In 2010, a new cybersecurity threat emerged: hacktivism, a combination of hacking and activism. It gained attention through campaigns like Operation Payback and Operation Avenge Assange, targeting the recording industry and financial services that halted donations to Wikileaks.
Today, elections are a common target for hacktivists. In democratically elected societies, some amount of conflict around elections, lawmaking and policy enforcement is part of the system. Open debate is how we negotiate as a collective whole and how we establish societal norms. However, the low barrier to entry for hacktivism means that many very contentious topics can spill over into online attacks. And when seen from the viewpoint of an authoritarian government, this conflict in our system is a weakness that can be exploited to divide us even further. One method of doing that is to use hacktivist attacks to support and antagonize both sides of an issue.
The year 2024 marks an election period in the United States and other countries, presenting another opportunity for political hacktivism to emerge. In July, the FBI and the U.S. CISA issued a joint alert highlighting an increase in hacktivist DDoS attacks associated with the upcoming elections.
This reflects the overall rise in hacktivism observed over the past two years, primarily driven by increased activity from Russian hackers and their allies. Each week since October of 2022, Killnet and the ecosystem of associated hacktivist groups have systematically targeted different organizations and countries based on geopolitical themes: support for Ukraine, economic sanctions against Russia, critical infrastructure, or other unrelated targets as opportunities for intimidation and public exposure. Elections are an opportunity for the publicity that hacktivists seek but also to alter the election outcome or related public policy. And the statistics show it: in Vercara’s 2024 Biannual DDoS Report, data showed a staggering 186% increase in DDoS attacks compared to 2023, highlighting the escalating trend in disruptive cyber activities. A notable trend in the attack statistics is the frequent targeting of shared infrastructure providers, such as cloud services or hosting centers, when one of their clients is attacked.
Throughout this late spring and early summer, Russian hacktivists have focused on enhancing their skills and capabilities, and they claimed to be using the Olympics, a highly public event, as an opportunity to teach new operators how to conduct attack campaigns.
The result of this investment is that they now have a trained cadre of attack operators in time for this year's election season. And they are not afraid to use them. In June, NoName057(16), part of the Russian hacktivist ecosystem, reported conducting attacks targeting the Dutch and broader EU elections.
The definitions of hacktivism have often been unclear. As an incident responder for numerous hacktivist operations, I have observed the uncertainty in determining how many hacktivists are genuinely using their own skills and equipment, how many are foreign intelligence agents using government-owned resources, or how many fall somewhere in between. In 2011, the conventional wisdom in the incident response community was that anyone could claim the hacktivist label, even if they were state-sponsored hackers. Some attacks, like the 2012 DDoS attacks against U.S. financial services during Operation Ababil, exhibited a higher level of professionalism, evident in the uniformity of the attack traffic and the large botnet that was used to target its objectives.
This still applies today: we see hacktivist groups form, be incredibly active for six months, and then cease activity, only to be replaced by a different group made up of the same people under a different name. This confusion around purposes and who exactly is launching attacks leads to a lot of misinformation that has spilled over into social media and other kinds of user-generated content. The raid in July by the Department of Justice, FBI, and partners on a social media botnet backed by generative AI shows that the U.S. government considers this activity worthwhile to investigate and prosecute.
I have been doing this for a long time, including incident response for many high-profile attacks, and the only real constant is that attacks will continue: we are always in a period of increased risk of attack, and hacktivism is no exception.
So, what can you do about this increase in hacktivism and the threat level?
Focus on business resilience
Most hacktivist campaigns span a wide spectrum of attack types and impacts. While preventative and detective controls need to be implemented in any security program, hacktivists are incentivized to find weaknesses in them. For this reason, corrective controls are worth their weight in gold when it comes to dealing with hacktivist attacks.
Win the PR fight
Frequently, the goal of hacktivist attacks is publicity for their cause or intimidation of the target. When you are targeted, you must respond publicly, so involving your PR team in incident response activities proves valuable. Run exercises around non-InfoSec scenarios such as a hostile misinformation campaign or political events.
Build and maintain DDoS mitigation capabilities
For most companies, DDoS is a high-impact, low-frequency event, so you never have enough preparation or budget. Running exercises such as tabletops, on-ramps to mitigation service providers, and full attack tests can identify unprotected infrastructure or applications and validate your ability to on-ramp to mitigation when an attack begins.
Counter social media bots
Most social media bots use Application Programming Interfaces (APIs), and because the API layer lacks context it has a hard time distinguishing a real human on a mobile device from an AI-generated bot. Good bot management solutions help significantly for any user-contributed content, and every company should also have the capability to refute misinformation on social media or news sites.
Build scalable anti-phishing controls
User training for the individuals inside the company who receive incoming public inquiries, for instance via the email addresses listed on your website as contact information, can mitigate a lot of attacks. Protective DNS is a category of solutions that can detect and block phishing domains based on analysis of the data in the DNS query.
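As an added illustration of the kind of analysis a protective DNS layer performs (this is example code, not Vercara's or any vendor's product), the block below triages constructed DNS query log lines: it blocks names on a threat feed and flags lookalikes of the organisation's own domain, the sort of domain a phishing campaign against published contact addresses would register. The domains, the blocklist, the log format and the crude two-label "registrable domain" rule are all assumptions made for the example.

```python
# Added example, not Vercara's code: a minimal protective-DNS style triage over
# constructed DNS query log lines. Known phishing domains are blocked outright;
# lookalikes of the organisation's own domain are blocked by heuristic.
PROTECTED_DOMAINS = {"example.com"}              # constructed: our registrable domains
BLOCKLIST = {"secure-login-update.example.net"}  # constructed: known phishing domains

def registrable(name):
    """Last two labels; crude stand-in for a public-suffix lookup (assumption)."""
    return ".".join(name.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname):
    """Return (verdict, reason) for one queried name."""
    name = qname.rstrip(".").lower()
    reg = registrable(name)
    if reg in PROTECTED_DOMAINS:
        return "allow", "own domain"
    if name in BLOCKLIST or reg in BLOCKLIST:
        return "block", "on blocklist"
    for own in PROTECTED_DOMAINS:
        # close spelling of our second-level label under any TLD (examp1e.com)
        if edit_distance(reg.split(".")[0], own.split(".")[0]) <= 1:
            return "block", "lookalike of " + own
        # our whole domain used as a subdomain elsewhere (example.com.login-portal.net)
        if own in name:
            return "block", "embeds " + own
    return "allow", "no match"

def triage(log_lines):
    """Parse constructed 'timestamp client qname qtype' lines into (client, qname, verdict, reason)."""
    rows = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:  # skip malformed lines rather than crash the pipeline
            continue
        verdict, reason = classify(parts[2])
        rows.append((parts[1], parts[2], verdict, reason))
    return rows

SAMPLE_LOG = [  # constructed query log, one query per line
    "2024-07-17T10:01:02Z 10.0.0.5 www.example.com. A",
    "2024-07-17T10:01:03Z 10.0.0.5 secure-login-update.example.net. A",
    "2024-07-17T10:01:04Z 10.0.0.9 examp1e.com. A",
    "2024-07-17T10:01:05Z 10.0.0.9 example.com.login-portal.net. A",
    "2024-07-17T10:01:06Z 10.0.0.7 news.bbc.co.uk. A",
]
```

In a real deployment the block verdicts would be enforced by the resolver (for example via a response policy zone) and the blocklist and lookalike list would come from threat intelligence feeds rather than hard-coded sets.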
The bottom line
Hacktivism and related attacks present a tangible threat to the integrity of democratic elections and very often spill over to other unrelated organizations. By understanding the risks and implementing strategic measures, targeted organizations can protect their business and processes against potential disruptions. By remaining vigilant and proactive, we can defend democracy in the 2024 election and beyond, ensuring that the voice of the people remains protected and respected.