article / Apr 12, 2017

Doxing, DoS, and Defacement: Today’s Mainstream Hacktivism Tools

by Ray Pompon

The power of technology has forever buried the old means of retail commerce, communication, entertainment, and finance. In a similar way, technology is now empowering a sea of change in politics and protest. The use of hacking tools is no longer limited to statecraft and cybercrime; hacking tools are weapons available to anyone and everyone. Their use on a highly cyber-connected society means that information itself can now be easily weaponized. These are the perfect tools for civil disobedience because they enable few to stand against many and make a difference.

The Cyberweapons of Hacktivism

Hacktivists use three common offensive cyber techniques to varying degrees to get their messages out there and harass their opponents.

Doxing and Leaking

The first is doxing (dox being short for documents, or docs), which involves publicizing of private or personal information on the Internet about a hacktivist’s opponents to intimidate or embarrass them. On a broader scale, leaking is the publication of carefully curated and incriminating emails or confidential documents, which can be effective against organizations or public figures. This is what plays out on the nightly news with WikiLeaks, and it is all too common. However, doxing is more a personal attack. It involves releasing highly personal, identifying information about an individual that includes details like date of birth, family names, phone numbers, social media profiles, and even photographs.

Most insidiously, doxing can be used to hit individual members within a targeted organization. For example, thousands of U.S. law enforcement and government employees have been doxed as part of hacktivist protests.1 Because of the nature of their jobs, law enforcement personnel can be placed in serious physical danger if their personal information is leaked to the public. It’s such a serious problem that the FBI has issued warnings to law enforcement personnel and their family members about possible doxing and cyber-attacks by hacktivists.2

Where are hacktivists getting this information to share? In many cases, they are hacking the police systems directly just for this purpose.3 Ironically, even the original restricted warnings on doxing issued internally to the FBI were leaked by hacktivists.4

Denial of Service

A fundamental form of physical dissent is the protest march or the sit-in. These are designed to deny usage of some important service and at the same time call attention to the protestors’ cause. In the Internet world, the Denial of Service attack is an easy, electronic substitute. But, to be effective as a protest tool and draw attention to the cause, hacktivist protest attacks need to be publicized in advance. A good example of this was Anonymous’ 2013 OpUSA campaign against U.S. banks and government offices, which was forewarned weeks in advance:

These notifications give defenders a chance to prepare their response. Without them, a hacktivist runs the risk of the affected organization attributing the attack to criminals or equipment outages. For a hacktivist, that’s a fail—the attention is just as important to them as the shutdown.

The real problem with hacktivists perpetrating DoS attacks is the use of illegally subverted computers (pwned bots) woven into Distributed Denial-of-Service (DDoS) botnets. It’s much harder to claim the moral high ground when you DDoS someone using stolen computing resources. Some hacktivists have tried to frame DDoS attacks as legitimate forms of protest although, so far, this hasn’t held any water as a legal defense.5

We have come to expect the mostly symbolic protest gestures from groups like Anonymous, such as their DDoS attacks on Holocaust Remembrance Day6 or Canada Day.7 What is new is groups like New World Hackers claiming responsibility for the largest DDoS attack in the history of the Internet.8  The California State Threat Assessment Center (STAC) has issued warnings of a ramp-up of several different hacktivist groups that are planning DDoS attacks against government sites.9 DDoS as a protest tool is normalizing and spreading.

Defacement

Website defacement—changing the visual appearance of a site—was also an early and popular form of hacktivism, essentially taking the form of political graffiti across Internet. It reached an early apex of popularity in 2001 when a mid-air collision between a Chinese fighter plane and a U.S. spy plane occurred. Chinese hackers retaliated by hacking into and defacing nearly a thousand U.S. websites, and American hacktivists responding in kind.10 Website defacement still happens, often to take the hacktivist’s message directly to “the people.”

But, stepping back from tampering with the visual appearance of websites, there are more insidious forms of hacktivist defacement. In its purest form, defacement is what we security professionals call an attack against data integrity; that is, someone has corrupted our systems by electronic tampering. But, defacement can go beyond websites. Many other kinds of electronic systems can be subverted to send a political message.

Online polls have been hacked to skew results, although most of the time it has been done as a prank.11 This calls into question any online political polling. Followers of social media such as Twitter12 or Facebook13 are also easily subverted, further corrupting the viability of any online political campaigns. Political Bots, a research team that investigates the impact of automated propaganda on the public, explains, “Bots are social media accounts that automate interaction with other users, and political bots have been particularly active on public policy issues, political crises, and elections.14 In a separate post, the research team noted that in the week prior to the 2016 U.S. presidential election, 19 million bot accounts sent tweets. “The U.S. election saw perhaps the most pervasive use of bots in attempts to manipulate public opinion in the short history of these automated political tools.”15 Entire platforms for political communication and discourse are being defaced, notably sometimes invisibly, to skew influence.

You Can’t Punch a Swarm of Bees

Hacking allows anonymous attacks from small groups or individuals to command an unprecedented level of attention in society. Part of that power is in the protestors’ ability to blend into a faceless, amorphous group. Beyond the Anonymous group, which revels in striking from the shadows, there are many other protest movements banding together solely based on goals and a set of techniques. These include Resist, BLM, Occupy, and Arab Spring. While some of these groups have some leadership, involvement is more about hashtags than membership cards. Online tools not only facilitate, they also encourage ad-hoc associations and actions around a cause.

An inability to point to a specific leadership in an offending organization can make retribution, containment, and negotiation very difficult. For example, even when a large crackdown against hacktivists occurs, it still represents a small fraction of the actual movement. When the FBI arrested 14 members of Anonymous, the movement quickly regrouped and began taunting law enforcement anew.16 These flash mob style swarms of attacks can be quite exasperating for targeted organizations and, for the same reason, can be very attractive for protestors who want to modulate their involvement in the cause. The deployment of opt-in DDoS tools like the Low Orbit Ion Cannon (LOIC)17 can provide hacktivist movements with a way to arm spur-of-the-moment protestors with powerful cyber-weapons.

Digital crowdsourced protests also provide deniability for egregious actions taken. If the movement wants to preserve some legitimacy, it can also easily disavow any illegal actions by these spontaneous hacktivists. That’s just as well, because there are some hacktivists who truly don’t believe in any particular cause beyond causing general mayhem to authority figures. Unfortunately, these vandals can easily slip in and out of hacktivist movements to harass and sabotage under the aegis of “making the world a better place.”

One can also look at these as situations in which the respective governments are either encouraging (or not discouraging) the hacktivist actions. Hacktivism can be seen as a form of slightly firmer political “soft power”—a way of flexing muscles without actually causing any permanent damage. The web defacements regarding a politically charged sports ruling could easily fit this paradigm.18

Conclusion

The problem with cyber protesting is that anything technological can be automated and mass-scaled, which means grassroots campaigns can be quickly co-opted into AstroTurf campaigns— usually by the very authorities being protested.

CISOs, build your threat models accordingly. Anyone can get angry at you. Hacktivists won’t play fair and merely picket your building and sue you in court. Be sure you have done adequate risk analysis around leaks of email and doxing attacks against staff, sustained DDoS attacks, and defacement of Internet applications.


MODIFIED: Jul 06, 2017

Tags: , , , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.