
Thanks. Hi everyone. Um, thanks for having me today. Um, I'm here to talk about hacktivism. Um, and one of the things I think we do as an industry is we focus very very heavily on the ransomware threat, ransomware groups, how they operate, what they're doing, and that kind of organized crime piece. But a lot of the work that I do uh in my business focuses in on European financial services institutions. And recently we've seen a really worrying and problematic increase from this group of threat actors which are often uh very troublesome but not discussed perhaps enough. So, just to give you a kind of outline of what I'm going to cover today, we're going to have a quick
look at the brief history of hacktivism and how that's kind of evolved over time, which has been quite interesting and I think shows you how much things have changed since the sort of start of all of this. Um, have a look at where we are now and the sort of um the sort of threats that we're seeing and how they're manifesting within organizations, and then also um the uplifting end of the talk which will be why we're in trouble for the future. Um so I want to start with one of the first instances, first kind of logged um sort of attacks I suppose from hacktivists, and that actually happened in 1989 against NASA and what happened was at the time
NASA was going to launch the Galileo spacecraft and this was a nuclear-powered craft and at the time we were sort of in the middle of the Cold War and the anti-nuclear sentiment among activist groups was heightened and an Aussie group um actually decided to um hack NASA essentially and um as the story goes, the NASA engineers and scientists came in that day and they saw what we now believe or what we now call to be a splash screen that said, "Your system has officially been WANKed." And the um the phrase that they use, they called it the WANK worm, which I'm pretty sure what they worked out what they wanted to call it and then worked
out a way to make that work as an acronym, but fine. Um and what actually happened was they saw this splash screen and then came up um this sort of list that was looking like all of their files were being deleted. And so the employees at NASA panicked and did all sorts of things to try and counter this. What they didn't realize was that was a complete ruse. The worm itself had no ability whatsoever to delete anything and all it was doing was just basically fabricating that and the damage being caused was actually from the employees themselves reacting to this as opposed to the worm itself. But that was one of the first big examples of hacktivism
and there was a sense of humor at the beginning I suppose within the hacktivist community. Then we moved kind of into the 1990s. We saw a big increase in sort of DoS and defa- and defacement techniques. DDoS and defacements were very much added to that toolbox. Um and it was largely sort of traffic and message floods by and large. Um, in I think it was 1994, there was a crime, a famous crime journalist, Joshua Quittner, and he lost access to his email because he had his email flooded by hacktivists who just wrote the words "capitalist pig" on an email and flooded his inbox with that. Um, we also here in the UK had a group called the Zippies.
Um, and at the time the Zippies were protesting an online um, sorry, not an online, a bill that was put forward by the UK government that would have made outdoor dance festivals illegal. And so all of their hacktivist activity was centered around prohibiting that bill from being successful. Um, and then in 1996, we saw the US Department of Justice get defaced with like "the US Department of Injustice". And I believe they put pornographic images all over that um again to protest a particular act that was going through um the legislative process. And it was around this time that hacktivism as a term actually became known. It was allegedly coined by the group Cult of the Dead
Cow. That's disputed in some different settings, but by and large that's when the word hacktivism got attributed to this kind of online activity. But up until this point really it didn't attract media attention. It was very much focused on sort of niche little groups of hacktivists who were very focused on their roles and that changed when the Kosovo War happened and the media started reporting it more and more and more. Um this was really I think the pivotal moment for hacktivism where it really changed and worldwide we saw DoS attacks starting to happen. We saw um lots of online protests starting to happen. All really focusing on United States um agencies and organizations
very much focused towards "stop the war, stop the aggression". I think they defaced the FAA's website with those sorts of things. They defaced the US Navy's website with similar stuff. NATO had some involvement as well. The interesting thing for me with regards to the Kosovo War though was it was the first time really we saw international hacktivist groups get involved and the key moment was actually when Chinese hacktivists got involved in this same thing and that was really because of the accidental bombing of the Chinese embassy in Belgrade and as a result Chinese hacktivists got involved. So this really I think shifted things and got hacktivists more involved in geopolitics. Then we had the face that everyone
associates with hacktivist groups now um the famous Anonymous um mask um and whatever. So they were a collective of hacktivists and they were actually, lots of people know them for their sort of classic videos and their masks and stuff. They did a couple of really interesting things though. The first was that they started their um hacktivist activity taking it out on the Church of Scientology which was all focused around Tom Cruise at that time. But they also kind of invented the idea of collaborating with other groups which is something that is now causing problems for us in 2025. So they did do a lot of really interesting stuff. But hacktivism today is slightly different
