hacktivism – SurfWatch Labs, Inc.

Weekly Cyber Risk Roundup: Charlottesville Sparks Hacktivism and Controversy

The politics surrounding the “Unite the Right” rally and its counter-protests in Charlottesville spilled over into the cyber world this week as hacktivists took action against websites and a debate emerged around the ethics of hosting white nationalist websites as well as doxing individuals who attended the rally.

Under the hashtag #OpDomesticTerrorism, hacktivists have urged DDoS attacks against white nationalist websites and posted leaks of some of those websites’ alleged members. In addition, the hacking group known as “New World Hackers” said it carried out a DDoS attack against the Charlottesville city website to “deliver our own version of justice to the KKK and government.”

Other individuals began to search through the many images of the “Unite the Right” rally in order to publicly identify those who attended the event. The man behind the Twitter account “Yes, You’re Racist” called on users to help identify the “nazis marching in #Charlottesville” so he could “make them famous.” However, not all the doxing attempts were accurate. For example, an assistant professor at the University of Arkansas was wrongly identified and said he eventually had to call the police due to numerous threats being made against him and his wife as well as their home addresses being posted online. The man behind the Twitter account said he’s received death threats over the doxing as well.

Technology companies were also brought into the debate. GoDaddy, Google, Cloudflare, Zoho, Sendgrid, and Discord all cut services to the Neo-Nazi website The Daily Stormer, USA Today reported. However, those actions led to a rebuke from the Electronic Frontier Foundation for private companies “decid[ing] who gets to speak and who doesn’t.”

Other trending cybercrime events from the week include:

HBO troubles continue: The hacking group OurMine temporarily hijacked several HBO social media accounts. In addition, the group of hackers that breached HBO in late July has continued to leak stolen episodes and other documents. Authorities also said that four current and former employees at Prime Focus Technologies, which handles Star India’s data, have been arrested on suspicion of leaking a Star India copy of the August 7 episode of Game of Thrones. Finally, a third-party vendor accidentally posted the August 20 episode of Game of Thrones on the HBO Nordic and HBO España platforms, and that episode was quickly pirated.

DDoS attacks make headlines: DDoS attacks against Blizzard disrupted services for several popular games, including Overwatch and World of Warcraft. The website of Ukraine’s national postal service Ukrposhta was the target of a two-day long DDoS attack that caused slowdowns and interruptions for the website and its services.

More ransomware infections: LG Electronics said that the self-service kiosks at some of its service centers were infected with ransomware, causing some access problems. The ransomware appears to have been identical to the WannaCry ransomware that made headlines in May, officials from the Korea Internet & Security Agency said. Pacific Alliance Medical Center said that a June 14 ransomware infection may have compromised the protected health information of patients.

Data inadvertently exposed: Voting machine supplier Election Systems & Software exposed the personal information of more than 1.8 million Illinois residents due to an insecure Amazon Web Services device. ES&S said the exposed server did not include “any ballot information or vote totals and were not in any way connected to Chicago’s voting or tabulation systems.” The Texas Association of School Boards notified some school district employees that a server containing their names and Social Security numbers “inadvertently became visible on the Internet.”

Other notable incidents: Surgical Dermatology Group in Alabama is notifying patients that their personal and healthcare information may have been compromised due to a breach at its cloud hosting and server management provider, TekLinks, Inc. City of Hope said that it is notifying patients that their medical information may have been compromised following an email phishing incident that led to four employee email accounts being compromised. OSHA has suspended access to its new Injury Tracking Application (ITA) after it was notified by the Department of Homeland Security of a potential breach of user information. The Scottish Parliament said it was the target of a brute force cyber-attack and members of parliament and staff with parliamentary email addresses were warned to make sure their passwords were as secure as possible. A former Columbia Sportswear information technology manager was charged with one count of computer fraud for allegedly accessing the company’s computer systems for more than two years after leaving the company.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

Cyber Risk Trends From the Past Week

One of the week’s most notable advisories involved the software vendor NetSarang and a backdoor dubbed “ShadowPad” that was shipped out with a July version of the company’s products.

“Regretfully, the Build release of our full line of products on July 18, 2017 was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator,” NetSarang said in a statement. “The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously.”

The issue was first discovered by a financial institution partner of Kaspersky Lab — which described the backdoor as “one of the largest known supply-chain attacks” — after discovering suspicious DNS requests originating on a system involved in the processing of financial transactions. Those requests were later discovered to be the result of a malicious module hidden inside a recent version of NetSarang software.

“If the attackers considered the system to be ‘interesting,’ the command server would reply and activate a fully-fledged backdoor platform that would silently deploy itself inside the attacked computer,” Kaspersky wrote. “After that, on command from the attackers, the backdoor platform would be able to download and execute further malicious code.”

