Full Report
Forescout Technologies Inc. analyzed 780 hacktivist attacks in 2024, claimed by four groups active on opposing sides of the...
Source: "Forescout reports rise of state-sponsored hacktivism, as geopolitics rewrites cyber threat landscape", Industrial Cyber.
Analysis Summary
# Threat Actor: Hacktivist Groups (General Trend Analysis)
## Attribution & Identity
The article summarizes activity from four specific hacktivist groups active during 2024: **BlackJack**, **Handala Group**, **Indian Cyber Force**, and **NoName057(16)**, operating across the Russia-Ukraine and Israel-Palestine conflicts.
The analysis also identifies state-linked groups:
* **CyberAv3ngers:** Believed to be affiliated with the Iranian military.
* **Cyber Army of Russia:** Linked to **Sandworm** (a unit of the Russian GRU).
* **Predatory Sparrow:** Believed by many to be linked to Israel, claiming to oppose the Iranian regime.
* **Karma Power** and **The Malek Team:** Iranian groups targeting Israeli infrastructure, suspected of ties to Iran’s Ministry of Intelligence or the IRGC.
The overarching theme is the blurring line between independent hacktivism and **state-sponsored cyber operations**, offering nation-states plausible deniability.
## Activity Summary
Forescout analyzed 780 hacktivist attacks in 2024. Hacktivism has surged since the escalations of the Russia-Ukraine and Israel-Palestine conflicts. A key activity trend observed is the targeting of **Operational Technology (OT)** and **Industrial Control Systems (ICS)**, with at least 36 such attacks noted between November 2023 and April 2024, primarily targeting water utilities, healthcare, energy, and manufacturing. While DDoS remains the primary method, groups are adopting more sophisticated and destructive methods like ransomware and disruption-focused attacks.
## Tactics, Techniques & Procedures
- Distributed Denial of Service (DDoS) attacks on websites (Primary method).
- Website defacements.
- Data leaks.
- Adoption of more sophisticated methods, including ransomware and targeted disruption of critical systems (emerging trend).
- Low barrier to entry due to tool accessibility.
- *MITRE ATT&CK IDs were not mentioned for specific groups; the TTPs listed map mainly to the Impact tactic, e.g. Network Denial of Service (T1498), Defacement (T1491) and Data Encrypted for Impact (T1486), with data leaks falling under Exfiltration.*
## Targeting
- **Sectors:** Critical infrastructure, Government, Military, Transportation and Logistics (over one-fifth of attacks), Financial Services, Telecommunications, Energy, Manufacturing, Water Utilities, and Healthcare.
- **Geography:** Global, with specific mention of attacks targeting U.S. OT/ICS environments.
- **Victims:** U.S. water and wastewater facilities, general critical infrastructure installations.
## Tools & Infrastructure
- **Malware families used:** No specific malware families are named; ransomware is noted as an emerging tactic.
- **Infrastructure (C2, domains, IPs):** No C2 infrastructure, domains, or IP addresses are provided for this umbrella summary.
## Implications
Hacktivism is evolving into a strategic tool of hybrid warfare, used by nation-states for espionage, disinformation, and critical infrastructure attacks. This trend provides nation-states with **plausible deniability** and makes attribution extremely difficult due to the collaboration between independent activists, state-backed groups, and faketivists. Hacktivist campaigns are increasingly significant in **information warfare** aimed at shaping public perception and eroding trust in institutions.
## Mitigations
- Harden IoT and OT security by patching vulnerabilities and changing default passwords.
- Avoid directly exposing IoT and OT devices to the internet; use secure remote access practices (per CISA guidelines).
- Implement robust **network segmentation** to isolate IT, IoT, and OT networks, preventing lateral movement.
- Enhance **monitoring and threat detection** (especially network traffic) to identify anomalies indicative of botnet co-option or DDoS preparation.
- Conduct regular stress testing for preparedness.
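The segmentation and monitoring items above, as an added example that is not from the report or from Forescout: a Python flow-log check over constructed sample records that flags the conditions those mitigations target, namely an ICS service reachable from outside the internal address space, an IT host crossing into the OT segment, an OT device initiating outbound connections, and one host opening a burst of flows to a single external host:port (the pattern of a device co-opted into a DDoS). The address plan (10.20.0.0/16 as the OT segment, 10.30.0.0/24 as the approved remote-access subnet), the thresholds and the sample flows are assumptions; the documentation ranges 192.0.2.x, 198.51.100.x and 203.0.113.x stand in for internet hosts.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed address plan (hypothetical, not from the report)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NETS = [ipaddress.ip_network("10.20.0.0/16")]          # OT/ICS segment
OT_ACCESS_NETS = [ipaddress.ip_network("10.30.0.0/24")]   # hardened remote-access/DMZ subnet allowed into OT
# Well-known ICS protocol ports, used only to label exposure alerts
OT_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA", 20000: "DNP3", 44818: "EtherNet/IP"}


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def analyze_flows(flows, burst_threshold=20, window_seconds=60):
    """Return deduplicated alerts for flow records (ts, src, dst, dport, proto).

    Alert kinds:
      exposed_ot_service     - a non-internal source reached an OT host (device is internet-exposed)
      segmentation_violation - an internal host outside the approved access subnet reached OT
      ot_egress_to_internet  - an OT host initiated a connection to a non-internal address
      ddos_burst             - one internal host opened >= burst_threshold flows to one
                               external host:port within window_seconds (possible DDoS participation)
    """
    alerts, seen = [], set()
    windows = defaultdict(list)  # (src, dst, dport) -> timestamps of recent external flows

    def emit(kind, src, dst, dport, detail):
        key = (kind, src, dst, dport)
        if key not in seen:          # one alert per (kind, src, dst, dport)
            seen.add(key)
            alerts.append((kind, src, dst, dport, detail))

    for ts, src, dst, dport, proto in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_ot, dst_ot = in_nets(s, OT_NETS), in_nets(d, OT_NETS)
        src_internal, dst_internal = in_nets(s, INTERNAL_NETS), in_nets(d, INTERNAL_NETS)

        if dst_ot and not src_ot:
            label = OT_PORTS.get(dport, f"{proto}/{dport}")
            if not src_internal:
                emit("exposed_ot_service", src, dst, dport, f"{label} reachable from outside")
            elif not in_nets(s, OT_ACCESS_NETS):
                emit("segmentation_violation", src, dst, dport, f"{label} from non-approved internal host")

        if src_ot and not dst_internal:
            emit("ot_egress_to_internet", src, dst, dport, "OT host initiating outbound connection")

        if src_internal and not dst_internal:
            key = (src, dst, dport)
            t = datetime.fromisoformat(ts)
            cutoff = t - timedelta(seconds=window_seconds)
            windows[key] = recent = [x for x in windows[key] if x >= cutoff] + [t]
            if len(recent) >= burst_threshold:
                emit("ddos_burst", src, dst, dport, f"{len(recent)} flows in {window_seconds}s")
    return alerts


def build_sample_flows():
    """Constructed flow records (not real data)."""
    flows = [
        ("2024-06-01T10:00:00", "10.20.1.5", "10.20.1.10", 502, "tcp"),    # HMI polling PLC inside OT: expected
        ("2024-06-01T10:00:05", "10.30.0.5", "10.20.1.5", 4840, "tcp"),    # approved jump host to OPC UA: expected
        ("2024-06-01T10:00:10", "10.10.7.3", "10.20.1.5", 502, "tcp"),     # IT workstation to PLC: segmentation gap
        ("2024-06-01T10:00:15", "203.0.113.9", "10.20.1.5", 502, "tcp"),   # internet source to PLC: exposed device
        ("2024-06-01T10:00:20", "10.10.7.3", "198.51.100.4", 443, "tcp"),  # IT host browsing: not flagged
        ("2024-06-01T10:01:00", "10.20.1.7", "198.51.100.4", 443, "tcp"),  # OT device calling out: possible C2 check-in
    ]
    # 25 flows in 48 seconds from one OT host to one external web server: DDoS-participation pattern
    start = datetime.fromisoformat("2024-06-01T10:05:00")
    for i in range(25):
        ts = (start + timedelta(seconds=2 * i)).isoformat()
        flows.append((ts, "10.20.1.7", "192.0.2.55", 80, "tcp"))
    return flows


def summarize(flows):
    """Count alerts by kind, e.g. to feed a dashboard or a ticket threshold."""
    return Counter(kind for kind, *_ in analyze_flows(flows))


if __name__ == "__main__":
    for alert in analyze_flows(build_sample_flows()):
        print(alert)
```

In production the records would come from NetFlow/IPFIX or firewall logs and the OT/access subnets from the asset inventory; the approved-access list is the control that turns "avoid exposing OT directly" and "segment IT from OT" into something the monitoring can actually check, and the burst rule is deliberately coarse (tune `burst_threshold` and `window_seconds` against a baseline before alerting on it).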