Analysis of the Top10 Hacktivist Operations

Key Points

  • The most relevant hacktivist operations in the last 12 months were: #OpIceIsis, #OpChile, #OpChildSafety, #OpKillingBay and #OpBeast. 
  • The operation #OpGeorgeFloyd, born after George Floyd was killed by police in Minneapolis in May 2020, amassed 8535 tweets in just three weeks. 
  • Hacktivist attacks generally comprise DDoS attacks, publishing confidential information, website defacements, website redirects, and doxxing. 
  • Topics covered by the most relevant operations are combatting terrorism, socio-political change demands, children’s safety, and defense of animal rights.

Hacktivist operations allow hacktivists to join efforts to defend a cause aligned with their values, or to promote a political agenda or social change. In this blog post, we will review the top 10 hacktivist operations during the last 12 months (from May 2019 until May 2020) according to metrics extracted from Twitter. Blueliv has measured the popularity of the different #ops (shorthand for “operation”, commonly used by hacktivists) on Twitter, and focused on the hashtags that are related to hacktivist operations.

Twitter is a social network widely used by hacktivists because it allows them to easily share their political and social ideas as well as their operations’ achievements to a worldwide audience with the use of hashtags. Hacktivists often want to spread their ideas and expand the activism movement. However, Twitter frequently bans hacktivist accounts for breaking its Terms of Service (ToS), which complicates the efforts of researchers to track operations and hacktivist teams. In March 2019, Twitter published a policy banning the distribution of hacked material.

The top 10 hacktivist operations of the last 12 months were the following: 


During the last year, hacktivist groups continued to rely on the same tactics, techniques, and procedures (TTPs) that they have been using since 2012, which typically consist of using open-source tools to execute DDoS attacks, conducting web defacement attacks, and finding vulnerable databases to steal information from. Quite often, these attacks are not successful, as cybersecurity has become far more mature since the heyday of hacktivism in 2012, especially in big companies and government networks. Additionally, hacktivist groups have lost a lot of media traction since mid-2016.


Hacktivism search trends

Figure 1. Google Trends chart showing the number of searches for “hacktivism” and “hacktivist” since 2004. The interest in these terms has dropped since June 2016.


Several hypotheses can explain why hacktivist activity has been falling since 2016. There has been a progressive decentralization; hacktivist groups are now often a disorganized collection of individuals without a shared ideology, concrete goals, or an established methodology. Furthermore, episodes of hacktivists disclosing the identities of their comrades to law enforcement and the discovery of undercover agents have generated an atmosphere of mistrust where coordinated and planned attacks may feel too risky. 

Since George Floyd was killed by police in Minneapolis on May 25, 2020, hacktivists have quickly reacted in support of the Black Lives Matter movement. We analyzed the hacktivist operation #OpGeorgeFloyd, and the media has reported on DDoS attacks against Minnesota’s State Portal, the Austin Police Department, and banks in Minnesota. There have also been web defacements, doxxing of police officers witnessed carrying out excessive violence against protesters, and a database leaked from the University of Washington. The operation has amassed 8535 tweets in just three weeks.

Hacktivists now are seeking out ways of mobilizing others to join their ranks. For instance, we have observed that the Anonymous hacktivism collective uses the hashtag #OpNewBlood to encourage people to join Anonymous. The group provides free hacking training and operational security (OPSEC) advice on Twitter and specialized chatrooms. Additionally, supporters with little to no skills can still engage in Twitter Storms, defined as a crowdsourced action designed to craft tweets using specific hashtags and to create a huge wave of attention on a certain topic elevating it to Twitter’s trending hashtags. 

While monitoring hacktivism activity, it is also important to consider that some nation-state-sponsored threat actors may masquerade as hacktivists as a false flag, such as the Syrian Electronic Army or Guccifer 2.0, which has ties to the Russian GRU.


Combatting terrorism 


OpIceISIS is a hacktivist operation active since September 2014 that seeks to diminish the influence of Daesh on social media. Its participants mainly concentrate their efforts on reporting accounts related to Daesh recruitment or propaganda in hopes of getting the accounts banned. Controlling Section is an initiative (@CtrlSec) that simplifies the task of identifying pro-Daesh accounts and shares these accounts to be blocked. Massive reporting of these accounts increases the chances of Twitter moderators deleting these accounts with urgency. According to the statistics shared on their official website, the Controlling Section project contributed to the suspension of 80,944 accounts in 2019, which constitutes 99.91% of the accounts the collective reported to Twitter. Controlling Section is still active in publishing new Daesh accounts to report every day. 

Additionally, we have seen accounts publishing personal information (doxxing) of Daesh members as well as coordinating DDoS attacks or defacements of pro-Daesh websites. In this operation, some hacktivists claimed that Cloudflare was protecting the Daesh hosting pro-Daesh websites. Hacktivists also suspect that intelligence agencies like CIA and Mossad could be running pro-ISIS accounts to gather intel. As an interesting aside, there was also the ISISTrollingDay where hacktivists shared memes as part of the operation, such as mocking photos of Daesh members with ducks or goats in their faces. Furthermore, since OpIceISIS started, law enforcement agencies have used information gathered by hacktivist groups like GhostSec in counterterrorism operations. 

Although OpIceISIS was the most prevalent hacktivist operation last year, the activity levels associated with this operation were significantly below what was observed in 2018. The golden age of the operation can be dated between April 2015 and December 2017, with a huge spike of activity in November 2015. The operation’s greatest day of popularity was November 17, 2015, with 8,917 tweets authored using the associated hashtag.

Mentions of OpIceISIS operations

Figure 2. Evolution of #OpIceISIS Twitter mentions. 

In March 2019, the Syrian Democratic Forces announced that Daesh had lost its final stronghold in Syria, so new spikes of activity in this operation or cyberattacks against Daesh are unlikely.




The OpChile operation, which started in October 2019, is the second most active operation of the last 12 months. Hacktivists also use the hashtag OpChileDespertó to refer to this operation. We have observed multiple DDoS attacks, web defacements, and cross-site scripting (XSS) attacks against Chilean websites, mainly related to governmental institutions. This hacktivist operation aims to support the protests on the Chilean streets that started in October 2019 with a huge student demonstration against the price hike in the subway fare. Very quickly, the demonstrations expanded to include various grievances against the politics of the government. The Chilean government responded by declaring a state of emergency and creating a task force to try to satisfy some of the requests and pacify the country. Nevertheless, the protesters were not satisfied with the proposals from the government, and the demonstrations and hacktivist activity continue to this day.

OpChile operation mentions

Figure 3. Evolution of OpChile and OpChileDespertó Twitter mentions. 

A report from the Chilean CSIRT (Computer Security Incident Response Team) stated that the worst attacks occurred between October 19 and October 25, 2019 with a 30% increase in the attacks. The report detailed defacements against Municipalidad de Macul (Municipality of Macul), Municipalidad de San Nicolás (Municipality of San Nicolás), SENAME (Servicio Nacional de Menores; National Minors’ Service), and the DTPM (Dirección de Transporte Público Metropolitano; Metropolitan Public Transportation Directorate); DDoS attacks against JUNAEB (Junta Nacional de Auxilio Escolar y Becas; National Board of School Aid and Scholarships), Radio BioBío, and Senado de la República (Senate of the Republic); and the exfiltration of a Carabineros de Chile (Carabiniers of Chile) database with (dubbed #pacoleaks by hacktivists).

In December 2019, Anonymous stole and leaked 2 GB of data from the Chilean Army, with documents dated between 2015 and 2019 related to intelligence operations, finance, and international relations.  

Anonymous hacked the Chilean Army

Figure 4. Tweet attributing the Chilean Army hack to the Anonymous group as part of #OpChile operation. 

Furthermore, during Christmas, OpChile featured a special campaign called OpNavidad, where Anonymous hacktivists leaked data stolen from the Policía de Investigaciones de Chile (PDI), Metro de Santiago, and the political party Unión Demócrata Independiente (UDI), among others. It is interesting to highlight that the website of the PDI was defaced to show the president of Chile, Sebastián Piñera, in a list of the most wanted criminals.

PDI defacement during #OpNavidad operation

Figure 5. Web defacement attack publicized by a Chilean newspaper during the #OpNavidad campaign. 

In March 2020, hacktivists published new lists of targets on Pastebin (a web tool used to share plain-text content anonymously) and leaked credentials from several governmental institutions, such as the Ministry of Agriculture and the Ministry of Education. According to an Entel security bulletin, the operation mainly targets governmental institutions, critical infrastructure, healthcare, banking, and multinationals established in the country.


In Defense of Children’s Rights  


OpChildSafety was the third most active operation with more than 44k mentions tracked by Blueliv on social media. This operation aims to take down pro-pedophilia social media accounts and websites. Hacktivists engaged in this operation often publish lists of targets to promote collective actions against them such as requesting the take-down of the account/website through filing abuse forms, performing DDoS attacks, conducting web defacements, or doxxing targets. 


Figure 6. Twitter account hacked a child porn website and posted a Pastebin link to the hacked database.


Other relevant hacktivist operations with the same goals are OpDeathEaters, with the sixth position in the ranking, and OpPedoHunt, which was much less active in 2019-2020 compared to previous years. 

Additionally, we observed hacktivists organizing themselves in Telegram channels and group chats to coordinate their efforts. 

According to our telemetry, these operations gained traction at the end of 2014, but emerged some months before. Over the years, OpDeathEaters was the most mentioned; however, since OpChildSafety was born in November 2017, the three operations share similar numbers.


Figure 7. Evolution of #OpPedoHunt, #OpDeathEaters, and #OpChildSafety Twitter mentions.


In Defense of Animal Rights 


The fourth most active operation was OpKillingBay, an operation against the slaughter of cetaceans in the Faroe Islands and Taiji, a Japanese town. The operation started in November 2013, but it wasn’t very active until a year later. The golden age of this operation was between August 2014 and March 2017. This operation runs in parallel with other hacktivist operations in defense of animal rights: OpSeaWorld (7th in the top 10) is a global hacktivism operation against the abuse of animals in captivity, while OpWhales, an operation against whale hunting in Japan, Iceland, and Norway, places 8th in the rankings.

During the last 12 months, we tracked a lot of activist messages speaking out against animal abuse on social networks, but the cyberattacks almost stopped. In March 2019, however, the Twitter user @JazzyDolphin published a list of 200 leaked email addresses of 15 Norwegian companies connected to the international fishing industry. The account asked other activists to spam these email addresses using the hashtag #opwhales. We also observed discussions between Anonymous hacktivists involved in these operations accusing each other of revealing their identity to law enforcement agencies. This lack of trust may be one of the reasons why these operations are relatively dormant. 


Figure 8. Evolution of #OpKillingBay, #OpSeaWorld, #OpWhales, and #OpBeast Twitter mentions. 

Another operation in this category is OpBeast, the fifth most active operation in the list. OpBeast was born after the success of OpNullDenmark, which ended in April 2015 with the banning of animal bestiality in Denmark. According to a website about OpBeast, both operations were founded by Priscilla Lakerveld, an animal activist. OpBeast is a global operation to request politicians to ban bestiality in countries where it is not illegal. 



As far as hacktivism goes, higher activity levels on social networks do not necessarily translate to a higher number of actual cyberattacks. Some hacktivist operations have a lot of activists supporting them, but a very small core of members actually carrying out cyberattacks. We can also assess that the degree of collaboration is likely decreasing year after year and that the most relevant attacks are carried out by unexpected individuals or groups that emerge without previous activity and disappear very quickly. As a result, it is important to remain vigilant and be aware of new groups and individuals advocating for hacktivist causes. It may be most prudent to prioritize the monitoring of expressions and vocabulary typical of these groups, in order to guide us to the discovery of new attacks, instead of constantly monitoring previously identified groups or accounts that can otherwise be considered to be on the decline.

As noted, the main hacktivist operations are related to the defense of civil rights and fighting against child and animal abuse, terrorism, and hate crimes. Nonetheless, the techniques used to achieve these laudable objectives are not always legal, as hacktivists are often involved in divulging personally identifiable information (PII), stealing non-public information, or attacking websites and servers. Blueliv assesses that the prosecution of hacktivists has likely strongly depleted the number of individuals willing to risk their freedom, as more and more hacktivists and whistleblowers have been imprisoned or forced to live in exile.
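
One way to implement the vocabulary-based monitoring recommended above, as an added example that is not Blueliv's tooling: it looks for untracked #Op hashtags in a batch of posts and reports only those used by several distinct accounts, regardless of whether those accounts were known before. The sample posts, the stoplist, and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Operation names already tracked (taken from this post's key points).
KNOWN_OPS = {"opiceisis", "opchile", "opchildsafety", "opkillingbay", "opbeast"}
# Assumed stoplist of ordinary words that also start with "op".
BENIGN = {"opinion", "open", "opensource", "opera", "optimism"}
# \w is Unicode-aware in Python 3, so accented tags stay whole.
OP_TAG = re.compile(r"#(op\w+)", re.IGNORECASE)

# Constructed sample posts (author, ISO date, text); not real data.
POSTS = [
    ("user_a", "2020-05-30", "Solidarity with the protests #OpGeorgeFloyd"),
    ("user_b", "2020-06-01", "#opgeorgefloyd twitter storm tonight"),
    ("user_c", "2020-06-02", "#OpGeorgeFloyd and #OpChile are trending"),
    ("user_a", "2020-06-02", "My #opinion on this #OpenSource scanner"),
    ("user_d", "2020-06-03", "#OpChileDespertó still active"),
    ("user_f", "2020-06-03", "#OpSpam #OpSpam"),
    ("user_f", "2020-06-04", "#OpSpam again"),
    ("user_f", "2020-06-05", "#OpSpam once more"),
    ("user_e", "2020-04-01", "#OpOldThing archived thread"),
]

def op_tags(text):
    """Return the set of lowercased #Op... hashtags in one post."""
    return {tag.lower() for tag in OP_TAG.findall(text)}

def emerging_ops(posts, since, min_posts=3, min_authors=2):
    """Map each untracked #Op tag seen since `since` to (posts, authors),
    keeping only tags used by several distinct accounts."""
    counts, authors = Counter(), defaultdict(set)
    for author, day, text in posts:
        if date.fromisoformat(day) < since:
            continue  # outside the monitoring window
        for tag in op_tags(text) - KNOWN_OPS - BENIGN:
            counts[tag] += 1
            authors[tag].add(author)
    return {t: (counts[t], len(authors[t])) for t in counts
            if counts[t] >= min_posts and len(authors[t]) >= min_authors}

if __name__ == "__main__":
    print(emerging_ops(POSTS, since=date(2020, 5, 25)))
```

The distinct-author threshold keeps a single account repeating one hashtag from being reported as a new operation.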








This blog post was authored by Lidia López Sanz and supported by the Blueliv Labs team.

The post Analysis of the Top10 Hacktivist Operations appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Blueliv Labs.