That malicious module has been activated at least once in Hong Kong, but it is possible that other organizations have been infected, the researchers said. NetSarang said that the affected builds are Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218, and Xlpd 5.0 Build 1220. Organizations using those builds should cease using the software until an update can be applied.

Hacktivists Use Automated Tools, Growing Reach to Target Government Organizations

Despite recent media attention surrounding nation-state hackers infiltrating government organizations and attempting to influence elections, the bulk of government-related cybercrime tends to be driven by less sophisticated and more ideologically-motivated campaigns carried out by hacktivist actors, according to a new report from SurfWatch Labs.

govriskchart — Government sector risk scores compared to the average for all sectors over the past year.

Government is the third most active sector when it comes to cybercrime, behind only information technology and consumer goods, and more than a third of the government CyberFacts collected by SurfWatch Labs this year have been related to hacktivist activity — far more than any other sector.

“The global reach of the Internet and social media along with the relative anonymity of cyber-attacks has provided hacktivists with a larger platform than ever to share their message, recruit new actors, and ultimately impact organizations,” noted the report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

It continued: “As a result, the most common cybercrime story in the government sector has involved websites and data being targeted by hacktivist groups resulting in service downtime, website defacement, and various types of information being stolen and publicly leaked.”

government-atep-4 — SurfWatch Labs’ data shows that hacktivists have been the top trending actor category across many different government subgroups so far this year – in some cases appearing in more than two-thirds of CyberFacts.

Hacktivist-driven data breaches are not a new problem for the government sector. In 2013, the FBI warned that anonymous hacktivists using Adobe exploits were able to infiltrate agencies such as the U.S. Army, the Department of Energy, and the Department of Health and Human Services in order to steal sensitive information.

“It is a widespread problem that should be addressed,” the 2013 alert stated.

Three years later, hacktivists remain as a top source of government-sector data breaches.

2016-09-27-govbreachactors — Hacktivists are the top trending known actor group associated with government data breaches so far in 2016.

Government agencies across the world have been targeted by hacktivists using well-known attack vectors such as SQL injections, social engineering and stolen credentials.

For example:

Shortly after Anonymous Philippines defaced the COMLEC website in protest of “questions and controversies” surrounding the country’s electoral process, LulzSec Pilipinas posted the entire COMLEC database online. The incident has been described as the largest government-related data breach in history – affecting more than 55 million people.
A hacker supporting Palestine published the names and personal information of FBI and Department of Homeland Security employees. The hacker said he first compromised the email account of a Department of Justice employee. Then he socially engineered access to the portal by pretending to be a new employee. Finally, he was able to find databases of employee information on the DOJ intranet.
The Anonymous #OpAfrica campaign led to several breaches including a one terabyte dump of information from Kenya’s Ministry of Foreign Affairs and International Trade. Kenya’s Ministry of Information and Communications Technology cabinet secretary Joseph Mucheru said the information was stolen due to a phishing attack that duped employees into clicking a link to change their credentials, which provided the hacktivist access to email accounts.
A hacker known as Hanom1960 breached several government agencies – including the Costa Rica Ministry of Culture and Foreign Affairs, the Columbia Ministry of Information Technologies and Communications, and Columbia’s Ministry of National Education – and subsequently leaked information on various government employees. “I see many mistakes in [their IT] systems,” the hacker told news outlets. “It is something that does not concern governments.”

Hacktivists are often characterized as graffiti artists or vandals that simply deface websites and cause other nuisance-level problems for organizations.

Those types of attacks are common, with SurfWatch Labs’ data showing that website downtime and website defaced are the most popular effects of hacktivism; however, the threats from hacktivists go beyond those simple attacks.

According to the report:

“Government officials noted in 2015 that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services put traditional cybercrime tools such as malware, botnets and DDoS attacks at the fingertips of a vastly larger pool of actors. … This trend, along with the large number of federal, state and local government agencies across the world, the global reach of hacktivist actors, and a never-ending series of political causes means that hacktivists have the ability, reach and will to cause harm to government organizations on a level never before seen.”

Hacktivists don’t have the resources of state-sponsored actors, but they are much more open about their attacks — often using public channels to coordinate attacks, gain media attention and recruit other actors to the campaign.

“This chatter can lead to valuable threat intelligence around what types of organizations are being targeted, how those attacks are impacting organizations and, ultimately, what can be done to better protect your organization,” the report concludes. “Monitoring hacktivist chatter and utilizing external cyber threat intelligence, along with your own internal data, can help to paint a full picture of the cyber risks facing your organization, determine what assets are at greatest risk, and inform where cyber defense efforts should be focused in the future.”

