DISARMframeworks/generated_pages/techniques/T0097.104.md


Technique T0097.104: Hacktivist Persona

  • Summary: A person with a hacktivist persona presents themselves as an activist who conducts offensive cyber operations or builds technical infrastructure for political purposes, rather than for the financial motivations commonly attributed to hackers. Hacktivists are hacker activists who use their technical knowledge to take political action.

    Hacktivists can build technical infrastructure to support other activists, including secure communication channels and surveillance and censorship circumvention. They can also conduct DDoS attacks and other offensive cyber operations, aiming to take down digital assets or gain access to proprietary information. An influence operation may use hacktivist personas to support its operational narratives and legitimise its operational activities.

    Fabricated Hacktivists are sometimes referred to as “Faketivists”.

    Associated Techniques and Sub-techniques
    T0097.103: Activist Persona: Analysts should use this sub-technique to catalogue cases where an individual is presenting themselves as someone engaged in activism but doesn't present themselves as using technical tools and methods to achieve their goals.

  • Belongs to tactic stage: TA16

Incident: I00127 Iranian APTs Dress Up as Hacktivists for Disruption, Influence Ops

Descriptions given for this incident:

Iranian state-backed advanced persistent threat (APT) groups have been masquerading as hacktivists, claiming attacks against Israeli critical infrastructure and air defense systems.

[...]

What's clearer are the benefits of the model itself: creating a layer of plausible deniability for the state, and the impression among the public that their attacks are grassroots-inspired. While this deniability has always been a key driver with state-sponsored cyberattacks, researchers characterized this instance as noteworthy for the effort behind the charade.

"We've seen a lot of hacktivist activity that seems to be nation-states trying to have that 'deniable' capability," Adam Meyers, CrowdStrike senior vice president for counter adversary operations said in a press conference this week. "And so these groups continue to maintain activity, moving from what was traditionally website defacements and DDoS attacks, into a lot of hack and leak operations."

To sell the persona, faketivists like to adopt the aesthetic, rhetoric, tactics, techniques, and procedures (TTPs), and sometimes the actual names and iconography associated with legitimate hacktivist outfits. Keen eyes will spot that they typically arise just after major geopolitical events, without an established history of activity, in alignment with the interests of their government sponsors.

Oftentimes, it's difficult to separate the faketivists from the hacktivists, as each might promote and support the activities of the other.


In this example analysts from CrowdStrike assert that hacker groups took on the persona of hacktivists to disguise the state-backed nature of their cyber attack campaign (T0097.104: Hacktivist Persona). At times state-backed hacktivists will impersonate existing hacktivist organisations (T0097.104: Hacktivist Persona, T0143.003: Impersonated Persona).

Counters | Response types
