The line between a hacktivist and a state actor is an increasingly blurry one (Anonymous via wikimedia commons)
The line between a hacktivist and a state actor is an increasingly blurry one (Anonymous via wikimedia commons)

Even last century it was noted that, on the internet, no one knows you are a dog. Online groomers – and blackmailers – purport to be their victim's love interest. TalkTalk was convinced it was subjected to a state level attack, which turned out to be teenagers.

For many organisations, the big deception threat today is government hackers pretending to be concerned hacktivists, leading you to believe your adversary is an individual when it can actually be the cyber-arsenal of an adversary state.

ThreatConnect has come up with a word to describe those fraudsters employed by governments to pursue political objectives online while pretending to be public spirited individuals, calling them faketivists.

I don't know if the word will catch on, but the concept is readily understood.

It's the creation of a fictitious persona to emulate a hacktivist and act as a public-facing mouthpiece to provide plausible deniability and/or leak the information gleaned from advanced persistent threat (APT) operations.

Report author Toni Gidwani, director of research operations at ThreatConnect, says how what most surprised her in the Russian APT breach of the Democratic National Committee was the efforts to “weaponise” that information through a campaign of strategic leaks.

Toni Gidwani, director of research operations at ThreatConnect

She goes on to describe how Russia uses faketivists to complete this “one-two punch” of breaching and leaking by attempting to wear a hacktivist cloak. The fictitious personas and groups claim credit for APT operations and get purloined data into the public domain with a veneer of plausible legitimacy.

CyberCaliphate and CyberBerkut are faketivists FANCY BEAR has used in Europe, and Russia has used faketivists to manipulate public discourse in the run up to the US presidential election, including Guccifer 2.0, DCLeaks, and Anpoland says ThreatConnect.

These fake personas enable a state-sponsored group to maintain plausible deniability while also having the ability to control the terms and timing of stolen information being presented to the public via forums such as WikiLeaks, which are not under their direct control, but enable larger reach than they could achieve themselves.

In this edited extract below, Gidwani presents her findings, noting that the success of the method to date means that there's no reason for the adversary to stop, thus understanding the threat is necessary to defend against it:

In December 2014, a group calling itself the CyberCaliphate appeared out of nowhere claiming to support ISIS and publicly taking responsibility for cyber attacks against a variety of targets including the Twitter accounts of US news stations, U.S. Central Command, Newsweek, as well as the breach of the Warsaw Stock Exchange. The group's most high-profile attack claim came in April 2015 when it took responsibility for commandeering French TV station TV5Monde's programming, social media accounts, and website. Some media outlets linked the group to a British hacker who went to Syria to support the Islamic State, but there is no evidence to suggest that the group was affiliated with ISIS when it first appeared online.

Analysis of the TV5Monde compromise revealed the station's networks were compromised by FANCY BEAR prior to the CyberCaliphate's claimed takeover of the TV station's digital presence. Moreover, FireEye assessed CyberCaliphate was being used as a cover for FANCY BEAR operations. At the time, the CyberCaliphate website was used to publicise information related to the TV5Monde attack was hosted on an IP block that also hosted known FANCY BEAR infrastructure. CyberCaliphate's site also used the same name server and registrar as previously identified FANCY BEAR domains, further evidence of their atypical behaviour and background.

Although the name CyberCaliphate is now in use by hacktivists likely supportive of the Islamic State, this usage did not occur until late 2015 or early 2016, and coincided with a change in language use and infrastructure.

CyberBerkut: Targeting the German parliament, a Ukrainian election and Bellingcat

CyberBerkut claims to be a pro-Russia Ukrainian hacktivist group that is distinctly anti-Kyiv. The group's name references the now disbanded Ukrainian riot police, the Berkut. CyberBerkut emerged in late 2013 and has claimed responsibility for several high-profile cyber-attacks against the German parliament, the Ukrainian Central Election Commission (CEC), and Bellingcat. The cyber-attack against the Ukrainian CEC risked discrediting the results of the country's 2014 presidential election. Ukrainian CERT ultimately discovered FANCY BEAR malware on the CEC servers that CyberBerkut claimed to have hacked.

