Hacktivism has been around for decades, from the likes of Anonymous to the state-backed groups operating in response to the Russo-Ukrainian conflict, and their goals have always been the same, while their motivations may vary.
Hacktivist groups aim to disrupt and misinform on a large scale, causing chaos for businesses, governments, and other organisations. Unlike a typical cybercrime outfit or ransomware group they are not motivated financially but politically and socially, and as an ally of major world powers and one of the biggest economies in the Southern Hemisphere, Australia has come under fire more and more.
These groups garner attention typically through breaches and data leaks, intending to cause chaos and spread misinformation by collating false leaks or misrepresented breaches. The ‘normal’ mode of operation for hacktivist groups is DDoS attacks and website defacement, which often brings less attention but fits their primary goal – disruption. The result is usually minor, but when it is reported, it gives the groups the attention they desire.
Within the past two years since the beginning of the conflict in Ukraine, hacktivist groups have slowly been increasing their capabilities. Several groups have been attributed to either be run by or closely aligned with major Advanced Persistent Threats (APTs) sponsored by foreign countries such as Russia or Iran. As a significant Western power and a close ally of NATO, Australia’s target level has risen as new conflicts have shaken the balance of the global community.
Pro-Russian hacktivists active on Telegram had their campaigns and moderators attributed to APT28 by Mandiant several months into the war in Ukraine (later in 2024 corrected as APT44 aka Sandworm Team).
These groups (including Xaknet Team, Cyber Army of Russia, and their subsequent revisions) led large-scale campaigns against Western targets, including Australian business and government entities. Within these campaigns against Australia, we observed ransomware and wiper malware, including CADDYWIPER, that are used by hacktivists to cause greater damage than the typical DDoS attack.
After the October 7th attacks escalated the Israel-Palestine conflict, dozens of groups operating out of the Middle East, Indonesia, and parts of Africa launched attacks against NATO members, allies, and Israel-aligned countries, again bringing Australia into the line of fire.
Cyber Toufan, another hacktivist outfit attributed by several researchers as linked to the Iranian military and government, conducted a series of attacks resulting in data breaches for several Australian companies – demonstrating another alarming increase in capability, now from many fronts.
As the capabilities of these loosely aligned groups have increased, their volume of attacks and penchant for information warfare have risen tenfold. Indonesian-language groups operating from a pro-Palestinian standpoint have maintained significant pressure on Australian organisations through alleged breaches alongside DDoS attacks and defacement.
A large number of breaches have been proven to be false, but not before causing widespread chaos and misinformation among the affiliates, suppliers, and customers of these organisations.
The need for situational awareness and the consumption of strategic intelligence is now undeniable more than ever. Australian businesses and organisations can benefit greatly from understanding their exposure on cybercrime forums, the dark net, and Telegram, as well as learning more about the threat landscape and how it is shaped by global events.
It is common to observe dark net monitoring in the market and credential monitoring positioned as an add-on to standard managed security services. We are challenging that positioning in the market. We believe a comprehensive monitoring solution is required. To address this, we have developed a platform that is baked into our MDR offerings to provide maximum value without the need for additional sub-services.
Australians have been directly impacted by new conflicts overseas, despite having no direct involvement, and have often been named in campaigns such as #OPAU and recent Russian state-backed groups’ declarations to target Australia. By procuring our MDR service, we include in the offering the tools needed to gain visibility on this kind of activity, with dark net monitoring, credential leak detection, and threat intelligence – seamlessly connected into our security-as-code architecture.
Jude Cubby
Senior Analyst
Tarian Cyber
