Horizon Scanning: Hacktivism

Published By:
Published ON:
November 3, 2017

Our historical understanding of protest as a means of political upheaval tends to be rooted in the idea of direct conflict between two clearly defined agendas or ideologies – between grassroots activism and state apparatus, for instance. We imagine crowds marching and holding placards, voicing their dissent in unison.However, as we become increasingly interconnected and conduct more of our lives online, technology is changing our conceptions of protest and direct action altogether.Traditionally, participation in dissent usually required some level of organising with other like-minded individuals, and some kind of direct, physical activism – often occupation, disruption or destruction of spaces and property.Technology is changing this model - the opportunities for digital disruption have exploded. Emboldened by the anonymity of the internet, modern hacktivists are overcoming the technological barriers to entry and risking increasingly punitive deterrents to take the fight online, and there are some emerging trends worthy of closer inspection.

The Lone Wolf

Traditional protests depend on the occupation of physical space to be successful. The impact of strike action, for instance, is often directly proportional to the number of bodies in attendance.Hacktivist operations also depend on coordinated effort between group members, but participation is often remote and geographically dispersed. This convenience is a double-edged sword: whilst it may attract a wider audience, it’s also a solitary activity; the IRC channels used by Anonymous to garner support for their global operations are a fundamentally less cohesive environment than a picket line. Without unifying experiences, individual biases can play a much larger role, and with so many injustices in the world to choose from, it is likely that causes championed in group forums will not satisfy some group members.As more hacktivists become technically capable, one of the major developments that we are likely to see is an increase in ‘lone wolf’ action. Perhaps the most famous example is Phineas Phisher. His anti-surveillance ideology led him to hack two major surveillance tool vendors, and in another attack, he allegedly stole £8000 in Bitcoins and donated the funds to a Kurdish group.A notable aspect of a skilled Lone Wolf hacktivist is their ability to have a disproportional impact in drawing attention to a particular issue or organisation. For now, there appears to be few cases of individually-minded hacktivists with that level of capability.

Physical Disruption

We don’t typically think of critical national infrastructure as being vulnerable to hacktivism, but politically-motivated threat actors are increasingly demonstrating their ability to have a physical impact on the world. Nation states have used malware to sabotage equipment in a nuclear facility as well to cause disruption to electricity distribution. Organised crime groups (OCGs) have forced many hospitals to cancel operations and to temporarily close wards. An OCG has even knocked heating systems offline (albeit unintentionally). How long before we see cyber protests having a physical impact? Protesters from previous generations, such as animal rights demonstrators and eco-activists, have already shown such intent.Website defacement is one of the most popular forms of hacktivism today, as it allows groups to clearly transmit their message to a larger audience, gaining traction in news coverage and among potential recruits. More recently however, hacktivist groups are targeting physical media in the public eye.For instance, in July 2016, the flight display screens at Vietnam’s two largest airports were defaced with derogatory messages questioning the legitimacy of Vietnam and the Philippines’ claims to areas of the South China Sea. Operators of airports in Hanoi and Ho Chi Minh City briefly had to halt electronic check-ins as a series of systems were attacked. The hack was claimed by a Chinese group called 1937CN. Attacks like this can have real-world impacts, and are likely to become more common as groups become more emboldened.


It often appears that the dark web is a safe haven for all kinds of nefarious activity. Not only is there is an abundance of easily accessible carding sites and drug markets, it’s also the common locus point of choice for terrorists and paedophiles to operate in closed forums, shielded by various encryption and evasion tools.For law enforcement agencies, the dark web represents an insurmountable challenge, emblematic of the sheer magnitude of illicit internet activity they have neither the resources nor the skill retention to combat.Consequently, vigilante groups are taking matters into their own hands. Groups such as Dark Justice and The Hunted One have sprung up to snare sex crime suspects, with one case leading to a violent exchange. Established groups such as GhostSec and Anonymous have been exposing and taking down social media accounts and websites associated with terrorist propaganda and child pornography. This trend in vigilantism is likely to grow as cyber becomes ‘mainstream’. However, the potential cost is the disruption of months or even years of police work. Some, on the other hand, argue that it could be beneficial for police to collaborate with such groups.

State-Sponsored Hacktivism

Outsourcing to civilian Advanced Persistent Threat (APT) groups has long been a tactic used by governments to create plausible deniability within cyberspace, with Russia often considered the chief perpetrator. Nation states and their affiliated APT groups are typically associated with cyberespionage activity, but we’re also seeing cases of collaboration between hacktivist groups and state-led information operations.Several hacktivist groups have been suspected of being sponsored by, or at the very least, supported by their governments. Syrian hackers for instance initially formed the Syrian Electronic Army (SEA) to support the government of President Bashar al-Assad. SEA typically targeted political opposition groups, western news sites and government websites in Europe and the Middle East. Despite appearing to be a hacktivist group, the SEA for a short time were hosted on the computer network of the Syrian government. Iranian hacktivists Izz ad-Din al-Qassam Cyber Fighters have also been suspected of having links to their government.Hacktivist forging closer links with their governments could become a more common occurrence, particularly in regions with a longstanding rivalry or conflict. Indian and Pakistani hacktivists, for example, are currently engaged in an ongoing cyber war which has led to the defacement of hundreds of government websites on both sides. Although there is no evidence of collusion with their governments, it is easy to see how countries with a similar relationship might engage in hacktivist proxy wars.When compared with other threat actors such as intelligence agencies and OCGs, hacktivists are often seen as a lesser threat. Their limited capabilities and budgets means we have yet to see their full potential. However, as hacking knowledge spreads, and more automated tools are developed, whilst anti-capitalist, anti-establishment and other social and ideological sentiment continues to rise, this will change. Lone wolf activity, vigilantism, physical disruption and increased nation state collaboration could be the result.

Find out more about our cyber intelligence services