For more information, download the full report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

Anonymous Ops Trending, Where are the Other Hacktivists?

Not long ago, several hacktivist groups like the Syrian Electronic Army and Lizard Squad were making headlines on a weekly basis with new hacktivism campaigns and random attacks. While Anonymous has always been the primary source of hacktivism throughout the world, it is interesting to see how these other prominent hacktivist groups’ activity has essentially fallen off the map. Where have all the hacktivists gone?

Taking a look at SurfWatch Labs’ data, Anonymous has been (and will remain) the top trending hacktivist group in 2016, with other factions of Anonymous such as New World Hacking and Ghost Squad Hackers providing additional support to the many Anonymous campaigns currently in existence.

2016-05-23_hacktivistactors — *Anonymous is by far the top trending hacktivist group in 2016. Several other Anonymous-affiliated groups also made the list.*

The members of the Anonymous collective have been busy in 2016. New campaigns are underway, but several operations that were created in previous years have seen the most activity to date.

2016-05-23_hacktivistops — *Throughout each month so far in 2016 an Anonymous campaign has made headlines.*

Government Sector Targeted, Financials Sector Trending

The government sector has been targeted the most by hacktivism in 2016 by a large margin. The data breach of the Philippines Commission on Elections is by far the top trending hacktivism target.

2016-05-23_hacktivism — *The Government sector has been targeted the most by hacktivism in 2016. The Philippines Commission on Elections is the top trending industry target.*

Two Anonymous-affiliated groups were behind the data breach of the Commission on Elections: Anonymous Philippines and Lulzsec Pilipinas. The breach affected 55 million Filipino voters and is considered one of the biggest government data breaches on record.

The Financials sector has also seen a lot of activity over the last month. This is largely due to #OpIcarus, a campaign created by members of Anonymous that is specifically targeting banks.

As the chart illustrates above, several banks are trending, with new banks targeted by #OpIcarus making headlines seemingly on a weekly basis. Between May 13 and 19, a total of 18 banks suffered DDoS attacks at the hands of Anonymous.

Where are the Other Hacktivist Groups?

Anonymous continues to make headlines while other prominent hacktivist groups remain stagnant. Groups like Lizard Squad, the Armada Collective, and the Syrian Electronic Army (SEA) appear to have almost completely ceased all operations. The CyberFacts collected by SurfWatch Labs backs this up, with 2015 being the last time any significant conversation took place among the three groups.

2016-05-23_hacktivistgroups — *The chart above shows negative CyberFacts for SEA, Lizard Squad, and the Armada Collective over the past 18 months.*

Syrian Electronic Army
Once one of the most recognized hacktivist groups, the SEA has seemingly disappeared since the summer of 2015. Most current news surrounding the SEA involves legal and law enforcement content as members of the group are being hunted down for past hacking activities. The SEA has been involved with many cyber-attacks, including the the hijacking of the Associated Press Twitter account and the takeover of Forbes. The group was founded in 2011, with most of their activity occurring during 2013 and 2014.

Lizard Squad
Perhaps one of the most notorious groups linked with DDoS attacks, Lizard Squad made a name for themselves after launching multiple DDoS attacks against the Sony Playstation Network and Xbox Live. The group has engaged in a war with Sony Online Entertainment president John Smedley, leading to bizarre events such as calling in a fake bomb threat to an airline which Smedley was a passenger of and effectively grounding the flight. Lizard Squad has recently made headlines without any effort, as a group of unknown hackers were posing as the hacktivist group in an effort to extort money from U.K. businesses through the threat of a DDoS attack. As for actual current activity from Lizard Squad, Blizzard reported a DDoS attack from the group back in April 2016.

Armada Collective
The Armada collective is the newest hacktivist group out of the three, and it is well-known for its DDoS extortion attacks against online retailers, a method of attack that was first made popular by another hacker group, DD4BC. The group was very active towards the end of 2015, attempting to extort several companies. Much like ransom demands, experts have overwhelmingly warned companies not to give into these attacks. The group went silent in late 2015, although other groups continue to use the group’s name for fake DDoS threats, which unfortunately lead to the group earning over $100,000 for their efforts.

While many people find the threats of hacktivism to be just a nuisance, the damage created from a single attack can have lasting consequences. DDoS attacks — the primary hacktivist weapon of choice — can impact a company through financial losses and damaged brand reputation due to the amount of time the company’s servers are down. In other attacks, sensitive data can be obtained and leaked on the Internet for other criminals to exploit. Hacktivism hasn’t been as prominent in 2016 compared to years past, but the threat posed from these groups remains the same, and companies need to remain diligent in protecting from these threats.