Politically Motivated Attacks Could Force Enterprises To Reshape Defenses

An emerging wave of politically motivated cyberattacks is reaching critical mass and threatens to redefine the way enterprises build their defenses, according to a report (PDF) that will be published tomorrow.

The report, compiled by well-known botnet researcher Gunter Ollmann of Damballa, offers a comprehensive look at the recent trend toward politically motivated cyberprotests, sometimes called hacktivism. While such organized mass attacks on specific targets are best known for being carried out against rival governments (think Estonia or Georgia) and large companies (think Project Aurora), the new report shows "cyberprotests" can be carried out against any organization, and for myriad reasons.

"These types of attacks focus on all types of topics, and they can be executed by thousands of users or even just a few," Ollmann observes. "They open a much wider door of potential attacks on corporations, and they are increasingly difficult to defend because they don't necessarily involve true criminal behavior, and they could be carried out by your own customers."

The report offers numerous examples of hacktivism in recent years, including the defacement of hundreds of Dutch websites in August 2008 by Islamic protesters over the release of the film Fitna, and last summer's distributed denial-of-service (DDoS) attacks on Iranian government sites by supporters of defeated presidential candidates who claimed irregularities in the voting.

Such attacks can be targeted at any organization for any number of reasons, ranging from their political stances to their treatment of workers, animals, or the environment, Ollmann observes. Some companies have even been targeted by their own customers over such issues as the sale of toys containing lead-based paint. "You might think your organization is too small or that there's no reason why you'd be targeted, but you might be surprised" by cyberprotesters' motivations, he says.

What scares many security professionals about hacktivism is it defies the logic that defines most companies' security strategies: namely, that the attacker's primary goal is to access or steal the company's most sensitive and valuable data. For the past several years, IT organizations have been building defenses against financially motivated criminals who are looking for marketable data, such as customer lists, personal records, or intellectual property. But a politically motivated attack might be designed merely to cause headaches or create embarrassment for the target organization -- which means it could use a much broader spectrum of attack vectors.

"It might be the simple defacement of a website, or it might be hundreds of people trying to overload a single email box with hundreds of messages," Ollmann says. "Potentially, it could be DDoS, defacement, or even malware."

The growing popularity of social networks is making these target cyberprotests easier to organize and control, according to Ollmann. The phrase "opt-in botnet" refers to the ability of willing protesters to put together an organized, targeted attack that operates much like the botnets created by criminals harnessing unprotected "zombie" machines, he says.

"What's different here is that a lot of these attacks are organized right out in the open -- in fact, most of these people want to be seen, just as physical protesters would go out and hold a sit-in or carry signs in front of a building," Ollmann explains. "You can actually see the command-and-control component on Facebook or on a website." Damballa, which monitors the design and creation of botnets by criminals, also is tracking these more public, opt-in botnets.

What worries Ollmann is that there are no established laws or ethics surrounding the emerging class of cyberprotests. "It's hard to say where the lines are," he says. "Most people are willing to send an email to express their political beliefs, but are they willing to send 10 emails? What about 100? Are they willing to install and use a defacement toolkit? The lines between a civil protest and a cybercrime are not very clear."

As hacktivism continues to grow and evolve, IT security departments will have to prepare their defenses at several different levels, Ollmann says. On a technical level, companies should ensure they are prepared to respond to commonly used protester tactics, such as website defacement, DDoS attacks, spam/email campaigns, and perhaps even tactics that exploit common vulnerabilities, such as cross-site scripting.

On a broader scale, companies should probably take more steps to track the things that are being said about them on the Web, Ollmann says. "A lot of companies do this already through tools like Google Alerts, but there may be an opportunity here for other types of services that monitor what's being said in blogs or on social networks," he says.

Companies also should take care that their employees and systems don't become part of these opt-in botnets, Ollmann warns. "Right now, if an individual chooses to take this sort of [political] action, there's not much that law enforcement or the victim organization can do about it," he says. "But if they see that 200 employees inside a single organization are waging a protest, then that gives them a clearer target."

Down the road, it is possible that some companies might want to engage in a sort of counterintelligence effort, infiltrating the protester groups and perhaps attempting to disrupt their activities through disinformation, Ollman says. "That can be difficult because they may take action or move around," he notes. "For now, the best thing is probably just to monitor what they're doing -- be aware of it, and be ready if they're going to take action."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.