Once dismissed as a relic of the early internet, hacktivism is making a dramatic return. Born in the mid-1990s as a form of online protest, its tactics were the weapon of choice for groups like Anonymous, who took aim at governments and corporations through website defacements and denial-of-service attacks.
Over time, improved cybersecurity measures and crackdowns pushed hacktivism to the fringes, leading many to believe it was a passing phase of digital activism and rebellion.
In the past three years, Google Threat Intelligence (GTIG) has observed the revival and intensification of threat activity from actors leveraging hacktivist tactics and techniques, fuelled by global conflicts such as the full-scale Russian invasion of Ukraine and the Israel-Hamas conflict.
Unlike earlier iterations, which largely focused on anti-establishment ideologies, a new cohort of hacktivist groups has targeted organizations worldwide to achieve geopolitical objectives. They employ a blend of cyber-attacks, information operations and even physical disruptions.
A subset of activity is further complicated by the involvement of state-backed actors, with governments leveraging hacktivist personas to obscure their operations. As hacktivism evolves, organizations must take proactive steps to understand and defend against it.
How Hacktivists Leverage Anonymity and Influence
Today’s hacktivism threat landscape differs from that which we have seen before in the combined scale of the activity and range of actors leveraging hacktivist tactics.
This likely reflects the versatility that hacktivist tactics present through their ability to offer anonymity while merging tools of influence with other forms of cyber threat activity.
While most hacktivist attacks have limited impact, we also see such tactics involved in massive disruptive attacks, compromising networks to leak information, conducting information operations and even tampering with physical world processes.
The actors we describe today as hacktivists blend technical expertise with strategic communication to manipulate public perception. They use personas to obfuscate their real identities and to promote otherwise covert activity and/or manipulate the narratives related to their claimed attacks.
The ability to operate under a veil of anonymity also enables state-sponsored actors to conduct attacks while maintaining plausible deniability.
For organizations, understanding these layered tactics is crucial. Hacktivists employ methods designed to erode trust, whether by leaking internal communications, defacing websites with propaganda or spreading false narratives that cast doubt on a company’s integrity.
The ability to detect and counteract these influence operations requires proactive monitoring of hacktivist messaging.
Organizations Far Removed from Geopolitical Flashpoints Are Still at Risk
It is important to not be complacent when it comes to the hacktivism threat because hacktivists do not limit their attacks to direct stakeholders in conflicts and other major geopolitical flash points.
Instead, they often target organizations with loose associations, such as ties by nationality, commercial relationships or perceived political allegiance. For example, pro-Russian hacktivist groups target not only Ukrainian entities but also organizations in allied and partner nations.
European countries that have offered support for Ukraine have regularly been targeted by various pro-Russia hacktivist groups that conduct retaliatory attacks – most often DDoS attacks.
Meanwhile, some groups conduct intentionally broad campaigns against targets potentially entirely removed from the geopolitical issue they claim to be responding to, with the intent to generate maximum attention for their related messaging vis-a-vis scale.
This broad targeting calculus allows hacktivists to increase their pool of potential victims. Claiming attacks against a larger volume of targets further increases the potential attention hacktivist groups receive for their messaging by exaggerating their impact. Actors can also select high-profile targets, such as prominent companies and organizations providing key services and infrastructure, to increase attention and prestige.
“Governments are leveraging hacktivist personas to advance geopolitical narratives under the guise of grassroots activism”
These tactics even serve less sophisticated actors, whose actual “successes” may otherwise be limited to targeting organizations with weak security postures, insecure public-facing servers or limited DDoS prevention capabilities.
Hacktivism as a Foreign Influence Tool
The resurgence of hacktivism has also renewed its strategic use by state-backed actors. Governments are leveraging hacktivist personas to advance geopolitical narratives under the guise of grassroots activism.
These “hacktivist cutouts” enable states to execute and advertise disruptive operations while maintaining plausible deniability. While the concept of using a hacktivist facade as a front for state-sponsored activity is at least a decade old, we have not previously observed the frequency, volume and intensity of overall hacktivist activity comparable to today.
For example, public sources have indicated nation-state sponsorship for hacktivist groups such as pro-Iran CyberAv3ngers, which the US government has linked to the Islamic Revolutionary Guard Corps (IRGC) and pro-Israel “Gonjeshke Darande” (Predatory Sparrow), which the Iranian government has attributed to Israel.
Russian-sponsored APT44 has meanwhile been observed fostering hacktivist collectives to amplify its strategic messaging, particularly in the wake of the invasion of Ukraine.
In some cases, hacktivist personas are cultivated over time, gaining credibility and influence before being deployed in high-profile operations. Distinguishing between independent hacktivist groups and state-sponsored actors remains a complex challenge.
Proactive Monitoring and Analysis Are Essential for Mitigation
As the scale and complexity of hacktivist activity grows, so too does the noise that organizations must filter through to identify genuine threats. Proactive monitoring of hacktivist activity is therefore key to understanding the motivations, messaging and tactics of hacktivist groups over time.
Tracking active campaigns can also enable defenders to identify early warning signs of potential targeting, then implement a rapid response plan to counteract disinformation or mitigate the impact of a disruptive attack.
The imperative for this is amplified by the fact that the tactics of hacktivism reward groups’ use of mistruths in their messaging. Google Threat Intelligence Group (GTIG) regularly observes hacktivists making exaggerated and/or false claims, almost certainly in an attempt to garner attention and support for their cause.
Analysis of historical claims can often help us assess the credibility of this emerging activity by providing insights into a hacktivist group’s reputation and capabilities.
The Future of Hacktivism
Hacktivism has evolved from an ideological movement into a multifaceted cyber threat with the potential for real-world consequences. As global conflicts and political tensions continue to drive cyber activism, businesses, governments and cybersecurity professionals must remain alert. The new wave of hacktivism necessitates a new level of vigilance.
