivism into, kind of, three eras. So, a digital utopia era, driven by ideals of building a better internet. Followed by an anti-establishment era. And I guess that’s what you’re talking about with Anonymous, Luke, where it’s very much against entrenched powers. And then followed by the era that we’re in, which, like you say, it’s more geopolitically and state-aligned. Vlad, how do you feel about that, kind of, breakdown?
(TC: 00:05:09)
Vlad: Yes. So, first of all, I would like to discuss the origin of the term. So, the term hacktivism. It was first used by a member of a group known as the Cult of the Dead Cow. This group was known for their notable operations against China and Iraq in the late 90s. And their campaign against Google in the context of complying with Chinese censorship laws in the early 2000s. 2006, to be more exact. But, again, going back to what Luke already mentioned, the Anonymous group. Years passed, and hacktivist groups, kind of, evolved. The first notable attack of Anonymous was, I mean, one of the first. There were plenty of attacks out there, but one of the first was against the Church of Scientology in 2008. And besides carrying out, like, distributed denial of service attacks, they also prank called support lines and sent fax messages to waste as much ink as possible. And this shows that, back then, they were trying to be bothersome. They were trying to interrupt the activities of their targets, but they weren’t actually causing that much damage as they’re doing right now with the data extraction and so on. So, it was more of a joke, and it wasn’t a serious matter. But, nowadays, they’ve, kind of, switched from this little, well, kids’ activities to more serious stuff.
(TC: 00:06:39)
Aidan Murphy: Yes, again, it’s an interesting transition, isn’t it? So, what you’re describing there, it’s almost, kind of, like protest stunts. Maybe that’s slightly underselling it because I’m sure there were problems caused by Anonymous. But, like you say, the scale of what we’re going to talk about, how hacktivist groups have come to be is really quite different. I guess, like, I think you were correct, Vlad, to take a step back. To, kind of, go back to fundamentals of where the term came from. One way we could look at this is maybe the fundamental tenets of hacktivism. So, I guess, the place I wanted to start was with motivations because, for me, the main differentiation between hacktivists and other types of cyber criminals begins, really, with the changing motivations. Like I said in my introduction, mostly, when we’re talking about cyber criminals, we’re talking about those who are motivated by financial means. So, ransom agreements maybe being the most obvious example. They’re very clearly doing it for, kind of, financial benefit, but hacktivist groups have different motivations. Luke, I guess, would you, kind of, agree with that statement? And is that the way to define them?
(TC: 00:07:49)
Luke Donovan: Yes, on the broad terms of things, I would agree. Hacktivism, it’s in the name as well, with the ‘activist’ part of hacktivism. Generally, the individuals within those-, or partaking in hacktivist attacks, are ideologically motivated. So, they want to see a change. Again, going back to Anonymous, you know, it was freedom of speech. They wanted to see that change. So, they are typically ideologically motivated, but that doesn’t mean every single one of these are ideologically motivated. There are some hacktivists or individuals which enable hacktivism, which are financially motivated. They want to provide services where hacktivists can utilize their services. Whether this is denial of service as a service. So, organizations or individuals can go to them. They’ve got their own agenda, their own ideological way of operating, or targets. They might not have that capability to conduct what they want to do. So, they’ll go off and utilize these, sort of, third parties who are there specifically to enable them to conduct their operations. But, generally speaking, they’re ideologically motivated.
(TC: 00:09:00)
Aidan Murphy: So, I guess this comes to the, maybe, more complex cyber criminal landscape. So, like you say, there are hacktivists that maybe are primarily motivated by ideology. But, in that mix, they may be utilizing infrastructure or working with people who are financially motivated and are almost, kind of, using hacktivism as a new market.
(TC: 00:09:22)
Luke Donovan: Yes, absolutely.
(TC: 00:09:24)
Vlad: When you’re talking about the motivations, you also have to look at the victimology and the preferred victimology of each group. And when you see that a specific group is targeting these countries and these religions and these political regimes to show their alleged superiority. It, kind of, implies that they’re ideologically motivated. If they start a group on an ideological motivation type of path, they usually keep that path, and they don’t necessarily move over to being financially motivated over time. But, again, we’re going to discuss this later in one of the examples that I have prepared.
