Weaponized Hacktivism: How Countries Use Activists for Cyber Warfare
The intersection of hacking and activism, commonly known as hacktivism, has transformed into a formidable force in the digital era. Trellix’s latest report explores how these groups are increasingly intertwined with the geopolitical ambitions of nation-states. As cyberattacks become tools of warfare and influence, the report sheds light on the players, tactics, and implications of state-linked hacktivism.
“From exposing government corruption to advocating for social justice, hacktivists have employed their skills to challenge authority, disrupt and promote change,” notes Trellix. However, in recent years, their activities have taken on a more ominous tone. The report highlights how the Ukraine conflict and tensions in the Middle East have catalyzed hacktivist activities, with nation-states like Russia and Iran allegedly providing covert support to these groups.
Russia’s involvement stands out, with hacktivist groups like the Cyber Army of Russia Reborn (CARR) and NoName057(16) playing key roles. According to the report, “The activities performed by such groups can be categorized in four categories, denial of service attacks, defacement attacks, propaganda dissemination and information leakage.” Notably, the alignment between CARR and Sandworm Team (APT44), a group linked to Russia’s Main Intelligence Directorate (GRU), points to deeper state connections.
In Iran, the lines between hacktivism and state-sponsored cyberwarfare are even blurrier. Groups like Emennet Pasargad operate under the aegis of the Islamic Revolutionary Guard Corps (IRGC), conducting cyberattacks masked as hacktivist activities. Their operations often involve “hack and leak” campaigns targeting U.S., Israeli, and European entities. Trellix observes that these campaigns are designed to disrupt elections and spread confusion during conflicts, such as the ongoing war in Palestine.
One of the most concerning trends identified in the report is the collaboration between hacktivist groups. Russian-affiliated groups like CARR, NoName057(16), and the recently formed Z-Pentest have entered into alliances to amplify their operations. As Trellix details, “The group formed an alliance with CARR and NoName057(16) to support their operations only a few days after they started to operate.”
Such alliances not only increase the scale of attacks but also blur the lines between hacktivism and advanced persistent threats (APTs). This collaboration enables groups to transition from defacements and DDoS attacks to more destructive tactics like ransomware deployment and wiper malware.
The alignment of hacktivist activities with geopolitical events underscores their strategic value. As Trellix concludes, “Hacktivist groups with a Nation-state linked, either state-sponsored, state-influenced or allowed present a complex and evolving threat landscape.” The report warns that the frequency and sophistication of these attacks are likely to increase as cyber conflict becomes an integral part of geopolitical strategies.