State-sponsored ‘hacktivist’ activity poised to have a banner year

Though they may have been out of the headlines in recent years, hacktivist groups that operate in alliance with nation-state interests are as active as ever, and the coming year could see attacks reach new heights.

Security vendor Forescout reported that since 2022 it has seen hacktivist groups acting on apparent behalf of government operations and policies, seemingly coordinating their activities within government intelligence agencies.

At the time, however, those activities were largely of the traditional hacktivism nature, things such as site defacements and distributed denial-of-service (DDoS) attacks.

“Two years later, this trend has evolved,” said Forescout. “State-sponsored actors are adopting hacktivist personas to conduct cyberattacks driven by strategic factors, such as enhanced campaign visibility and plausible deniability for the perpetrators.”

In short, hacktivist groups have gone from a convenient front for propaganda operations to a way to create plausible deniability for attacks on critical infrastructure and industrial targets.

In particular, the threat actors are thought to be focusing on attacks against critical utilities operations. Forescout believed that water utilities are the primary target for several hacktivist groups. Other observed operations were focused on markets such as energy providers and manufacturing.

While attacks on these critical infrastructure sources are nothing new, previously they have been directly attributable to groups based within government military and intelligence operations. With hacktivist groups carrying out such attacks, it can be that much harder to point the finger at with absolute certainty.

One big factor in the growing sophistication of hacktivist attacks is the increased availability of attack tools and infrastructure that can support threat actors looking to disrupt critical infrastructure. Once the sole privy of government agencies, it is now possible for privately based threat actors to obtain everything the need to target critical facilities and operations.

Hacktivism or "Faketivism?"

Not surprisingly, many of observed hacktivist threat actors were pretty clearly operating at the behest of Russia. This is largely because in most incidents the stated motivations were the Russian-Ukraine war and the ongoing crisis between Israel and Palestine.

There were also ties to many of the newer hacktivist groups have direct ties to previous campaigns that used the more traditional DDoS and defacement techniques to spread the propaganda interests of the Kremlin.

One newly observed phenomena was something Forescout called “Faketivism.” Rather than simply employ the services of outside hacktivist groups, government cyberwarfare teams are simply fabricating their own groups which pretend to be unaffiliated or even foreign-aligned hacktivist operations.

“Though less commonly discussed than state-sponsored hacktivism, faketivism refers to government agencies or state-affiliated actors that adopt the branding, tactics, and imagery of grassroots hacktivist groups,” Forescout explained.

“These entities operate under the guise of independent hacktivists but are, in reality, directly employed by national governments or state-linked corporations to promote government-aligned narratives and conduct cyber operations.”