(TC: 00:10:02)
Aidan Murphy: Brilliant. No, but you have brought us nicely onto the next topic I had, which, again, so, the defining tenets of hacktivism. Again, in terms of their victimology and their targets. So, what you’re saying there, Vlad, is they’re choosing their targets. Again, so, if they were financially motivated, they’d be choosing companies that have the highest revenues. Or maybe being a little bit more opportunistic and looking at the companies that have, you know, the most vulnerabilities. But hacktivists are working in a slightly different way, and they’re choosing their targets on other criteria. Is that right, Vlad? Is that fair to say?
(TC: 00:10:37)
Vlad: Well, their criteria are usually loosely defined. A lot of hacktivist groups, they’re a bit more opportunistic than that. For example, there’s a pro-Russian group out there. They will attack anything they can get their hands on. Supporting Ukraine, for example, in the war. They don’t necessarily target a specific country or a specific entity. They just-, if they can find a vulnerable website belonging to a country that supports Ukraine, then they will attack it. Most of the time, they don’t target specific governments or institutions, for example. They don’t really go for the high-impact entities because, more often than not, they do not have the capabilities, and they’re not that sophisticated to be able to attack sensitive targets.
(TC: 00:11:25)
Aidan Murphy: Yes. So, I guess, what you’re saying is they’ve got these broad ideologies and any target who is opposed to their ideology is, effectively, fair game depending on who they can hit. So, like you say, if they’re pro-Russian, that, actually, opens up quite a lot of targets because any country, I guess, who supports Ukraine and any entity within that country that supports Ukraine is, effectively, up for grabs. And I think it is quite an important point in this to say that. I sometimes think people get confused and think that when we talk about hacktivism, hacktivists would only be targeting government entities. But that’s not necessarily the case, is it, Luke? I think that’s a slight misconception.
(TC: 00:12:05)
Luke Donovan: Absolutely, Aidan. I completely agree with that. So far in this conversation, we have discussed around, sort of, the geopolitical hacktivists out there supporting a government, supporting a regime, and targeting other regimes or countries. But there are still the enterprise or the company-based hacktivists which are out there, who will target specific organizations. Specific targets, because that organization, because that target, has done something which they disagree with. You know, I remember back in the day, I worked with a travel industry looking at-, so, one of the organizations I worked with, they provided travel excursions exploiting-, or the way the hacktivists saw it, exploiting animals. Exploiting nature in order for this organization to make money. You know, so this hacktivist group targeted them. They gained access to their systems. They wanted to disrupt their operations and make the world understand what they were doing, how they were exploiting nature, how they were exploiting wildlife. So, that’s where hacktivists go down to really specific targets. They’re not looking at a specific or a general area. It’s more specifically targeted.
(TC: 00:13:30)
Aidan Murphy: I think it’s a really important point because, I guess, it’s important that organizations understand that just because they’re not a government entity, that doesn’t mean they’re going to be targeted. And, like you say, Luke, that’s a very specific example. And then maybe you could say if you’re an organization operating in a particular space, you have to maybe-, so, for example, if you’re-, just take, as a random example, an oil and gas company. You may have to be aware of hacktivist groups that are motivated by, kind of, green, environmental causes. But, even, I think, more broadly, there is a case of a lot of organizations, I guess, could fall into the crosshairs of hacktivists that are motivated by geopolitical means. Sorry, Vlad, did you want to come in on what Luke was saying?
(TC: 00:14:12)
Vlad: Another example of a trigger event that I found interesting. It was related to a series of attacks. These attacks were carried out by a pro-Russian group known as NoName057(16), and they were carried out against Spanish entities. And why did that happen? The trigger event was the arrest of several individuals that acted in the interest of this hacktivist group. The arrest was carried out by the Spanish Guardia Civil. And, of course, the hacktivist group started targeting websites of Spanish entities such as banks, transport companies, local authorities of multiple cities, tribunals, sports, and more. This shows that hacktivists would rather cast a wide net and target, as I mentioned earlier, anything remotely going against their ideology rather than focus on a specific target, which, in this case, the real adversary for them was the Guardia Civil. They were just very upset that some of their group members were arrested by this group. So, they don’t really care about the government institution itself. If they’re upset about something, they will just attack anything within that area.
