Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Politically Motivated Attacks Could Force Enterprises To Reshape Defenses

Targeted attacks could happen to any organization for myriad reasons, report says

An emerging wave of politically motivated cyberattacks is reaching critical mass and threatens to redefine the way enterprises build their defenses, according to a report (PDF) that will be published tomorrow.

The report, compiled by well-known botnet researcher Gunter Ollmann of Damballa, offers a comprehensive look at the recent trend toward politically motivated cyberprotests, sometimes called hacktivism. While such organized mass attacks on specific targets are best known for being carried out against rival governments (think Estonia or Georgia) and large companies (think Project Aurora), the new report shows "cyberprotests" can be carried out against any organization, and for myriad reasons.

"These types of attacks focus on all types of topics, and they can be executed by thousands of users or even just a few," Ollmann observes. "They open a much wider door of potential attacks on corporations, and they are increasingly difficult to defend because they don't necessarily involve true criminal behavior, and they could be carried out by your own customers."

The report offers numerous examples of hacktivism in recent years, including the defacement of hundreds of Dutch websites in August 2008 by Islamic protesters over the release of the film Fitna, and last summer's distributed denial-of-service (DDoS) attacks on Iranian government sites by supporters of defeated presidential candidates who claimed irregularities in the voting.

Such attacks can be targeted at any organization for any number of reasons, ranging from their political stances to their treatment of workers, animals, or the environment, Ollmann observes. Some companies have even been targeted by their own customers over such issues as the sale of toys containing lead-based paint. "You might think your organization is too small or that there's no reason why you'd be targeted, but you might be surprised" by cyberprotesters' motivations, he says.

What scares many security professionals about hacktivism is it defies the logic that defines most companies' security strategies: namely, that the attacker's primary goal is to access or steal the company's most sensitive and valuable data. For the past several years, IT organizations have been building defenses against financially motivated criminals who are looking for marketable data, such as customer lists, personal records, or intellectual property. But a politically motivated attack might be designed merely to cause headaches or create embarrassment for the target organization -- which means it could use a much broader spectrum of attack vectors.

"It might be the simple defacement of a website, or it might be hundreds of people trying to overload a single email box with hundreds of messages," Ollmann says. "Potentially, it could be DDoS, defacement, or even malware."

The growing popularity of social networks is making these target cyberprotests easier to organize and control, according to Ollmann. The phrase "opt-in botnet" refers to the ability of willing protesters to put together an organized, targeted attack that operates much like the botnets created by criminals harnessing unprotected "zombie" machines, he says.

"What's different here is that a lot of these attacks are organized right out in the open -- in fact, most of these people want to be seen, just as physical protesters would go out and hold a sit-in or carry signs in front of a building," Ollmann explains. "You can actually see the command-and-control component on Facebook or on a website." Damballa, which monitors the design and creation of botnets by criminals, also is tracking these more public, opt-in botnets.

What worries Ollmann is that there are no established laws or ethics surrounding the emerging class of cyberprotests. "It's hard to say where the lines are," he says. "Most people are willing to send an email to express their political beliefs, but are they willing to send 10 emails? What about 100? Are they willing to install and use a defacement toolkit? The lines between a civil protest and a cybercrime are not very clear."

As hacktivism continues to grow and evolve, IT security departments will have to prepare their defenses at several different levels, Ollmann says. On a technical level, companies should ensure they are prepared to respond to commonly used protester tactics, such as website defacement, DDoS attacks, spam/email campaigns, and perhaps even tactics that exploit common vulnerabilities, such as cross-site scripting.

On a broader scale, companies should probably take more steps to track the things that are being said about them on the Web, Ollmann says. "A lot of companies do this already through tools like Google Alerts, but there may be an opportunity here for other types of services that monitor what's being said in blogs or on social networks," he says.

Companies also should take care that their employees and systems don't become part of these opt-in botnets, Ollmann warns. "Right now, if an individual chooses to take this sort of [political] action, there's not much that law enforcement or the victim organization can do about it," he says. "But if they see that 200 employees inside a single organization are waging a protest, then that gives them a clearer target."

Down the road, it is possible that some companies might want to engage in a sort of counterintelligence effort, infiltrating the protester groups and perhaps attempting to disrupt their activities through disinformation, Ollman says. "That can be difficult because they may take action or move around," he notes. "For now, the best thing is probably just to monitor what they're doing -- be aware of it, and be ready if they're going to take action."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not pa...
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2020-10-22
An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e99502f76271.
PUBLISHED: 2020-10-22
An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during use of an INVLPG-like attack technique.