Also, many of the leaks on CyberBerkut's site are intended to publicly denigrate individuals or organisations that have negatively affected Russia's public image or are otherwise involved with issues of geopolitical importance to Russia. ThreatConnect researched CyberBerkut's activity against Bellingcat and identified potential overlaps with FANCY BEAR targeting and spear phishing operations in its Belling the Bear post. CyberBerkut's targeting focus is consistent with Russian interests and the group claimed responsibility for operations targeting entities also targeted by FANCY BEAR. This suggests CyberBerkut's motivation and purpose are more consistent with a Russia-backed faketivist seeking to affect public opinion in Ukraine.

Hacking the U.S. election

When news of the DNC breach broke in June 2016 Guccifer 2.0 emerged out of thin air and started publishing documents, showing ThreatConnect DCLeaks, and in October Anpoland got in on the action.  The stolen data published by faketivists was most likely intended to manipulate public discourse, weaken the Clinton campaign in particular, and cast doubt on the legitimacy of U.S. political processes and leaders.

Guccifer 2.0: The DNC compromise

Guccifer 2.0 emerged in June 2016 to claim responsibility for the DNC compromise, shortly after Crowdstrike publicly attributed the DNC compromise to two Russian APT groups (COZY and FANCY BEAR). The persona even went so far as to chastise Crowdstrike for attributing the activity to state-sponsored actors in the first place. Read the report here.

The persona, who claimed to be a Romanian hacktivist, released documents stolen from the DNC, corresponded with journalists and media outlets, and published an FAQ about himself. While each of these actions appear intended to build Guccifer 2.0's credibility and validate the persona's claims, evidence linking the actor to Russia-based infrastructure and VPN services and inconsistencies in the actor's behaviour and message over time resulted in the opposite.

Unlike most independent hackers and hacktivists, there is no indication Guccifer 2.0 existed online in any way, shape, or form prior to June 2016. In addition, as discussed in the blog Guccifer 2.0: the Man, the Myth, the Legend?, the actor's explanation regarding how the DNC was compromised does not align with reality. As a further indication of suspect motivation, the Guccifer 2.0 persona has only claimed responsibility for cyber-attacks attributed to Russian state-sponsored APT groups.

DCLeaks: Data publications and connections to Guccifer 2.0

DCLeaks is a website that claims to be a “new level project” launched by “American hacktivists” whose purpose is “to find out and tell you the truth about the US decision-making process as well as about the key elements of American political life.”  The start of authority (SOA) records and the initial name server for the DCLeaks website are consistent with previously observed and identified FANCY BEAR infrastructure. As discussed in the post Does a Bear Leak in the Woods?  Guccifer 2.0 pointed journalists at The Smoking Gun (TSG) to exclusive, password protected content on DCLeaks. This suggests Guccifer 2.0 is involved with the leadership of the site.

In addition to the infrastructure and Guccifer 2.0 consistencies, DCLeaks appeared out of nowhere in April 2016 — shortly after Secureworks identified FANCY BEAR activity targeting the Clinton campaign — and contains profiles for Clinton campaign staffers. Based on these findings and the group's misleading purpose and motivation, we assess that DCLeaks likely is another Russian influence operation, potentially linked to the same people responsible for the Russian Guccifer 2.0 persona.

Anpoland: Focusing on the Olympics, Ukraine, NATO, the US election…but not Poland

Anpoland jumped on the faketivism radar on August 12, 2016 when hackread.com reported files from the World Anti-Doping Agency (WADA) and Court of Arbitration for Sport (CAS) had been hacked and leaked by Anpoland, a group claiming to be an offshoot of Anonymous. Anpoland's Twitter account was established in April 2010, but remained largely inactive until July 2016 when it began posting leaked documents from the Ukrainian Ministry of Internal Affairs. These posts were inconsistent with posts from the legitimate Anonymous Poland organisation.