(TC: 00:15:21)
Aidan Murphy: Yes, I think that brilliantly illustrates the point because, yes, like you say, so this is a great example of they’ve turned against Spain. And if you’re a bank in Spain, you may not consider yourself really the target of hacktivists. You may not even be aware that the Guardia Civil has made these arrests. But, in spite of that, the hacktivists do see you as their target because they don’t make the distinction, like you say, Vlad. You’re part of the Spanish infrastructure. They’ve turned against Spain as a whole, and then you are the target. One thing I did just want to touch on because I think we’ve talked around it a little bit, but, again, another thing I’ve written down as, kind of, one of the defining tenets of hacktivism is the tactics that hacktivists use. And you mentioned, Vlad, earlier, how these have evolved over time as hacktivism has changed. But, I guess, if we’re talking about modern hacktivism now, I think there are some tactics that we tend to see more commonly than others. So, Luke, you mentioned the use of denial of service. Vlad, maybe you could just give a little bit of an overview of the type of tactics we observe hacktivists using typically.
(TC: 00:16:28)
Vlad: Of course. So, the basic tactics usually involve any, kind of, attacks against branding. So, website defacement and spreading of misinformation. And then the next level is usually data leaks, which sometimes come bundled within an extortion attempt. So, in order to obtain the data, they also need access to the victim’s network, and that needs to be obtained based on the sophistication of that group. That involves using leaked or weak access credentials, social engineering, or maybe exploitation of technical vulnerabilities. But only in the case when the group is actually capable of doing that. You mentioned distributed denial of service attacks and, for that, some groups are renting out their infrastructure or their tools. But, on other occasions, we saw groups that even develop their own tools, and they were selling that or renting it as a service. An example of such a tool is called DDoSia. It’s a tool developed by a pro-Russian group. But now, more recently, things evolved even further, and it appeared that some hacktivist groups also started looking into ways of, like, obtaining actual financial benefits from their attacks. Groups like CyberVolk or AzzaSec started using actual ransomware.
And AzzaSec even operated a name and shame blog like other notorious ransomware groups, such as LockBit, for example. AzzaSec also claimed that they had a decentralized private military contractor, ransomware-as-a-service syndicate, and a botnet operator. So, they used a lot of fancy words to describe themselves. It doesn’t necessarily mean it’s true. But if they’re saying that, we have to, like, keep that in the back of our minds because we rarely know all their background. But, again, a lot of fancy words, and their blog is currently offline. So, yes, that says a lot about them.
(TC: 00:18:26)
Aidan Murphy: It’s interesting, though, because, like you say, I guess, this is the one you were alluding to earlier in the podcast. A little bit of a blurring of the lines between hacktivism and, I guess, broader financially motivated cybercrime in that case. Like you say, there have been a couple of examples of hacktivists using ransomware tools. But, I guess, just to go back to the more typical cases for a second and I’ll call on you, Luke. So, when we’re talking about the use of DDoS, website defacement, and data exfiltration. I guess, for me, the thing that unites these tactics and, again, just trying to find, kind of, commonalities between hacktivist groups, is that they’re designed to be quite public. Again, it’s not about extracting money. It’s about causing disruption and maybe even discrediting the target. Is that the right way to look at it?
(TC: 00:19:20)
Luke Donovan: Definitely. You know, the purpose of hacktivism is to influence the perception of the wider general public. So, get their name out there, get what they’re fighting for out there. So, they need the ability to target organizations, to target governments, etc., but make it public so that people understand what they’re fighting for. Why are they doing this attack? Why are they taking this course of action? So, you will see these hacktivist groups, not all of them, but a fair few of them, will be more public, be more vocal. They will be out there, which makes it really interesting to go off and start identifying them, tracking them, ‘Who are their targets?’ You can proactively identify, ‘Who could they target in the future?’ So, NoName, for example, who Vlad’s already mentioned. They specialize in DDoS attacks, and they have a channel on Telegram where they will list who they are going to attack and which ones they have attacked. And provide evidence as to who they’ve attacked. You’ve got defacement campaigns, again, as Vlad’s mentioned. There are whole websites dedicated to listing out the defacements which have been carried out and who’s carried them out. So, again, you can get a feel for, ‘What’s that actor or that hacktivist trying to achieve?’ By looking at their victims and, ‘Why are they doing it?’
