Hacktivists: Liars and Morons

-

Welcome to the world of hacktivism, where technology and activism collide. Verifying and researching hacktivist claims can be a challenging and time-consuming endeavour. The sheer volume of claims made by various hacktivist groups and individuals can be overwhelming. With numerous events occurring simultaneously, resources can be strained when attempting to fact-check each claim thoroughly. 

Hacktivist activities can involve digital intrusions such as website defacements or data theft. These intrusions may leave limited residual forensic evidence. However, these digital artifacts are often ephemeral and are rarely shared publicly for cross examination. DDoS attacks can be even harder to verify as a third-party without access to the website or infrastructure's logs. This lack of transparency makes it challenging to confirm the authenticity and scope of many hacktivist actions. 

This difficulty in promptly verifying and debunking claims can lead to misinformation spreading unchecked. By the time the truth is revealed, the initial narrative might have gained traction, causing confusion and distrust, further complicating the landscape of online activism and its perceived impact.

UK NCSC warning

In April 2023, the UK National Cyber Security Center (NCSC) issued an alert over “a new class of Russian cyber adversary” that has emerged. These adversaries are often not under “formal state control” and often focus on DDoS attacks, website defacements, and/or the spread of misinformation in support of the Russian invasion or Russia’s perceived interests. The NCSC also warned that some desire to achieve a more disruptive and destructive impact against western critical national infrastructure (CNI), including the UK. 

Due to the UK NCSC’s warning, alongside advisories from other authorities, monitoring these unpredictable cyber nuisances is still ongoing for many cyber threat intelligence (CTI) teams. However, these adversaries are hard to take seriously due to some of the examples and case studies shared in this blog. 

Omg! Cyber Cat hacked the UK Hydrographic Office!!

Around 11am on 27 July 2023, the UK Hydrographic Office tweeted that they were investigating reported rumours of a cyber incident. Before 4pm that same day, the UK Hydrographic Office tweeted again that there was no indications of a breach or compromise. So what happened?

Earlier that day, one of these pro-Russian hacktivist groups that call themselves “Cyber Cat” shared to their public Telegram channel that they had compromised the UK Hydrographic Office using “social engineering” and had taken control of their server. They also attempted to ransom the UK Hydrographic Office for “2BTC” for the data (approx. £45,000). This message was promptly amplified by an affiliated hacktivist group’s Telegram channel called “Net Worker Alliance”. 

Figure 1: UK Hydrographic Office allegedly “compromised” by Cyber Cat

However, security researcher @UK_Daniel_Card managed to correctly identify that this was not a hack or compromise or anything of the sort. All the Cyber Cat had done was go to the UK Hydrographic Office’s website and login to their public FTP server.

Figure 2: UK Hydrographic Office public FTP server

Oh no! The Net Worker Alliance knocked Charles de Gaulle Airport offline!!

On to the Net Worker Alliance. This group of pro-Russian hacktivists have also made some funny mistakes of their own. On 29 July and 3 August 2023, the Telegram channel of the group claimed to have launched a DDoS attack to knock the website of Charles de Gaulle airport offline. Not once but twice! 

Figure 3: Net Worker Alliance alleges they caused an outage for CDG airport.

The funniest thing is though, that if you go to the website that Net Worker Alliance you’ll quickly realize that this isn’t the CDG airport’s website at all. The website states clearly that it is Not Official and not affiliated with the airport or French government. It is essentially a fan site created for the convenience of tourists and the like. Way to go hackers!

The real CDG airport website is located at https://www.parisaeroport.fr/en/charles-de-gaulle-airport. In March 2023, this site was also DDoSed by Anonymous Sudan, who managed to get the domain right that time.

Figure 4: Anonymous Sudan DDoSes CDG airport website.

No way! Anonymous Sudan stole 30 million Microsoft accounts!!

Despite their impressive abilities to get a URL right, Anonymous Sudan has also made some outlandish claims. While Microsoft did admit that Anonymous Sudan was able to DDoS OneDrive, Outlook, and the Azure Portal offline, they denied that 30 million credentials were stolen.

Figure 5: Anonymous Sudan claiming to have stolen 30 million Microsoft credentials.

This is interesting because while they had finally caught the world’s attention with their frankly unbelievable successful attack on Microsoft’s Cloud services, they still managed to immediately dismantle the credibility they had just earned and continue to look foolish.

WOW! NB65 hacked Kaspersky!!

The Russian invasion of Ukraine has undoubtedly given birth to the largest increase of hacktivist groups emerging in recent years, and perhaps ever. The ‘cyber war’ going on between pro-Russian and pro-Ukrainian hacktivists has been quite entertaining for CTI analysts. Some pro-Ukraine hacktivists pulled off some legendary hacks, like hijacking Russian TV channels to play anti-Putin and anti-War messages or hacking Russian electric vehicle (EV) charging stations to say ‘Putin is a d***head’ on them.

Network Battalion 65 (NB65) is known for attacking Russian companies and performing classical hack-and-leak operations typical for hacktivists. On 9 March 2022, the group hinted that they had compromised Kaspersky’s network and stolen their source code. 

Figure 6: NB65 claiming to have hacked Kaspersky. 

Then on 10 March 2022, the NB65 shared their leak announcement and in it was an Tor URL hosting the “leaked source code” they claimed they stole from Kaspersky.

Figure 7: NB65 data leak announcement for Kaspersky’s code.

Security researchers were quick to point out that the data that was “stolen” by NB65 was simply taken from a publicly accessible directory on Kaspersky’s own website.

Figure 8: NB65 data leak versus Kaspersky’s website.

Once again, another hacktivist exaggerated their claims. This incident particularly caught a lot of attention because it was soon after the February 2022 invasion of Ukraine had just kicked off and various hacktivists were ramping up their attacks on Russian organizations throughout March 2022. These outlandish claims are then shared across social media by researchers who sometimes do little to verify or dispute what these groups allege but amplify and spread their messages anyways.

The State of Hacktivism

From the three case studies laid out above, CTI researchers should continue to remain highly sceptical of any claims put forward by these hacktivist groups. These threat actors are either too technically inept to realize what they’ve “hacked” is nothing of significance (the morons) or they are intentionally exaggerating their claims for clicks and shares to gain influence and notoriety online (the liars).

At the 2022 VirusBulletin conference, Blake Djavaherian shared an excellent paper on The Realities of Hacktivism in the 2020s. It covered (in a lot more depth than this blog) some of the causes of the hacktivist phenomena that we saw in the build-up to the Russia-Ukraine war, as well as the current landscape and its trends. For more information on hacktivist groups in general, I certainly recommend giving it a read if this blog got you interested in the topic. The rabbit hole of hacktivism goes a lot deeper than this!

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more