Throughout 2024, hacktivist activity evolved in many ways. There was heightened collaboration between hacktivist groups and a notable reliance on the use of ransomware to enable destructive operations. In addition, there was an expansion in targeting related to significant geopolitical events, such as elections and the ongoing conflicts in Gaza and Ukraine. These developments illustrate the unique and continued danger posed by hacktivist groups. They also shed light on new tactics, techniques, and procedures that increasingly blur the lines between hacktivists and other threat actor typologies, be it advanced persistent threats or financially motivated cybercrime groups.

Concurrent with these advancements in hacktivist operations, there has also been a clear response in law enforcement efforts targeting hacktivists. The United States recently indicted the alleged operators of Anonymous Sudan and announced sanctions against Cyber Army of Russia Reborn members, whilst Spain arrested three alleged members of the NoName057(16) hacker group. Hacktivism is shifting from both an offensive and defensive perspective, emphasising the constant and changing threat it poses to businesses and governments. Staying abreast of hacktivist activity, both via proprietary threat intelligence feeds and open-source intelligence, is therefore critical in ensuring any organisation’s ongoing security posture. To help fulfil this requirement of continual monitoring, this blog post will present an overview of how hacktivism has continually developed throughout 2024, elaborating upon key trends and their potential implications.

Ransomware, hacktivism and you

One notable development in hacktivist activities has been an increasing number of hacktivists leveraging ransomware for destructive operations and financial gain. In February 2024, Stormous and GhostSec, two members of the ‘Five Families’ hacktivist collective, announced a joint ransomware-as-a-service (RaaS) collaboration, dubbed STMX_Ghostlocker. The groups engaged in coordinated double-extortion ransomware attacks, targeting critical business verticals in multiple countries across the world. These attacks did not diminish their ongoing political objectives, with GhostSec continuing to target Israeli critical infrastructure and technology companies throughout the period. 2024 also saw several other hacktivist entities incorporating ransomware attacks into their arsenal or announcing RaaS operations, such as Head Mare, Twelve, KillSec, DragonForce, NullBulge, AzzaSec, and CyberVolk.

Two motivations appear to be prevalent when considering the use of ransomware by hacktivists, one of which is the need for long-term financial stability. If hacktivist groups want to maintain and expand their operations, they typically need to adopt a form of revenue generation. In May 2024, GhostSec announced that they intended to return strictly to hacktivist activity after gathering sufficient funds from their ransomware operations. The group claimed that the funds would be used to support other enterprises in their operation, including a new project designed to assist prospective hackers in developing their skills, thus demonstrating the direct relationship between operational expansion and ransomware usage.

Separately, ransomware provides a means through which hacktivists can coordinate increasingly destructive attacks, damaging businesses with data leaks, downtime and the encryption of critical assets. Compared to other disruptive methods favoured by hacktivists, such as distributed denial-of-service (DDoS) attacks, ransomware is capable of causing more tangible and lasting damage, which can also lead to increased notoriety and reputation. The Twelve hacktivist group is an example of a threat actor that leverages ransomware for this purpose, notably conducting attacks without demanding ransoms, instead focusing solely on encrypting data and deleting critical assets, thereby ensuring maximum damage.

Another key reason ransomware has been commonly adopted is its general accessibility. The proliferation of leaked builders and open-source ransomware strains, such as LockBit, Chaos, and Babuk, has increased the ease with which hacktivists can execute their attacks. Specifically, Twelve, Head Mare, CyberVolk, and Ikaruz Red Team have all been observed using publicly available versions of LockBit, among other ransomware strains, in their attacks.

The blurring lines of threat actor typologies

The trend of more hacktivist groups incorporating ransomware into their toolsets has also been complemented by several notable collaborations between ransomware and hacktivist entities.
SentinelOne researchers observed CyberVolk collaborating with and promoting various ransomware groups, including DoubleFace, HexaLocker, and Parano ransomware. Analyst 1 researchers also noted potential collaboration between the RansomHouse and Dark Angels ransomware groups and the hacktivist groups Snatch and Stormous, assessing that the actors could be jointly engaging in hybridised ransomware and hacktivist activities. This collaboration emphasises the interconnected nature of the cybercrime landscape, where different types of threat actors often overlap in their activities, targeting and communities.

The line between hacktivism and other types of malicious cyber activity also becomes increasingly blurred when considering the geopolitical context in which hacktivist activities occur. Many of the actors that engage in both hacktivism and ransomware activities, such as RansomHouse, Snatch, and Stormous, all exhibit traits suggesting a broader political alignment with Russia. The former cybersecurity chief of Ukraine’s security services, Illia Vitiuk, has also claimed that most pro-Russian hacktivist groups are employed as fronts for government agencies. Purported hacktivist activity in support of Iran has similarly been assessed to be a veil for state-sponsored activity, with Check Point researchers stating that the threat actor Void Manticore has executed attacks against Albania and Israel under various hacktivist personas, including ‘Homeland Justice’ and ‘Karma for Israel’. These examples demonstrate the inherent complexity in how we define and group certain types of cyber activity, whilst also showing how state influence operations can potentially masquerade as hacktivism.