You know, going back to the NoName example, the DDoS attacks. As Vlad rightly pointed out, they have been targeting Spain, but they’re also targeting the UK. You know, the UK transport sector, the financial sector, the manufacturing sector. But they make it really clear who and why they’re doing this. Anonymous as well. You know, Anonymous have loads of different campaigns and you can track their campaigns. They’ll usually use a hashtag and then ‘op’ followed by what campaign they’re running. So, you can see ‘#OpRussia,’ for example. What activities have they conducted or are planning to conduct against Russia? That has been an ongoing, sort of, TTP or modus operandi by that group, making it very clear, ‘Who are they targeting?’ I’ve done a piece of work, a couple of years ago now, for a UK government element who were targeted. The organization was hit. There was unauthorized access to some of their servers. They reached out and said, ‘Right, who’s targeted us? Who’s gained access to our systems?’ They didn’t have a clue, but by looking through historic information. By looking through messages posted about their infrastructure, posted about them as an organization. You can track down who was targeting them because they made it really, really clear. And the reasons why they were targeting them, ‘What were they targeting? And how were they going to target them?’ So, yes, they are very much more out there. You can view them. You can see them, their activities.
(TC: 00:22:11)
Aidan Murphy: More vocal?
(TC: 00:22:12)
Luke Donovan: Yes, absolutely.
(TC: 00:22:14)
Aidan Murphy: Yes, and this comes to something that, again, I find very interesting about hacktivist groups. I’m going to let you talk us through this, Vlad, but where do we typically observe hacktivism these days?
(TC: 00:22:25)
Vlad: So, I would say that hacktivists generally use instant messaging platforms like Telegram to promote themselves, to boast about their achievements, and also recruit new affiliates. Most notable hacktivist groups operate at least one Telegram channel, because a lot of them have backup ones in case the main ones are getting taken down by Telegram or by law enforcement. Others are also active on platforms like X, formerly known as Twitter. And we saw some early signs at some point of migration to Signal, especially after the change of Telegram’s privacy policy, which supposedly would enhance the platform’s exchange of information, including user IPs, with law enforcement. And we have to understand why they use Telegram so much. Well, it’s free. It’s easy to create channels and group chats and to manage them. It’s used heavily as a marketing tool. It allows hacktivists to gain easy exposure thanks to the really large user base. It’s used for recruiting, as I mentioned, and there’s a low chance of getting their channels taken down due to a rather permissive moderation approach. What they share on Telegram, it really depends on each group. Before the attack, we don’t really see much.
Sometimes, there are announcements being made, mentioning upcoming attacks, but usually, the posts are being created during or after the actual attack. Screenshots of websites taken offline during a distributed denial of service attack, samples of data if breaches occur, videos. And any additional details, basically, such as information captured from the compromised resource, and so on.
(TC: 00:24:13)
Aidan Murphy: Did you want to come in on that, Luke?
(TC: 00:24:15)
Luke Donovan: Social media is also one of those other sources worth investigating. Again, it depends on what organization you are and your assets, your infrastructure, who might be targeting you. So, oil and gas, for example, you can look on social media. You can look across Facebook. You can find groups who will be targeting the oil and gas industry. There are dedicated, clear websites out there who are targeting these groups. Now, although we say a lot of this information, you can gather this information, you can understand what their plans are. Some of it is closed off. You know, Vlad’s already, sort of, mentioned the use of Signal, for example. It’s the same on clear websites, social media as well. There are these closed areas where, if you can gain access to them, you can then start working out exact dates, times, who’s involved in these operations. So, it’s not only the dark web. It’s those Telegram channels. It’s your social media. You can see it all over, but it will depend on what you are protecting yourself against or why somebody might target you, in terms of where that information could be posted online.
(TC: 00:25:27)
Aidan Murphy: Yes, and I think the use of Telegram, in particular, I find really fascinating. For anybody who’s interested, we did do a previous episode on Telegram and other messaging channels, including Vlad here, who is the expert. I remember you showing me some of these Telegram groups, Vlad, the hacktivist Telegram groups, and they’ve got thousands of followers. And, like you-, as you were saying, Luke, it is quite startling how much they actually do share, and you realize when you look at them. And, again, there are dozens of these groups, and the thing is they’re not trying to hide it. The whole point of it is to publicize it because they want to discredit their targets. And, effectively, it’s propaganda, right? So, it is different to other types of cybercrime in that sense because, for example, if you’re just a pure data extortion group doing it for financial gain, you know, you don’t want to publicize it because you don’t want to tip off your victims. You don’t want to draw the attention of law enforcement.