and I'm going to come on to some of the groups that we're seeing operate and the effects they're having. But we have seen a very big shift from that classical hacktivist style into something that is more organized um and more hierarchical than before. And there's a number of reasons for this. For a start, currently in the world, we're seeing huge amounts of sort of political and societal polarization which is very much lending itself to these kind of hacktivist groups. There was a really interesting article that I read the other day on this topic and hacktivism generally that was talking about the increase in sort of a feeling of nihilism within society and how that nihilistic attitude to life was
actually lending itself to hacktivist groups sort of pulling people in and actually quite extreme hacktivist groups pulling people in to their cause. It's pretty low barrier to entry for the most part. Most people can get involved. Um there's lots of levels as well that you can get involved from just joining a Telegram channel, making donations, you know, sharing their content on social media and their hideously terrible videos that they put out. Um and all of these things allow people to get involved. So it's a very different beast to where it was when we had the WANK worm. Um, and I think the problem is, and this has always been the case, when you're dealing with ideology, it's
very hard to counter and it's very hard to predict. When you're dealing with organized crime, it's financially motivated. It's financially driven. We understand that because we work in businesses and we understand how business operates. The problem with ideology is it doesn't follow that pattern necessarily. So we've seen a steep rise in attacks and new tactics and things like that that are coming out. So obviously we're still seeing DoS, we're still seeing defacements, although at a more sort of alarming scale um I would say from some of the main actors, but there are a few other ones that we're seeing a huge increase in. The main ones actually being data exfiltration which is a preferred tactic now and the slightly
more complicated version of that which is where they will go in, they will exfiltrate data from the company, but then they will insert fake documents, fake email threads into the data dump that they then put online. So that could be something like, this is an email chain between the CEO of a bank in Malta and a client and oh look, they're trading in Russian rubles. They're not supposed to be doing that and look, we've dumped that online for the journalists to look at. From an incident response perspective, you then need to not only deal with the fact that they have exfiltrated your sensitive data and put it online, which is bad enough, but you also then
essentially need to go through every single document, every single piece of data they've put out and almost go, that's true, that's fake, that's true, that's fake, and integrity check it in the public eye, which is quite complicated and actually works very well for them. So, we've seen a few kind of key themes with the hacktivist activity generally. We saw obviously Ukraine and Russia, on both sides hacktivists getting involved uh in that conflict. The same is true with Israel and Palestine, although on a much much wider scale. Um Ukraine and Russia, it was more limited to Ukrainian hacktivist groups and Russian hacktivist groups. With Israel um and Palestine that has broadened and I'll come on
to that in a moment. Um and then the final one is environmental concerns as well. We're seeing a large number of environmental activist groups take to this uh to this kind of tactic. But they're not always as firm on their beliefs as they perhaps once were. I think back in the day they were very single issue and they for better or for worse really truly believed in that issue. Um now I feel we've kind of got more into the situation where we want to be a hacktivist and then we're going to justify that with whatever means necessary as opposed to it being a true belief. So we've had things like um as you might know we don't like Israel but
we also don't like war. So, as we've attacked Israel in the past, we are now going to attack Gaza. There's uh for some reason this is the sort of thing you get. And I think there's a lot of that in the current hacktivist groups, some of which you can see uh here on the screen. Um and you know, some of these, you've got Anonymous Sudan and Killnet, both of whom are very pro-Russian, Anonymous Ghost, Palestinian um hacktivist group. And a lot of these groups decide for themselves who they want to target and justify it. It might not be what you think it should be in terms of the goal that they're trying to achieve. So we also have it as a facade for
states as well. And we've seen this a lot. And this takes lots of different shades really because you can have a situation where you would perhaps say that the nation state is acting through the hacktivist group, but at the very least they allow the operation of those groups for their own political goals. Um, and that causes a lot of problems. We've seen that in the Russian conflict. We've seen it in Israel and the Middle East and obviously we've seen it um a lot with North Korea as well. It's quite a useful tool for a nation state though because ultimately, let's just think about this in terms of the Russia conflict. You have Killnet, who are a um
