
Hey everybody. Um, thanks for coming today. My name is Irene Hamid and I'm a cyber threat intelligence analyst at the NCFTA. It is called the National Cyber Forensics Training Alliance. The goal is to create any like gaps in the intelligence sharing industry. We're trying to bridge those gaps between law enforcement and private sector. Today my talk is about hacktivism as a service. Does anyone want to guess what that is?
>> What?
>> Getting paid to hack things.
>> Yeah. Um, so we're going to go over that today. Um, so today we're going to go over how hacktivism as a service has kind of evolved from an ideology or political motivation into a service-based model. We'll look at origins, blurry ethical lines, modern case studies, and groups like Dark Storm, which I've been personally working with, and how defenders should think about this emerging threat.
>> So, hacktivism is an ideology-driven form of cyber security, of cyber activity. It's been called a digital picket line, but the methods crossed into territory that's ethically gray, sometimes even black hat. While groups like Anonymous, the OG group, brought hacktivism into the mainstream with operations framed around social justice, the reality is now becoming more complex. At its core, hacktivism is about drawing attention, sometimes to real causes, sometimes to trending issues, and nowadays to the highest bidder.
It's morally gray and sits between activism and cyber crime. The goal is to generate attention, disruption, and narrative amplification.
So these days, hacktivism is morphing into something that's entrepreneurial. Instead of acting purely on ideology, some groups began offering their disruptive capabilities as a service. It blends attacks on our political, others for publicity and nowadays going to the highest bidder. The ethical gray zone is getting even murkier, um, because now they're attacking legitimate businesses, and not because of activism but because somebody paid for it.
There's an ethical spectrum that still exists. So a few years ago we saw ransomware groups would kick people out of their organization if they attacked a hospital. So far what we've been tracking is that they have not been attacking hospitals. So they are trying to be a little bit more ethical, and the goal is activism, protest, disruption for a cause.
So hacktivism has lived in the gray area between protest and crime. But as the tools get sold rather than ideologically deployed, the moral framing becomes marketing. Some groups still claim boundaries, but the collateral damage is real. Data leaks, for example, can expose deeply sensitive information. So, for example, last year I received a letter in the mail that the organ donation site had been leaked. As an organ recipient, that's like really harmful because as humans, we have biases. And one of the things is for organ donations, you have to keep everything recipient and donor anonymized. Because say for instance, I'm a bigot and I want to accept somebody's organ just because of their race. So when these attacks happen, it affects the public mistrust of that organization. What we're seeing is gray hat alignment with black hat outcomes. So real world harm, business interruption, reputational damage and data exposure.
So hacktivism as a service isn't new, but what's new is how it's packaged. Defacement, DoS, doxing, leaks. These used to be operations tied to strong messaging. Now they are offered as purchasable components and it's effectively a menu: disruption that anyone can order. So, what I've been seeing with my work on Dark Storm is I'll go on their Twitter, and mind you, whenever they feel like they're about to get caught, um, they switch up their names. Um, but on their Twitter menu, they have the DoS attacks, and for like a month, it's $500; for a week it's 150. Based on their like linguistic pattern, it appears that they are foreign operators and we've been communicating with them via Telegram. Other ways groups do hacktivism techniques is website defacement, doxing and data leaks.
So, I mentioned how I've been working on tracking Dark Storm. The reason this came up was because in the late spring of this year, we noticed a retailer, two financial institutions were attacked and based on what they found, it was Dark Storm. Dark Storm appeared after the Israel Gaza conflict and quickly adopted tactics similar to the Russian hacktivist group Killnet. Through our research, we found that they have like mirroring tactics. They collaborate. The messaging is overtly political. So, one of the retailers that was attacked had a big push for anti-DEI rollbacks. Could that be cause for them to attack us? Um, so like, I... They offer packages priced by duration, add-ons like data dumps. So if they are successful at, you know, attacking someone and they're able to extract data, they ask for an additional $50 to give us access to the data dump. They also have high-profile hits like JFK and LAX airports. Also, there was a power outage in Europe earlier this year and they claimed it was them, but when we investigated further it was not them. So their messaging is a little bit erratic and taking credit for things that they didn't do.
This is a representation of merging activism and cyber crime into a gig model economy. It's a hybrid motivation for political messaging and hire for pay model. We don't have any like attribution as to who the person is or who the foreign operator is other than it is a foreign operator based on the linguistic patterns.
Hacktivism as a service is thriving because it's cheap, accessible, and emotionally charged. Buyers can outsource disruption without technical skill. Vendors get paid while still claiming, you know, justification, legitimacy, and where we are in an ever polarizing world. So, whenever something's disrupted, it gets attention. Their cause becomes a shield for criminal behavior and the sellers profit financially as well as what they're trying to protest against. And it's a low barrier to entry for buyers.
So I'm like a disgruntled employee or an ex employee. I can go hire someone for 200 bucks to One of the companies that I used to work for
So the defense for hacktivism as a service requires a layered approach. The mitigation techniques are AI-driven anomaly detection, real-time monitoring, stronger encryption, cyber security training, and MFA. Something that I've noticed and also that I would encourage organizations to do is creating a threat knowledge base where you have the threat actors that you've been seeing, their TTPs, their behavioral patterns, and just monitoring on that.
So, we're entering a phase where activism, cyber crime, and influence operations converge. As tooling gets cheaper and more automated, more people will turn to hacktivism as a service for their justification, political or malicious purposes. And defenders need to treat hacktivism as a service as a technical threat and narrative weapon. We are predicting that with automation and AI, it will lower the barrier for people to do this and attribution will become harder and activism will continue to blend with cyber crime and cyber mercenary models. Thank you.