Check Point Research outlines a new model of hacktivism now trending worldwide. Five characteristics mark today’s form of hacktivism, according to researchers: political ideology, leadership hierarchy, formal recruiting, advanced tools and public relations. CPR gives the hacktivist group Killnet as an example of the latest model, detailing its attacks by country and attack timeline. CPR warns that hacktivism that originates in conflict-related geographies has the potential to scale worldwide.
- Before, hacktivism was mostly a matter of a few individuals carrying out small-scale DDoS and defacement attacks
- Now, hacktivism is better organized, structured and sophisticated
- CPR believes the new model of hacktivism began in conflict areas in the Middle East and Eastern Europe and proliferated to other areas during 2022
Check Point Research (CPR) outlines a new model of hacktivism now trending worldwide. The hacktivism of the new model is better organized, structured and sophisticated, compared to the past. Hacktivist groups no longer consist of a few random individuals who carry out small DDoS or defacement attacks on low-tier websites. These are coordinated organizations with distinct characteristics previously unseen.
- Consistent political ideology (manifestos and/or sets of rules)
- Hierarchy of leadership (Smaller groups relay attack orders to “commanders”)
- Formal recruitment process (Based on minimum requirements)
- Tools that the groups provide to their members (Advanced tools for notoriety)
- Robust public relations functions (Presences on major websites)
CPR suspects the shift in the hacktivism model began roughly two years ago, with several hacktivist groups like Hackers of Savior, Black Shadow and Moses Staff that focused exclusively on attacking Israel.
CPR believes the Russian-Ukrainian war has proliferated the new model of hacktivism significantly. For example, The IT Army of Ukraine was publicly mobilized by the Ukrainian government to attack Russia. The new hacktivism also saw groups that supported the Russian geopolitical narrative, with groups like Killnet, Xaknet, From Russia with Love (FRwL), NoName057(16), and more.
Case Study: KILLNET, from East to West
In April of this year, the group completely shifted its focus to support Russian geopolitical interests all over the world. The group claimed to have executed more than 550 attacks between late February and September. Only 45 of them were against Ukraine, less than 10% of the total number of attacks.
Figure 1. Distribution of Killnet attacks by country
Killnet Timeline – high profile events
- March: the group executed a DDoS attack on Bradley International Airport in Connecticut (US)
- April: websites belonging to the Romanian Government, such as the Ministry of Defense, Border Police, National Railway Transport Company and a commercial bank, were rendered unreachable for several hours.
- May: massive DDoS attacks were executed against two major EU countries, Germany and Italy
- June: Two very significant waves of attacks were executed against Lithuania and Norway in response to severe geopolitical developments between those countries and Russia
- July: Killnet focused their efforts on Poland and caused several government websites to be unavailable.
- August: Cyber-attacks were deployed on Latvia, Estonia and USA institutions
- September: the group targeted Asia for the first time and focused its efforts on Japan, due to Japan’s support for Ukraine