pro-Russian hacktivist group, and I'll talk about them and their tactics uh a little bit later on. But if you think about that from a Russian perspective, Killnet are targeting European financial institutions. They're targeting critical national infrastructure of the Baltic States. They're targeting American institutions. So, it might not be something that you're particularly invested in, but it's pretty good as a disruptive force, isn't it, to just allow to happen in the background. So even if they're not actually actively funding it, it's definitely beneficial for them to allow this to carry on. And the nature of it has all changed and I think Anonymous were part of this because Anonymous really recognized the power of branding and this has gone on
further since then. So you have these groups who are very active on social media. They all put out videos continuously. Some of them are really quite dreadful and some of them are okay. Um, and they're all really into their branding, their logos, their kind of the way they talk, the way they recruit people. And I think from my perspective very much now blur that line between traditional hacktivism like we used to see it where it was very much kind of more single issue to now where we're kind of really I think almost emulating a lot of the ransomware group strategy but through the front of hacktivist groups really, which brings me on to Killnet. Now
obviously there's tons of different hacktivist groups and I could go through each and every one of them in turn and this would be a day-long talk. Um but I chose to focus on Killnet because they are I think one of the more interesting groups that we've seen. So Killnet are interesting for a number of reasons. Firstly they're highly highly capable. They sprung up just before um Russia invaded Ukraine and have largely maintained a pro-Russian stance for justifying all of their attacks. A lot of their videos they put out have been very much threatening European financial institutions and a lot of their MO has been very much focused on trying to dissuade governments from funding or
arming Ukraine. And it's been pretty simple in that capacity. So, how do they make money? Killnet actually, and there's been reports from TRM Labs, who are a crypto analysis um firm, and they've actually managed to launder quite a huge quantity of money per year circling around 50 to $60 million of identified cryptocurrency that they've been moving. So, they're making money from somewhere. That's a decent quantity of money. Like a startup would dream of earning that kind of money, right? So when they've looked at kind of where their revenue streams have come from, some of them are predictable. So we've seen donations from people on their Telegram channel. They're always asking for people to donate, things like
that. So some of that's relatively straightforward, but they've actually been quite entrepreneurial. So they've developed an online training school um which you can go and learn. I don't want to call it cyber security skills. I sort of feel like it's cyber crime skills, isn't it? Um so like $300 odd per course that you want to take. They called it Dark School. Um and you can go and learn god knows what on their platform for $300 per lesson. Um they also develop tools for hire. So they have a sort of as-a-service offering as well um in case you'd want to engage with that. Um and then interestingly they also collaborate with dark markets and they take percentages
in a kind of referral scheme style thing, a bit like if you go online on social media and you see influencers saying if you want to buy this use my Amazon link and I'll get this. It's kind of the same sort of thing but in the dark nefarious world of uh online markets. So, it's very much more about the money. And what's interesting about Killnet as well is on some level, and I don't really want to diminish the harm that they have caused because they've caused an awful lot of harm, but they really care about their supporters. If you read through their Telegram channel, they'll put out videos all the time about where the money is going. Almost in the sense that
you know you have charities commission reports on how charities spend your money. It's almost kind of mirroring that in this really strange way. So, you've had videos put out from people from Killnet that have shown Russian soldiers on the front line literally holding things that have allegedly been bought from them for them by Killnet, saying, "Thanks, Killnet," or whatever in Russian, holding these weapons. And it's almost like this bizarre situation that we've ended up with this sort of dark world where we're sort of allowing these hacktivist groups to do things and then recruit money, launder that money and then be able to spend it um supporting uh a conflict which really is quite bizarre place to be in 2025
where you have that kind of democratization of that process and so they are very interesting to look at but highly highly capable as well. So that brings me on to the general speed of reactions within the hacktivist activity world. We talk a lot about in cyber security, we talk a lot about how if something happens cyber criminals, scammers very very adept at very quickly spinning up phishing sites, very quickly being able to leverage natural disasters or anything else that happens in order to capitalize on it. And the same is true of hacktivist groups as well. A classic example of that was when Hamas, the Hamas attack happened in Israel. So that happened and the same day that it
happened, we saw pro-Israeli hacktivist groups take down Palestinian news sites and we saw Anonymous Ghost, a Palestinian hacktivist group, take Israeli news sites offline. Same day, within hours of the attack happening, this was mobilized. That same day again, we saw groups like the Moroccan Black Cyber Army who also got involved in taking out Israeli capabilities um and Israeli websites. And then something quite interesting happened that I think kind of highlights I suppose the danger of this situation. There's a group called um the Indian Cyber Force who are, no prizes for guessing which country they come from. They are a hacktivist group based in India and they are generally quite pro-Israeli. They attacked um a whole load of Palestinian businesses. And in
