Wednesday 28 September 2022, 11:30 - 12:00
Blake Djavaherian (Mandiant)
Authentic hacktivist threat actors, while frequently overlooked by researchers and overshadowed by state-nexus operations utilizing hacktivism personas for cover, have continued to proliferate globally. Yet such actors still tend to be plagued by the same phenomena that have historically stymied others in the hacktivism landscape, preventing them either from achieving operational maturity or fulfilling demonstrable objectives at levels most often associated with advanced persistent threat (APT) or well-organized cybercriminal groups. These stumbling blocks include weak hierarchical structures, limited technical knowledge across members, and pervasive behavioural immaturity.
As a result, the vast majority of hacktivists to emerge in recent years have pursued inconsistent objectives, experienced short lifespans, and failed to cause the grandiose impacts they loudly promise. This overall trend has manifested in the swarm-like nature of campaigns conducted by modern hacktivist 'collectives' – including Anonymous – whose operations are often as overhyped as they are short-lived. These campaigns are occasionally assisted by leak-publishing entities such as whistleblowing groups (e.g. Distributed Denial of Secrets) or by external organizational efforts (e.g. the Ukrainian government’s recruitment for an IT Army of Ukraine).
These trends are not necessarily the rule: at least one hacktivist group, the Belarusian Cyber Partisans, has exhibited advanced organizational and operational security skills above and beyond its counterparts. Since September 2020, the Cyber Partisans have conducted high-profile, and even impactful, information operations and disruptive attacks against the Belarusian government in protest against the policies and continued administration of the country’s executive, Aleksander Lukashenko. While that group has targeted Belarusian government entities in 2022 in an effort to degrade Russian military logistics associated with the latter’s invasion of Ukraine, its precise origins still remain a subject of some debate.
This paper explores the state of contemporary hacktivism, beginning with the formation and activities of loose collectives before continuing on to describe the nature, interactions and operations of hacktivist groups within regional hacktivist ecosystems. It then examines the Cyber Partisans through the lens of being an outlier among authentic hacktivist groups, leading into a concluding analysis on the broader implications of the development of advanced hacktivist entities operating in opposition to, or support of, national governments.
Blake currently serves as a consultant for Mandiant. Previously, as an intelligence analyst for CrowdStrike’s Global Threat Analysis Cell (GTAC), Blake was responsible for the tracking and analysis of a broad range of state-nexus, nonstate, and hacktivist cyber threat actors – with a particular emphasis on activity originating from South Asia, Latin America and the Middle East. Blake holds a B.A. in science and technology in international affairs from Georgetown University. In addition, he has guest lectured at Georgetown’s Center for Security Studies on cybersecurity topics, including network infrastructure hunting and attribution, and has previously spoken publicly on his research.