You don’t want to draw attention of anybody, really. So, you might be using, again, what we usually talk about on here, the dark web. You might be using, kind of, very closed sources, but hacktivism is different and I think even if we think back to Anonymous. I mean, again, when most people think of Anonymous, I’m sure the first thing they have is that image of the V for Vendetta mask that was, kind of, taken onboard and it’s iconography of the Anonymous group now. Because, again, kind of, building these brands is part of it. Would you agree with that, Luke?
(TC: 00:26:56)
Luke Donovan: Absolutely. You know, you’ve got to brand yourself. What is it you’re fighting for? What is it you are aiming to achieve? How do you want to influence those individuals, build up that persona around you as a group? And then through that, you can engage with the community then, as well. So, the community will start engaging with you, and there are groups out there who are really heavily involved in the community. Whereby, you know, they’ve proved themselves in terms of what they want to achieve, and now people will go to those groups and say, ‘Right, can you hit this target? Can you hit this target?’ Because they’ve got that brand. They know what they’re fighting for. Other people will go with them with similar targets. So, that hacktivist group can then review those targets and go, ‘You know what? Yes, this hits our ideological, sort of, standpoint. Let’s review this. Let’s go off and target them.’ So, building up that persona, building up that presence.
(TC: 00:27:56)
Aidan Murphy: They have an ideology behind them and often a, kind of, philosophy that they’re trying to push as well, and that’s part of it. And, like you say, they’re trying to get the followers. I think maybe at this point it might be good to bring in some examples, if that’s okay. And going back to what we were talking about at the beginning, about how these groups have become increasingly geopolitically aligned. Vlad, are there any examples you can, kind of, give the listeners of the kind of groups we see today and their alignments, I guess?
(TC: 00:28:26)
Vlad: Of course. So, I would like to start off by mentioning that a lot of the current hacktivist activities are related to a small number of major world events, such as, let’s say, the Russia-Ukraine war and the Israel-Palestine war. We saw hacktivists choosing sides, generally in Russia’s interest and attacking entities from countries that supported Ukraine, as we already mentioned. The most notorious example has already been called out, NoName057(16). They launched hundreds of distributed denial of service attacks. But, on the other side of the fence, we have Blackjack, which is a hacking group linked to the Ukrainian intelligence services, and, of course, their main target is Russia. And what’s interesting about them is that they use the wiper malware known as Shamoon and also the notorious ransomware LockBit, among other tools like, let’s say, I don’t know, AnyDesk. This is a very good example of a case where hacktivism and state-aligned operations cross paths. Moving over to the Israel and Palestine conflict, we saw Handala Hack Team, which is a pro-Palestine hacktivist group which gained notoriety in the past year, I would say, attacking more than 70 Israel-based entities.
This group appears to be more sophisticated than the average hacktivist group. They also engage in data exfiltration. They conduct supply chain attacks, and they operate a shaming blog. The group, of course, is also active on Telegram, where they share a lot of anti-Israel information. There are all sorts of other examples. There are examples of hacktivists that don’t necessarily operate on Telegram channels, but they do strongly act in the Russians’ interest. For example, a major event recently, actually, a chain of multiple events, were elections across the world. These groups, their objective was to manipulate the public to vote for a candidate who viewed Russia as a possible partner rather than a threat. So, they were spreading misinformation, mostly on TikTok, on Telegram. Such campaigns were observed in 2024 in the US, in Croatia, in Romania. So, they don’t really care about the country as long as they can manipulate the masses into voting for something that Russia can gain benefit from.
(TC: 00:30:56)
Aidan Murphy: That’s really interesting. That, kind of, yes, the influence campaigns as well. Luke, I’m going to call on you and see if you have any, kind of, examples you wanted to pull out too. But maybe just to ask you a question, first. We talked about the, kind of, geopolitical alignment. What distinguishes hacktivists from purely state-backed groups? So, again, I think many of the listeners will also know of, kind of, these APT groups. So, these, kind of, really sophisticated, maybe working with the explicit or implicit backing of the state or intelligence agencies. Hacktivists are seen as a bit distinct, but are they, or are there blurred lines?
