Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Politically Motivated Attacks Could Force Enterprises To Reshape Defenses

Targeted attacks could happen to any organization for myriad reasons, report says

An emerging wave of politically motivated cyberattacks is reaching critical mass and threatens to redefine the way enterprises build their defenses, according to a report (PDF) that will be published tomorrow.

The report, compiled by well-known botnet researcher Gunter Ollmann of Damballa, offers a comprehensive look at the recent trend toward politically motivated cyberprotests, sometimes called hacktivism. While such organized mass attacks on specific targets are best known for being carried out against rival governments (think Estonia or Georgia) and large companies (think Project Aurora), the new report shows "cyberprotests" can be carried out against any organization, and for myriad reasons.

"These types of attacks focus on all types of topics, and they can be executed by thousands of users or even just a few," Ollmann observes. "They open a much wider door of potential attacks on corporations, and they are increasingly difficult to defend because they don't necessarily involve true criminal behavior, and they could be carried out by your own customers."

The report offers numerous examples of hacktivism in recent years, including the defacement of hundreds of Dutch websites in August 2008 by Islamic protesters over the release of the film Fitna, and last summer's distributed denial-of-service (DDoS) attacks on Iranian government sites by supporters of defeated presidential candidates who claimed irregularities in the voting.

Such attacks can be targeted at any organization for any number of reasons, ranging from their political stances to their treatment of workers, animals, or the environment, Ollmann observes. Some companies have even been targeted by their own customers over such issues as the sale of toys containing lead-based paint. "You might think your organization is too small or that there's no reason why you'd be targeted, but you might be surprised" by cyberprotesters' motivations, he says.

What scares many security professionals about hacktivism is it defies the logic that defines most companies' security strategies: namely, that the attacker's primary goal is to access or steal the company's most sensitive and valuable data. For the past several years, IT organizations have been building defenses against financially motivated criminals who are looking for marketable data, such as customer lists, personal records, or intellectual property. But a politically motivated attack might be designed merely to cause headaches or create embarrassment for the target organization -- which means it could use a much broader spectrum of attack vectors.

"It might be the simple defacement of a website, or it might be hundreds of people trying to overload a single email box with hundreds of messages," Ollmann says. "Potentially, it could be DDoS, defacement, or even malware."

The growing popularity of social networks is making these target cyberprotests easier to organize and control, according to Ollmann. The phrase "opt-in botnet" refers to the ability of willing protesters to put together an organized, targeted attack that operates much like the botnets created by criminals harnessing unprotected "zombie" machines, he says.

"What's different here is that a lot of these attacks are organized right out in the open -- in fact, most of these people want to be seen, just as physical protesters would go out and hold a sit-in or carry signs in front of a building," Ollmann explains. "You can actually see the command-and-control component on Facebook or on a website." Damballa, which monitors the design and creation of botnets by criminals, also is tracking these more public, opt-in botnets.

What worries Ollmann is that there are no established laws or ethics surrounding the emerging class of cyberprotests. "It's hard to say where the lines are," he says. "Most people are willing to send an email to express their political beliefs, but are they willing to send 10 emails? What about 100? Are they willing to install and use a defacement toolkit? The lines between a civil protest and a cybercrime are not very clear."

As hacktivism continues to grow and evolve, IT security departments will have to prepare their defenses at several different levels, Ollmann says. On a technical level, companies should ensure they are prepared to respond to commonly used protester tactics, such as website defacement, DDoS attacks, spam/email campaigns, and perhaps even tactics that exploit common vulnerabilities, such as cross-site scripting.

On a broader scale, companies should probably take more steps to track the things that are being said about them on the Web, Ollmann says. "A lot of companies do this already through tools like Google Alerts, but there may be an opportunity here for other types of services that monitor what's being said in blogs or on social networks," he says.

Companies also should take care that their employees and systems don't become part of these opt-in botnets, Ollmann warns. "Right now, if an individual chooses to take this sort of [political] action, there's not much that law enforcement or the victim organization can do about it," he says. "But if they see that 200 employees inside a single organization are waging a protest, then that gives them a clearer target."

Down the road, it is possible that some companies might want to engage in a sort of counterintelligence effort, infiltrating the protester groups and perhaps attempting to disrupt their activities through disinformation, Ollman says. "That can be difficult because they may take action or move around," he notes. "For now, the best thing is probably just to monitor what they're doing -- be aware of it, and be ready if they're going to take action."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
Cross Site Scripting (XSS) in emlog v6.0.0 allows remote attackers to execute arbitrary code by adding a crafted script as a link to a new blog post.
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete a specific article via the component " /admin.php?action=page."
PUBLISHED: 2021-05-17
Cross Site Request Forgery (CSRF) in Pluck CMS v4.7.9 allows remote attackers to execute arbitrary code and delete specific images via the component " /admin.php?action=images."
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_handles ../../src/decode.c:2637.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode.c:3051.