ThreatConnect originally assessed FANCY BEAR conducted the WADA and CAS attacks based on consistencies with domain registration tactics, but were unable to tie Anpoland to FANCY BEAR with any confidence. Since then, however, additional posts and leaks from the Anpoland Twitter account suggest it is another faketivist mouthpiece. On October 29th, Anpoland began posting documents purportedly from the Bradley Foundation and tweeting anti-Clinton statements suggesting corruption. Some of the Bradley Foundation documents have been assessed to be doctored or fictitious. These leaks underscored that Anpoland's behaviors and motivations are not consistent with Polish hacktivists and were more in line with the messages that other Russian faketivists were seeking to propagate.

What about WikiLeaks?

Russia built a range of dissemination channels to get leaked documents into the public domain: Guccifer 2.0's WordPress site, journalists with whom Guccifer 2.0 communicated directly, and DCLeaks. Yet, the material released through these channels didn't drive headlines.

The two highest impact events were the release of DNC emails emails leading to the resignation of Chairwoman Debbie Wasserman Schultz in July and the release of the John Podesta emails in October. That material was published by WikiLeaks. While not under the control of any state-sponsored actor, ThreatConnect assesses that WikiLeaks in effect serves as a “faketivism facilitator” that provides a viable outlet for state-sponsored actors looking to leak information. State-sponsored actors can provide WikiLeaks a subset of the information they've stolen through cyber-operations that supports a desired narrative. In this case, Guccifer 2.0 complained in his interactions with journalists that WikiLeaks was taking too long to share the documents provided and claimed credit as the source of the July DNC WikiLeaks dump. Compared to a home-grown and controlled faketivist, WikiLeaks has a much wider audience: 4.1 million Twitter followers compared to 44.5k for Guccifer 2.0 and 12.2k for DCLeaks.  

Learning to spot a wolf in hacktivist clothing


Faketivists use similar slogans, imagery, and mantras compared to hacktivists. They also attempt to exploit the decentralised nature of hacktivist groups to explain away their lack of backstory and muddy the attribution debate. Hacktivists tend to come together to conduct an operation because they frequent the same hacker forums and communication channels, although the coalition of individual participants can vary from operation to operation. In addition to comradery, those forums also promote the diffusion of tactics, techniques, and procedures across different hacktivists.

The combination of social cause and decentralisation make faketivism attractive. However, they display distinct differences from real hacktivists in four pivotal areas – motivation, purpose, leadership, and behaviour.

Conclusion: This is going to continue

Changing the adversary's cost-benefit calculation for undertaking this type of activity is fundamentally a geopolitical concern, not a technical one. ThreatConnect's view is that  faketivism will continue because it offers a lot of advantages from the adversary's perspective:

·   Even if faketivist efforts weren't decisive, the election outcome was consistent with their desired end state and (as far as we can tell) has not resulted in harsh blowback

·   Faketivists are a low cost way to pollute the information environment

·   Faketivist personas don't have to be perfect, they can just be “good enough”

What we've seen unfold in the U.S. in 2016 could serve as a playbook for meddling in other elections. Looking ahead, the electoral calendar in Europe offers some tempting targets and the German government is already concerned about Russian attempts to manipulate their 2017 elections.

It's not enough to assume there are faketivists around every corner. ThreatConnect offers this framework to help identify differences between faketivists and the hacktivists they seek to imitate. This dynamic also has significant implications for cyber-security professionals as the motivations, capabilities, and the goals of the two groups' operations vary significantly.

An organisation that discovers that it has drawn the ire of a hacktivist because of perceived slights that contradict the hacktivist's ideals may have to deal with one-off opportunistic website defacements or denial of service operations. An organisation that is involved with a notable geopolitical issue and discovers it is dealing with a faketivist will instead have to deal with an APT's arsenal, capabilities, and persistence. Knowing and understanding the differences between these and other threat actor types can provide the necessary strategic intelligence that cybersecurity professionals can leverage when putting defensive measures in place.