DISARMframeworks/generated_pages/incidents/I00127.md

27 lines
4.5 KiB
Markdown
Raw Normal View History

# Incident I00127: Iranian APTs Dress Up as Hacktivists for Disruption, Influence Ops
* **Summary:** <i>Iran has taken a page from the Russian playbook: Passing off military groups as civilians for the sake of PR and plausible deniability.</i>
* **incident type**:
* **Year started:**
* **Countries:** ,
* **Found via:**
* **Date added:**
| Reference | Pub Date | Authors | Org | Archive |
| --------- | -------- | ------- | --- | ------- |
| Technique | Description given for this incident |
| --------- | ------------------------- |
| [T0097.104 Hacktivist Persona](../../generated_pages/techniques/T0097.104.md) |  IT00000532 <i>Iranian state-backed advanced persistent threat (APT) groups have been masquerading as hacktivists, claiming attacks against Israeli critical infrastructure and air defense systems.<br><br>[...]<br><br>What's clearer are the benefits of the model itself: creating a layer of plausible deniability for the state, and the impression among the public that their attacks are grassroots-inspired. While this deniability has always been a key driver with state-sponsored cyberattacks, researchers characterized this instance as noteworthy for the effort behind the charade.<br><br>"We've seen a lot of hacktivist activity that seems to be nation-states trying to have that 'deniable' capability," Adam Meyers, CrowdStrike senior vice president for counter adversary operations said in a press conference this week. "And so these groups continue to maintain activity, moving from what was traditionally website defacements and DDoS attacks, into a lot of hack and leak operations."<br><br>To sell the persona, faketivists like to adopt the aesthetic, rhetoric, tactics, techniques, and procedures (TTPs), and sometimes the actual names and iconography associated with legitimate hacktivist outfits. Keen eyes will spot that they typically arise just after major geopolitical events, without an established history of activity, in alignment with the interests of their government sponsors.<br><br>Oftentimes, it's difficult to separate the faketivists from the hacktivists, as each might promote and support the activities of the other.</i><br><br>In this example analysts from CrowdStrike assert that hacker groups took on the persona of hacktivists to disguise the state-backed nature of their cyber attack campaign (T0097.104: Hacktivist Persona). At times state-backed hacktivists will impersonate existing hacktivist organisations (T0097.104: Hacktivist Persona, T0143.003: Impersonated Persona). |
| [T0143.003 Impersonated Persona](../../generated_pages/techniques/T0143.003.md) |  IT00000533 <i>Iranian state-backed advanced persistent threat (APT) groups have been masquerading as hacktivists, claiming attacks against Israeli critical infrastructure and air defense systems.<br><br>[...]<br><br>What's clearer are the benefits of the model itself: creating a layer of plausible deniability for the state, and the impression among the public that their attacks are grassroots-inspired. While this deniability has always been a key driver with state-sponsored cyberattacks, researchers characterized this instance as noteworthy for the effort behind the charade.<br><br>"We've seen a lot of hacktivist activity that seems to be nation-states trying to have that 'deniable' capability," Adam Meyers, CrowdStrike senior vice president for counter adversary operations said in a press conference this week. "And so these groups continue to maintain activity, moving from what was traditionally website defacements and DDoS attacks, into a lot of hack and leak operations."<br><br>To sell the persona, faketivists like to adopt the aesthetic, rhetoric, tactics, techniques, and procedures (TTPs), and sometimes the actual names and iconography associated with legitimate hacktivist outfits. Keen eyes will spot that they typically arise just after major geopolitical events, without an established history of activity, in alignment with the interests of their government sponsors.<br><br>Oftentimes, it's difficult to separate the faketivists from the hacktivists, as each might promote and support the activities of the other.</i><br><br>In this example analysts from CrowdStrike assert that hacker groups took on the persona of hacktivists to disguise the state-backed nature of their cyber attack campaign (T0097.104: Hacktivist Persona). At times state-backed hacktivists will impersonate existing hacktivist organisations (T0097.104: Hacktivist Persona, T0143.003: Impersonated Persona). |
DO NOT EDIT ABOVE THIS LINE - PLEASE ADD NOTES BELOW