(TC: 00:31:39)
Luke Donovan: Yes. I’d say historically they were distinct. What hacktivists wanted to achieve compared to what your nation-backed groups and nations, generally, wanted to achieve. Now, that goes back to that first point which you raised, Aidan, about the, sort of, evolution of hacktivism. You know, initially, hacktivism-, or the second, third stage of hacktivism, it was anti-government. That goes against what a lot of these government entities are after. As time’s gone on, however, they are becoming more aligned. They can be used as a proxy to serve a nation. So, there are those groups who will work with the nations. I think Vlad mentioned one, for example, which draws both those parallels together. That nation-backed groups, what does the state want to achieve? And these hacktivist groups joining them together.
(TC: 00:32:37)
Vlad: I just wanted to say that as technology evolves and most entities out there they are getting better and better at defending their networks. Hacktivists generally do not have a lot of financial means, and state-backed actors, they do have all that resourcing. They do have all that infrastructure needed to successfully attack certain entities. So, this is where hacktivists start losing their powers, basically. It’s harder and harder for them to target specific entities, and they need some, sort of, support from somewhere, and sometimes that support comes from a nation state.
(TC: 00:33:18)
Aidan Murphy: That’s an interesting way to look at it as well. Okay, so, I guess, there are two different angles there. So, one is these hacktivist groups, like you say, Luke, just being, kind of, used for proxies. And if they’re doing damage to other states, then that’s broadly aligned with the state that they’re within, their goals. Then maybe they’ll just be left to their own devices. But what you’re saying, Vlad, is they’re actually trying to collaborate in order to get more resources to conduct their attacks. You brought up a couple of times now the sophistication of hacktivist groups and I’m going to caveat right at the beginning here that this is a broad spectrum, and it’s very hard to talk about hacktivist groups generally. There will be some that are more sophisticated than others. Some that have much larger resources. Some that could just be, you know, a couple of people. In general, in your observations, would you say that hacktivists are on the lower scale of sophistication compared to the wider cyber criminal ecosystem, Vlad?
(TC: 00:34:22)
Vlad: Usually, yes. I would say yes, but, I mean, most hacktivist groups out there, they’re just a bunch of kids with access to the internet and Telegram, basically. So, they don’t-, they’re not capable of carrying out sophisticated attacks. But in recent years, that scale, kind of, shifted a bit towards more sophisticated groups. But, again, this is still heavily inclined towards lower sophistication at this point in time. But we do see more and more groups starting to use ransomware, as I mentioned, or starting to engage in more sophisticated campaigns. We’ll see what the future holds on this topic, but at this point in time, right now, I would say the scale, kind of, still tips towards lower sophistication groups.
(TC: 00:35:12)
Aidan Murphy: Okay. So, maybe another evolving trend, but, like you say, at the moment, it’s-, if you’re making broad statements, which I know we don’t like to make, you would say, ‘Maybe still towards the less sophisticated side.’ Did you want to come in on that, Luke?
(TC: 00:35:25)
Luke Donovan: Yes. I’d agree with what Vlad’s saying, but you also see sophisticated groups with significant capabilities who will exploit hacktivists, who will exploit the ideological side of things. So, you know, there are ransomware groups out there, very sophisticated, gain access to systems, encrypt data, extract data, put it on their extortion sites. Who will turn around and state, ‘We have targeted this organization. We are posting this information because of ideological reasons.’ Some of that you need to take with a pinch of salt. But these are highly capable individuals who have potentially jumped on that bandwagon of using hacktivism as a ways, means of justifying their actions, but being financially motivated.
(TC: 00:36:14)
Aidan Murphy: Yes, and, I guess, like you said, Vlad, maybe that trend comes from, slightly, these global conflicts, intensifying the geopolitical situation. And then ransomware groups can, you know, jump on that bandwagon and use it to justify their actions as well. One trend that you flagged to me last year, Vlad, was almost like a teaming up of different hacktivist groups using-, I know we’ve talked a little bit about it already, but you saw quite a lot of groups that were aligned, maybe, with the same broad ideological motivations. But I remember you showing me, kind of, team-ups of dozens of hacktivist groups along a certain goal. Could you maybe explain that trend to the listeners a little bit?