This complexity is further emphasised by instances in which state-sponsored activity and hacktivism have operated in concert. Such a phenomenon was observed on April 13th, 2024, when the Handala hacker group claimed an attack on Israel’s radar systems prior to Iran conducting a missile attack against Israel. On the same day, the Islamic Revolutionary Guard Corps claimed responsibility for an attack on Israeli websites that reportedly caused power outages in several cities, with the Cyber Avengers hacktivist group also assessed to have been potentially involved in these attacks.

Hacktivism in the year of elections

Various geopolitical events throughout 2024, both ongoing and new, have prompted hacktivist calls to action, from wars to conferences and acts of diplomacy. Electoral processes and infrastructure in particular faced heavy targeting due to the sheer volume of elections taking place, with over 100 occurring in at least 64 countries. In the run-up to the 2024 US presidential election, the Cybersecurity & Infrastructure Security Agency (CISA) issued a warning that DDoS attacks conducted by hacktivists could hinder public access to election information. Whilst CISA maintained that the overall security and integrity of the US election would not be compromised, such attacks could have still prevented voters from accessing information on where and how to vote, online election services and unofficial election results.

The potential for hacktivist activity to cause tangible damage to voter resources did indeed materialise in various attacks throughout the year. In June 2024, Cloudflare researchers identified DDoS attacks that targeted three Dutch political websites. The attacks, which were claimed by the pro-Russian hacker group HackNeT, coincided with the first day of European Parliament elections. Multiple other pro-Russian groups were observed announcing plans to disrupt European Parliament elections, such as NoName057(16), People’s CyberArmy, Cyberdragon, CoupTeam, Root@kali, Usersec, 22C, and IAMKILLMILK. In a separate incident, both Russian Cyber Army and NoName057(16) were identified using the DDoSia botnet to target Japanese government, political and social organisations during the start of Japan’s 12-day House of Representatives election campaign.

In some cases, disruptive hacktivist activity was conducted after elections had taken place, often to express dissatisfaction at the election’s outcome. This was the case in Venezuela, following the controversial re-election of Nicolas Maduro. Members of the Anonymous collective, alongside other hacktivist groups, rallied under the banner of the ‘#OpVenezuela’ campaign, which resulted in alleged DDoS attacks against 45 government websites, as well as hacks into several of them. Following Donald Trump’s second election victory in the United States, there is a similar concern that hacktivists will increasingly target the US government out of feelings of frustration and anger directed towards the forthcoming Trump administration. In interviews with the Daily Dot, some anonymous hackers assessed that hacktivist activity targeting the Trump administration is likely to intensify in the years to come, stemming from a desire to ‘fight back’ against perceived injustice. Such activity would follow in the footsteps of other left-wing hacktivist actors such as SiegedSec, which was previously known for targeting conservative political entities, including The Heritage Foundation.

Conflicts and collateral targets

Hacktivist activity related to the ongoing conflicts in Ukraine and Gaza showed no signs of ceasing in 2024. Instead, this activity appeared to impact an increasingly diverse target-set, suggesting that hacktivists are taking a more widespread view of what they consider legitimate targets for their cause. This was apparent with pro-Russian hacktivism, with attacks not only continuing to target Ukraine and its NATO allies but also expanding to damage countries that were perceived to harbour ‘anti-Russian’ sentiment or have made specific policy decisions in support of Ukraine. Russian Cyber Army Team and NoName057(16)’s aforementioned campaign targeting Japan was indicative of this, with the attacks occurring specifically due to Russian concerns over Japan’s calls for increased participation in US-led military alliances. Attacks by NoName057(16) targeting Moldova were also observed, reportedly motivated by Moldova’s alleged Russophobia. Pro-Palestinian hacktivism displayed a similarly broad view of targeting, with both Cyprus and Singapore experiencing an intensified number of attacks due to their perceived support of Israel.

Whilst this is not an entirely new trend, it indicates hacktivism’s global and continued impact. The global battleground of hacktivism, as well as the interconnectedness of online cybercrime communities, has also led to instances of pro-Russian and pro-Palestinian hacktivism overlapping. This was observed in a campaign that recently targeted Australia in November 2024, with both pro-Russian and pro-Palestine hacktivists, motivated by Australia’s perceived support of both Israel and Ukraine, responsible for over 60 DDoS attacks targeting 39 websites that belonged to various Australian institutions. This is a prime example of how hacktivist causes often overlap, sometimes fuelled by broad anti-Western sentiments or shared cultural and sociopolitical viewpoints.

Such political similarities between ostensibly differing hacktivist causes have also resulted in the emergence of several new hacktivist alliances and collectives in 2024, raising concerns about the increasing scale, complexity and coordination of hacktivist campaigns. The Holy League hacktivist alliance, which first emerged in July 2024, is illustrative of this, with the group reportedly motivated by general pro-Palestinian and anti-Western beliefs and collaborating to launch attacks against Western nations, India and countries backing Ukraine and Israel.

Conclusion: A 2024 retrospective of hacktivism

Hacktivist activity has both developed and grown more complex in recent years, with activities observed throughout 2024 only demonstrating that hacktivist groups will continue to be a significant security concern. In particular, the growing convergence of state-sponsored activity, hacktivism and financially motivated cybercrime demonstrates how complex the cybercrime ecosystem is and how hacktivism is constantly evolving in relation to it. This overlap between differing types of activity demonstrates the need to have a full picture of both the geopolitical landscape and common threat actor trends when it comes to researching hacktivist activity.
