The FBI defines hacktivism as a collective of cyber criminals who conduct cyber activities to advance an ideological, social, or political cause. Historically, hacktivist collectives conducted and advocated for cyber crime activity following high-profile political, socioeconomic, or world events. Coinciding with the Russian invasion of Ukraine, the FBI is aware of pro-Russian hacktivist groups employing DDoS attacks to target critical infrastructure companies with limited success. Hacktivists provide tools and guidance on cyber attack methodology and techniques to anyone willing to conduct an attack on behalf of their cause. DDoS attacks against public-facing websites, along with web page and social media profile defacement, are a preferred tactic for many operations. These attacks are generally opportunistic in nature and, with DDoS mitigation steps in place, have minimal operational impact on victims; however, hacktivists will often publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the disruption of service.
Hacktivists often select targets for their perceived impact rather than for any actual disruption of operations:
- DDoS attacks require little technical knowledge, and hacktivists may leverage a wide range of open source DDoS services and tools to disrupt public-facing websites.
- High-profile targets including financial institutions, health and medical facilities, emergency services, airports, and government facilities are common targets of DDoS attacks.
- Hacktivists typically claim responsibility for such attacks on social media to increase their credibility and falsely assert greater impact or disruption than what occurred.
- Hacktivists also recycle previously disseminated information (whether exfiltrated or a compilation of publicly available information) to build credibility and imply a higher level of technical ability.
- Hacktivists may post news coverage about their attacks, which can lead to repeat attacks or copycat attacks on targets that received a large amount of media attention.
DDoS attacks vary in duration and can be identified by:
- Unusually slow network performance (opening files or accessing websites).
- Unavailability of a particular website or the inability to access any website.
To mitigate a DDoS attack:
- Enroll in a Denial of Service protection service that detects abnormal traffic flows and redirects traffic away from the network.
- Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic during an event.
- Create a disaster recovery plan to ensure successful and efficient communication, mitigation, and recovery in the event of an attack.
- During and after a DDoS attack, monitor other network assets for any additional anomalous or suspicious activity that could indicate a secondary attack.
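The indicators above (slow performance, unavailability) are what an operator sees; the abnormal traffic flow behind them shows up in web-server access logs first. As an added example, not part of the FBI advisory, the script below buckets combined-format access-log entries into 10-second windows and flags any window whose request count is far above the median, reporting how many distinct sources drove it. The log lines are constructed with TEST-NET addresses, and the names `parse_line`, `window_stats`, `detect_flood` and `constructed_sample` are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Combined log format: client, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (epoch_seconds, client_ip, request_line) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return ts, m.group("ip"), m.group("req")

def window_stats(lines, window_s=10):
    """Bucket requests into fixed windows: {window_start_epoch: Counter(client_ip)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, ip, _ = parsed
            buckets[int(ts // window_s) * window_s][ip] += 1
    return dict(sorted(buckets.items()))

def detect_flood(lines, window_s=10, factor=10, min_requests=50):
    """Flag windows whose request count exceeds factor x the median per-window rate."""
    stats = window_stats(lines, window_s)
    if not stats:
        return []
    baseline = max(median(sum(c.values()) for c in stats.values()), 1)
    return [{"window": w, "requests": sum(c.values()), "sources": len(c),
             "top_sources": c.most_common(3)}
            for w, c in stats.items()
            if sum(c.values()) >= min_requests and sum(c.values()) > factor * baseline]

def constructed_sample():
    """Constructed log: 2 min of quiet baseline, then 120 requests from 30 hosts in one 10 s window."""
    base = datetime(2022, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(0, 120, 4):   # baseline: one request every 4 s from a few clients
        t = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines.append(f'203.0.113.{sec % 5 + 1} - - [{t}] "GET / HTTP/1.1" 200 512')
    for i in range(120):           # flood: 12 requests per second for 10 s, site answering 503
        t = (base + timedelta(seconds=120 + i // 12)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i % 30 + 1} - - [{t}] "GET / HTTP/1.1" 503 0')
    return lines
```

The `sources` count in a flagged window is the useful triage number: a spike from many distinct addresses is what an ISP or DoS protection service needs to hear about, since single-host rate limiting will not absorb it.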