(TC: 00:36:56)
Vlad: Some groups do, and they choose to join forces, and at some point in 2024, there was an alliance of over 70 hacktivist groups known as the Holy League. This Holy League was made out of two other smaller associations, the one named High Society and the other 7th October Union. They were generally pro-Russia, anti-Israel, and anti-West in general. On a few occasions, members were also targeting India even though there was one hacking group-, one hacktivist group in that alliance based in India. So, there’s, kind of, a conflict of interest over there. It didn’t really last long, though. I mean, as of 2025, most groups continued their activities by themselves. There are only six or seven groups still part of this alliance. At least based on their Telegram presence, but again, this alliance was actually more of an echo chamber rather than a focus of power and resources. So, they were just re-sharing their achievements, one for the other. They weren’t really focusing their powers to conduct large-scale attacks.
(TC: 00:38:07)
Aidan Murphy: I think it was a very fascinating trend because, like you say, within that mix, you have lots of different ideologies going on, and you can see where there might be common areas in the Venn diagram, but it doesn’t-, it’s not massively shocking to me that it didn’t last. The Holy Alliance didn’t last very long when they all have maybe slightly competing ideologies as well. To that last point you just made about people using it as an echo-chamber, promoting their attacks. Maybe you can come in on this, Luke. How much should we be taking hacktivists’ claims on face value? I see quite a lot when you read about different hacktivist attacks, about they claim to have conducted a DDoS attack, but maybe the website only went down for two minutes or something. How much skepticism should people have when they see hacktivist claims on things like Telegram or elsewhere?
(TC: 00:38:59)
Luke Donovan: This is where it comes down to the reliability and credibility of the different groups. You have to take each group separately and work out, ‘What have they done in the past? What evidence is there to support their claims, their actions?’ Because some, they will try and pull the wool over people’s eyes, saying, ‘Look what we’ve done,’ when, actually, they haven’t done anything. Whereas others, you know, are hitting a lot of targets and they’re providing the evidence of it. So, it would completely depend on what group you are dealing with at the time.
(TC: 00:39:26)
Aidan Murphy: Because, I guess, there is a motivation for them to not necessarily be truthful. I’m not the first person to have said this, sort of, reading around about this topic. A lot of people say it, but even if they give the impression that they’ve managed to, for example, compromise quite a big entity. The reputational damage they can do to that country, you know, making people believe that their state isn’t as secure as they thought it was. That can be enough. So, whether they’ve actually conducted the attack at all or if they conducted the attack, but not to the extent they claim, there is a motivation for them not to necessarily be truthful.
(TC: 00:39:59)
Luke Donovan: There is, and, again, it comes down to, ‘What is their aim?’ Their aim is to, sort of, incite instability within organizations, within countries. It’s to influence that perception again. So, if they can jump on something which has happened and state they were behind this. You know, and get that knowledge out there, it’s helping them achieve their aims.
(TC: 00:40:22)
Aidan Murphy: Yes, and, I guess, maybe just to wrap up, then. So, Luke, you’ve talked about this a little bit, but maybe I’ll ask each of you. What would you recommend to security professionals listening to this? How should they go about, I guess, preparing for the hacktivist threat, and what can they do to protect themselves? Maybe, Vlad, I’ll call on you first.
(TC: 00:40:43)
Vlad: Yes. So, I mean, any, kind of, general cybersecurity defenses can be taken against these groups. They are, after all, employing similar TTPs as any other hacking group out there. So, first of all, continuously monitor hacktivists and their targets, and their choice of targets in terms of regions, industry. Especially if you are active in the critical infrastructure or military, or defense. You have to really make sure that you’re monitoring these groups. There are multiple commercial services and products that help mitigate DDoS attacks, for example, and protect your infrastructure. You really have to monitor your attack surface and infrastructure continuously for any signs of attempted intrusions. But this can also help with defending against financially motivated groups, not only hacktivism. So, most general advice out there is also applicable in the hacktivist region.
