Which Hacker Groups Give Warning of Cyber Attacks?
We’ve previously considered media impact as a success criterion for hackers. This led us to report the most media-savvy hacktivists. In their respective ways, groups like the Syrian Electronic Army, An0nGhost, and RedHack excel at garnering attention for their causes.
In this post, we’ll show which of those hacker groups typically give warning of attacks versus those that prefer the element of surprise. We did this by measuring the number of references to future events that Recorded Future has collected in connection with each hacker group.
The above tweets were posted (November 9) three days prior to a coordinated cyber campaign (November 12) and related protests (November 22) at the Western Hemisphere Institute for Security Cooperation, formerly known as the US Army School of the Americas.
We measured data from the 350,000+ public web sources analyzed by Recorded Future to determine which hacker organizations forewarn action, such as Anonymous in the above example, and which typically give no warning of planned attacks. The results from a four and a half year period (Jan 1, 2009-July 31, 2013) can be seen below:
The above graphic lists groups with the greatest number of cyber attacks at the top and groups with the fewest at the bottom; groups with forewarned cyber attacks are in the left column, while groups with no history of forewarning attacks are on the right.
Hackers Giving Early Warning
Anonymous and its various regional affiliates are prominently represented in the results. They regularly recruit and publicly paint targets ahead of operations. We also find An0nGhost, a global collective not directly aligned with Anonymous but similar in its patterns of recruitment and promotion of operations and successes via social media.
The now well-known Al-Qassam Cyber Fighters warned of attacks during the early stages of its Operation Ababil campaign against banks and financial institutions through alternative channels such as Pastebin. Other groups such as the Tunisian Hacker Team achieved niche media attention ahead of attacks via announcements on their Facebook page, and the Afghan Cyber Army joined forces with different hackers ahead of broad, industry-focused campaigns such as OpPetrol.
The method of attack for this group of actors is predominantly DDoS, as the effect of such an attack is magnified by the volume of traffic hacktivists are able to aim at target websites.
The Secret Operations
Some of the most prominent and high impact hacktivist organizations in recent memory are those in the stealth group: Syrian Electronic Army (SEA), RedHack, Iranian Cyber Army, and the Honker Union. Interestingly, this set of actors uses a diverse set of tactics ranging from social engineering to website defacement to trojans used for cyberespionage.
Explicit indications of intent are less likely from organizations in this category. So, as threat intelligence analysts, what can we do to better assess risk from these groups? We’ve floated a few ideas on this blog, and hope you can suggest further action in the comments. A few thoughts on seeking less obvious signals of cyber attacks:
- Temporal patterns of hackers: We know some hacker groups act more frequently on particular days of the week. Think of the “hacker work week” that leads us to understand that the SEA typically acts on Mondays and Tuesdays. We also know that certain groups appear to coordinate their activity and targeting.
- Response to “physical” conflict: We know hackers co-opt political protests or conflict that typically start on the ground. Activity by groups such as RedHack and HighTech Brazil HackTeam bubbles up soon after the emergence of political dissent.
- Novel targeting: We know hackers will often test new methods on low visibility targets to establish viability of a particular method. Monitoring for changes in targeting, such as the SEA’s shift to hacking communication technologies, can expand awareness of potential threat surface area.
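As an added illustration (not Recorded Future's code or data), the following Python sketches the two measurements behind this post: sorting groups into a forewarning column and a no-forewarning column based on public references to future dates that precede an observed attack, and tallying attacks by weekday for the “hacker work week.” Group names are taken from the post; every record and date is constructed.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (illustration only, not observed data).
# Each tuple: (group, kind, published, referenced_date)
#   kind == "announce": a public statement naming a future date
#   kind == "attack":   an observed attack; referenced_date is the attack date
EVENTS = [
    ("Anonymous", "announce", date(2013, 11, 9),  date(2013, 11, 12)),
    ("Anonymous", "attack",   date(2013, 11, 12), date(2013, 11, 12)),
    ("An0nGhost", "announce", date(2013, 6, 10),  date(2013, 6, 20)),
    ("An0nGhost", "attack",   date(2013, 6, 20),  date(2013, 6, 20)),
    ("An0nGhost", "attack",   date(2013, 7, 2),   date(2013, 7, 2)),
    ("SEA",       "attack",   date(2013, 4, 22),  date(2013, 4, 22)),
    ("SEA",       "attack",   date(2013, 4, 23),  date(2013, 4, 23)),
    ("SEA",       "attack",   date(2013, 4, 29),  date(2013, 4, 29)),
    ("RedHack",   "attack",   date(2013, 6, 3),   date(2013, 6, 3)),
]

def forewarned_attacks(events, slack_days=2):
    """Per group: (attack count, attacks preceded by an announcement that was
    published before the attack and referenced a date within slack_days of it)."""
    announces = defaultdict(list)
    for group, kind, published, ref in events:
        if kind == "announce" and ref > published:   # keep true future references
            announces[group].append((published, ref))
    stats = {}
    for group, kind, published, ref in events:
        if kind != "attack":
            continue
        total, warned = stats.get(group, (0, 0))
        hit = any(pub < published and abs((r - published).days) <= slack_days
                  for pub, r in announces[group])
        stats[group] = (total + 1, warned + int(hit))
    return stats

def split_groups(events):
    """Left column: groups with at least one forewarned attack; right column:
    groups with none. Both columns sorted by attack count, descending."""
    stats = forewarned_attacks(events)
    ordered = sorted(stats, key=lambda g: stats[g][0], reverse=True)
    return ([g for g in ordered if stats[g][1] > 0],
            [g for g in ordered if stats[g][1] == 0])

def weekday_profile(events):
    """Attack counts per weekday for each group (the 'hacker work week')."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    profile = defaultdict(Counter)
    for group, kind, _, ref in events:
        if kind == "attack":
            profile[group][names[ref.weekday()]] += 1
    return dict(profile)
```

With real data the slack window and the announcement-to-attack matching would need tuning; the split here only shows the mechanics of the left/right classification.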
Final Thoughts and Monitoring
A significant question that remains after this analysis is: Why would hackers leak their targets or intentions?
One reason returns us to a previous subject: media attention is a win. Publicly coordinating a campaign on social media channels by churning out hashtags and content aimed at media organizations while simultaneously calling out high value targets results in alarm bells.
Alternatively, propaganda and threats against organizations are tactics for effecting change while also serving as recruitment for more complex operations or support in DDoS attacks. A final consideration is the potential impact of misinformation and deception in cyber campaigns.
We at Recorded Future provide tools and data that can help threat intelligence teams improve situational awareness and risk assessment. Leave us a note in the comments with your thoughts and experiences on monitoring explicit threats in open sources or surfacing threat signals that indicate elevated exposure to cyber attacks.