response to that, just 2 days after the attack, you saw all of these pro-Palestinian hacktivist groups attack Indian government websites and take them offline. Large Indian companies and take them offline. India, a country that realistically at that moment in time was no way involved whatsoever in the conflict between Hamas and Israel, suddenly finds itself essentially brought into that through the actions of hacktivists. So it goes to show that actually the power of it is huge for the governments and for countries because the actions of one hacktivist group ended up causing trouble for companies and government websites of a country that otherwise would have been completely uninvolved in this conflict completely. So that makes it quite challenging for
anyone to threat model what might happen here. Right. And like I said before, crowdfunding um they raise a lot of money through their Telegram channels and actually they end up having um quite a large I suppose bulk of cash that they're sitting on which leaves them very very capable. I mean typically this has been a problem for activist groups both online and offline is raising money for operations is quite difficult. Now that's been extended and obviously with cryptocurrency they can launder that money with relative um immunity from anything and also dodge sanctions. If you're a Russian-based hacktivist group or a North Korean-based group um you cannot obviously raise money in the traditional way. So cryptocurrency gives you that
opportunity. So people always say to me, okay, so in that situation like I just described with Israel, Palestine, India, all these countries that are sort of brought into the fold. What, these are sort of state actors, surely? Now the problem with this argument and the problem that I think we have in cyber security generally is we're very fast to say they're a state actor, they're Russian, they're North Korean. The problem is with pursuing that sort of line of reasoning is that it does not line up with international law at all. Actually, under international law, the bar for holding somebody and saying Lisa is a Russian hacktivist or Hazel is a North... Well, we know Hazel is probably for working for
the North Koreans, but we'll leave that. Um, I don't want any drama, Hazel. Okay. None. Um,
>> I'm watching.
>> But in order to do that, the bar is actually really really really high. And this has been the case for a long time. So the one of the pivotal cases that discussed this, albeit not in the hacktivist um scenario, was the United States versus Nicaragua where the International Court of Justice were considering the question of whether or not the United States had illegally got involved in Nicaragua. And what the United States had been doing were they were funding a group within Nicaragua called the Contras. And they were essentially funding them, arming them. They flew people out to the United
States to train them. They did a load of stuff. And the ICJ actually said yes, the United States had violated international law by doing this. And they went on to talk about what it really takes for a group to be considered working for another country, which is what this was about. Funding isn't enough. So, let's say hypothetically, sorry to keep picking on you, Hazel, but let's just say hypothetically, Hazel's lovely new car was purchased by North Korea and North Korea funding everything she does. She's got a nice new house which is funded by North Korean regime. Um they give her tons of money for equipment. They give her tons of money for recruiting other people at BSides
that she travels to all the time. Um and that's what's been going on. That's not sufficient. That does not mean Hazel is in fact working for the North Koreans. In fact, actually, even if they give her equipment, even if they give her training, that's still not sufficient to say she is a state actor. Takes a lot more than that. So when we talk about these groups and we start attributing their actions to states, we do have to be quite careful because if we were to follow that through that would essentially mean that there were sort of nation state on nation state attacks which leads to a whole different discussion um outside of this. But I think one of the crucial things is
what does this actually mean for organizations? What does that mean for the companies you work for? And I think there are a couple of things here. The first one is we need to have geopolitics on our radars and on our threat models all the time, especially now. Things have perhaps never been more turbulent than they are in 2025. We have a certain leader of a certain country who makes decisions on a whim and affects the entire world. So, we have to have geopolitics on our radar when we're looking at our threat modeling. The second one is we have to be really ready to shift quickly. And an example of this happened a year and a
bit ago in France. President Macron made a statement about France's intention to stop providing arms to a certain Middle Eastern country. As a result, pro- activist groups who were against that decided within about an hour to take several French, big French companies' websites offline causing a lot of problems. And that came just from a political statement made by a president. So we have to be ready to shift that very quickly. And the third one is we have to understand that hacktivists have their strategy. We'll stick with Killnet for the moment. Killnet has their strategy, but what they actually do and how they carry it out might not be as logical as you and I might think it
