In this new era of cyber warfare, “knowing thy enemy” is more complicated than ever before. While the private sector continues to experience a cyber skills gap characterized by a lack of specialized talent, the barrier to entry for cybercriminals and attackers is at an all-time low. As geopolitical tensions play out in cyberspace, it can be impossible to distinguish between nation-state-sanctioned actors and non-sponsored criminals.

In the ongoing Russia-Ukraine conflict, allegiances from cybercriminal hacking organizations and prominent hacktivists — hackers acting with a political or social motive in mind — have substantially complicated the threat landscape, attacker attribution, and any hope of clearly defined lines. This “Wild West” era of cyber warfare pits hacktivists against nation-states and, at times, each other, and cybercriminals against private sector businesses, blurring the lines and increasing the risks of escalation, collateral damage and misattribution.

For many cybersecurity professionals, this redefinition of the norms of cyber-aggression was marked by cybercriminals, such as the ransomware gang Conti, pledging to stand with the Russian Federation in its invasion of Ukraine. But hacktivists, like socially motivated hacking collective Anonymous, have also taken sides in the conflict, unilaterally disrupting valuable Russian cyber targets.

As Ukraine continues to grow its 400,000-strong volunteer “IT Army,” these hacktivists have started to play an unprecedented role, and organizations in the private sector must prepare to build cyber defenses in the face of this emerging cyber threat.

The rise of hacktivism

Early hacktivism was characterized by the extension of civil disobedience and protest into cyberspace. At the dawn of the 21st century, hacktivists sought to advance human rights and combat increased censorship and government regulation of the internet and communications. In 2011, the industry saw a resurgence of this form of activism, with attacks aimed at supporting protesting civilians by targeting state websites during the Arab Spring.

Over the last decade, the cybersecurity community has seen a proliferation of non-state hacking groups. Many have been financially motivated malicious actors, from sophisticated ransomware gangs to low-skilled hackers leveraging the dark web, underground hacking guides, and commodified tools like Ransomware as a Service for easy entry into cybercrime. But hacktivism has also experienced a steady rise in recent years, with increasing numbers of cyber actors performing vigilantism in cyberspace.

Like financially motivated hackers, activists have faced a lower and lower barrier to entry into cyberspace. These hackers primarily employ readily available tools and techniques, such as Distributed Denial of Service (DDoS) attacks, vulnerability scanners, and doxing, to disrupt and disgrace target governments, organizations and individuals. These non-state actors justify cyberattacks with ethical reasoning, using cyber threats to advance their causes.

Despite seemingly virtuous motivations, these non-state cyber attackers are ungoverned and retain complete discretion over their activity. In this era of cyber warfare, hacktivists may inflict damage or cause disruption for their personal gain under the guise of moral support for nation-states.

What are the stakes of hacktivist involvement?

In the ongoing Russia-Ukraine conflict, successful large-scale attacks on critical infrastructure inside or outside Ukraine or Russia have not yet materialized. However, such attacks have the potential to be so disruptive that they threaten economic and national security. It is not clear what level of attack and disruption would be viewed as an act of war outside the current conflict. With ransomware gangs, especially those with varying degrees of nation-state links, and hacktivists running rampant in cyberspace, these non-state actors rapidly increase the risks of misattribution and devastating retaliatory cyberattacks.

The private sector is not immune to these cyber risks posed by hacktivists. Just last year, video game streaming service Twitch suffered an extensive data leak of passwords and other user information caused by hackers who reportedly targeted the service to encourage greater competition in the industry and as punishment for the organization allowing “toxic” discourse on its platforms. In a similar breach, crowdfunding website GiveSendGo experienced a leak of sensitive data, including the names and personal information of donors of the “Freedom Convoy 2022” trucker protests in Canada.

Whatever their motivations, alleged hacktivists targeted private organizations and individual consumers with cyberattacks in both these instances. In addition to the operational and reputational damage done to the breached businesses, the users affected are at increased risk of additional cyberattacks, internet harassment, fraud, and even physical harm from malicious actors with differing politics. These released data lists are also likely an attractive target for cybercriminals and nation-state actors seeking to engage in future social engineering and disinformation campaigns, effectively arming the enemy.

Fighting back

The danger posed by financially, socially or politically motivated non-state cyber actors will continue to rise, increasing pressure on governments and organizations to prioritize and resource cyber defense programs properly. While skilled cyber professionals are a resource for nation-states like Ukraine, when these groups take extra-legal offensive action with minimal state supervision, they do so with the risk of misunderstood implications, wrongful attribution, and aggressive counterattacks.

As alternatives, nation-states should look to cyber defense forces, collaborative security partnerships, and support from allies in bolstering their security posture. With the confirmation of alleged covert operations involving U.S. military personnel and private-sector engineers in 2021 to help prepare Ukraine for incoming cyberattacks, it is clear that this form of cooperation is becoming essential to developing defensive superiority in the face of aggressors. With no agreed norms of cyber conflict, nation-states dramatically increase the risks when cyber war involves civilians and criminals.

As attacks from non-state actors proliferate, businesses and government institutions must turn to new ways of enhancing security teams. On the personnel side, this can mean leaning on cyber volunteer forces to bolster defensive capabilities, not a “hack back” free-for-all. It also means using advanced technologies to increase cyber defense and security capabilities. Security leaders will need to think differently about security strategies that look well beyond alerting and detection alone.

Security teams need a cyber defense strategy that gives them the necessary self-awareness to harden environments even before attackers arrive. And, when the attack does come, such a strategy accelerates understanding of the attack and autonomously defends against previously unknown attack types and tools. Just as the types of threat actors are diversifying, the way they breach organizations and the tradecraft they develop will also evolve and become new challenges for today’s security leaders.