(TC: 00:41:43)
Aidan Murphy: I guess, but it’s also just being aware that you might be targeted by a politically or ideologically motivated group as well as a financially motivated group. Right, Vlad? It’s that understanding that someone might just be out to deface your website or take your services down and not necessarily be looking to steal your data. And, obviously, those are both threats that you should be prepared for. From your perspective, Luke, what can people be doing against hacktivist activity?
(TC: 00:42:13)
Luke Donovan: Yes. So, I’d agree with Vlad. You know, there are vendors out there which you can utilize. As we’ve already discussed, these hacktivist groups, they can be noisy. They want to get their names out there. They’re going to inform you, ‘Who are they potentially going to target?’ So, you could go off. You could look across open source data and try and find mentions of your name, of your organization, of your assets, and then monitor for that to give you that early warning that you are potentially going to be attacked. However, I’d take a further step back, you know, because that’s where we look at the tactical level. You know, ‘What can you do as an organization?’ But quite often we forget about the more operational strategic level. There are different frameworks out there which you can utilize in order to make sure you are prepared. Making sure you’ve got more of a holistic view of your organization. One of these frameworks it’s a thing called the intelligence preparation of the operational environment. So, there are four stages to this. And I’ll bring it up now because I do think it’s relevant not only to hacktivists or hacktivism, but also wider, sort of, cyber threats towards organizations.
So, there are four steps. The first step is, sort of, defining your operational environment. So, how are you operating? What are your areas of interest? What are the characteristics of your business? If you understand the characteristics of your business, you can start to understand who might target you, and why might they target you? The second one is to look at those characteristics and understand the environmental impact or the effects on your operational environment. So, how do changes within your operational environment create challenges to you and also provide opportunities for adversaries? Okay, so are you moving into a new geographical location? If so, what impact does that have on you? What challenges does it have, and how can that impact your adversaries? Third phase is to evaluate the threat. So, because you’re seeing these changes or you’re trying to identify these changes, how will that impact your threat actors? You know, who might target you now because you’re changing the way you’re operating? What are their capabilities? What are their TTPs? When you get a feel for that, again, you’re going to be forearmed. And the last bit is, sort of, determining adversary course of action.
So, there are going to be threat actors out there. There’s going to be loads of threat actors out there, but what are they going to be doing against you? So, then, you can start, sort of, profiling these groups, working out, ‘Okay, I am concerned about hacktivists. What hacktivists might target me? So, I can go off and do my research. How do those hacktivists operate? Is it that they only operate on DDoS attacks? Is it that they try and gain unauthorized access to extract my data and post it online? So, what threats am I looking at?’ And then, through all of those steps, you can then put together, sort of, your security parameters. You can protect your organization in a more holistic approach.
(TC: 00:45:20)
Aidan Murphy: I think that’s a really helpful way of looking at it, and I think something you said to me before, Luke, is that I don’t know if maybe good news is the wrong way to put it. But, kind of, the good news about hacktivists is, like you say, if you’ve gone through that process and you’ve identified that that’s something within that model you need to be concerned about. The good news on hacktivists is that there is a lot of information out there to profile them because, as we’ve been talking about, they are public by nature, a lot of them. So, it’s a slightly different prospect than, again, data extortion or something like that. In that you can go out there onto Telegram or onto social media, and if you are gathering the right sources, you can start to, kind of, build a profile of the tactics used by the groups who might likely target you.
Great, well, that seems like a good note to draw a line under this episode of The Dark Dive. A big thank you to Luke and Vlad for joining me. The Dark Dive will be back with a brand new topic next month. Make sure you don’t miss it by following us for free on Apple Podcasts, Spotify, YouTube, or whatever app you use to listen to your podcasts. And, remember, if you have a question for us, a guest, or a topic you’d like us to cover, you can get in touch with us through the contact details in the show notes. Until next time, stay safe.
Further reading
– Hacking in the Name Of, article on the history of hacktivism authored by Diana Selck-Paulsson in The Hacker News (discussed at 04:30).
– Encrypted Communication Apps: From Telegram to EncroChat, our podcast episode on Telegram and other messaging apps (discussed at 25:27).
– The Rise of the Hacktivist Supergroup, previously published threat intelligence from Vlad on hacktivist group team-ups (discussed at 36:45).