would be when we're doing our threat modeling. So what I mean by that is if we look at pro-Russian hacktivists targeting, they have disproportionately targeted Baltic states. Estonia, Latvia, Lithuania have been hit incredibly hard. In comparison to the USA, which hasn't been hit as hard, but if we're looking at funding, if we're looking at who has put the most funding into Ukraine, it's not Latvia, Lithuania, and Estonia. It is the United States. But they haven't actually weighted their attacks depending on who's paying the most money, which is what you'd think in business strategy. And you see that as well with trivial things that can trigger them, like your CEO marries somebody from Israel and that's enough
or you're using a supplier or a vendor that's in a country that they don't like. So actually when you're looking at your exposure to hacktivist groups, it might not be as logical as you might initially think. So it's something to be very aware of. So the key issues that I want you to take away from this: one issue with hacktivism especially now is every single group needs to be bigger and better. There are tons of groups out there. If you look at the lists of the active ones, it's absolutely enormous list spanning the entire world. And so actually, everyone has to outdo each other, which means that it's always going to be open. It's always going to
be public. They're always going to make sure journalists know. There's going to be videos. There's going to be social media posts. It's going to go everywhere. They don't want this to be quiet. Ransomware groups at least have an initial drive, I suppose, to keep things a little bit quiet because they're hoping if they do so, you'll pay the ransom. Doesn't serve hacktivist groups. They want to make it public straight away. Hollywood-worthy disruption. The more disruption they can cause, the better. So if you haven't got plans and playbooks in place and you don't know how to fall over to something else, to some redundant process, more disruption which suits them better and ultimately they have really a lack of
consequence at the moment. Um and so they can justify whatever they do however they want. Uh and there's not an awful lot of consequence coming their way. So if you're going to take away anything from this for your organization, make sure you are feeding geopolitics into your threat models and you have an idea of how that might affect your company. If someone does something or says something, what's the effect it could have on you? And that may be through third party and supply chain management. It may be looking at where your key suppliers are located as well and their exposure to this. Making sure you have plans and playbooks developed, which are really key. And when you do this, lots
of people when they're thinking about their planning for an incident, they're looking at like if their personal data that they hold is leaked or whatever. My standpoint on this, especially with hacktivism, is look at your important business services. What does your company need to have up and running in order to do business? And then if those things were to be offline or those things were unavailable, what can you fall over to or how quickly do you need that process worked around? Develop playbooks for doing all those sorts of things and then obviously run exercises as well on that. And I'm not just talking tabletop exercises, I'm talking also running simulations, disaster recovery, testing your backups,
making sure you know how manual workarounds um operate as well because in my experience of doing this um you can document it all you like and the documentation makes an awful lot of sense and then when it happens for real something that you've missed out of the documentation doesn't work and the manual workaround doesn't work. Um, so making sure you actually test that is really, really important. But I hope you've enjoyed today's talk. Um, I know it was super uplifting after lunch. Um, if you have any questions, I will be caffeinating out there. So come and
>> Oh yes, if there are specific questions now, sure. If not, uh, I will be caffeinating myself. Um, quickly
just gives more excuse for you guys to have to run up and down the stairs. If we could get someone right at the very back after this.
>> Thank you very much for a brilliant presentation. It was great to hear the overview of the different hacktivist groups that you're observing. The one question I have for you is what is the key tactic that you're observing that these hacktivist groups are using and what can organizations do today to reduce the risk for them?
>> It's a really good question. I think it depends on industry. Um, like I said, most of the work I do is in uh European financial services. In that situation, largely actually data exfiltration with poison
data inserted into it, which brings you very much back into the ransomware world, right? Because it very much mimics a double extortion attack. So, actually, in some ways, an uplifting twist. Maybe it kind of aligns the two strategies together and we can kill two birds with one stone. Um I think it depends very heavily on, like I said, what you do. If you have um sort of a website that's absolutely critical then clearly that's what they're going to go after. They're relatively smart. So I think it is quite a difficult thing to do. But I think you need to look at the industry you're in and the assets you have and work and really think about if
you were a hacktivist, what would you take out? Because they're probably going to know the clinch points in your business as well. So if you're a university, as we stood in the university, it doesn't take a lot to work out that the crucial points for a university are going to be um applications, clearing etc etc. Those points in time are going to be the crucial times. So that's when you do it. So that's what I would say.
>> Any more questions? Well, thank you so much for coming down and giving us that speech.