London internet attack highlights confusing hacktivism movement

A hacktivist group calling itself Anonymous Sudan claimed credit last week for an apparently unsuccessful attack on the London Internet Exchange, or LINX, attributing the action to Britain’s support of Israel. According to a tweet from OSINT research entity CyberKnow, LINX remained operational throughout, and the Anonymous Sudan group “provided less evidence than usual” for its claims.

The group said the prompt for the attack was the recent airstrikes conducted against Iranian-backed Houthi rebels in Yemen, who have used drones and missiles to attack shipping off the coast of that country. “We expected this to be too good of an opportunity for [Anonymous] Sudan not to try and market themselves,” CyberKnow wrote.

Who is Anonymous Sudan?

Reports from cybersecurity companies indicate that Anonymous Sudan may not be a purely ideological anti-Zionist organization. One such report, from Cloudflare, said that the group has been linked to KillNet, a notorious pro-Russian hacking group. Anonymous Sudan has also been known to issue communications in Russian, and its attack infrastructure suggests that the group either originates from that country or is supported by its citizens. The US Department of Health and Human Services’ Office of Information Security (OIS) describes KillNet as a hacktivist group that has been actively performing DDoS attacks against Ukraine and countries that support it since January 2022.

“Although KillNet’s ties to official Russian government organizations such as the Russian Federal Security Service (FSB) or the Russian Foreign Intelligence Service (SVR) are unconfirmed, the group should be considered a threat to government and critical infrastructure organizations including healthcare,” the OIS report said.

The confusing nature of Anonymous Sudan’s roots – and the murky nature of the most recent attack – is not a surprise, according to experts, who said that the entire hacktivism movement is riddled with misinformation and misdirection. Frank Dickson, group vice president for security and trust at IDC, said that even validating the attribution of some hacktivist activity can be difficult.

Attributing hacktivist attacks tough

“When you talk to the folks that are good at this, the first thing they’ll tell you is that valid attribution is really tough,” Dickson said. “Especially because DDoS is a volumetric attack. Could it have been this group? Sure. Could it have been anyone else? Absolutely.”

Moreover, according to Professor Stuart Madnick of MIT, DDoS and the other types of attacks used in hacktivism (most notably wiper attacks, in which compromised systems are simply wiped of all their data) are a “blunt weapon.” They are often hard to track even with access to the technical details of a given attack. “If you launch a missile, with the technologies and satellites we have today, we can pretty well tell where the missile was launched from,” said Madnick. “If you launch a cyberattack, if you do a little bit of homework … no one knows where it came from.”

In one case, Madnick recalled, a Russian cyber group compromised an Iranian facility and launched a cyberattack from there, meaning that the evidence pointed back to the Iranian government, not Russia. “If you think you know who the attack came from, most likely you’re wrong,” he said. “Because a really good attacker will leave all the evidence pointing in a different direction.”

For the rank and file of businesses, staying secure means understanding their risk levels and maintaining defense in depth. “Because hacktivism has its roots in not just protecting yourself from a [cybersecurity] perspective, but from a geopolitical perspective as well, the first thing is just to be aware that someone is upset at you,” said Dickson, noting that larger organizations, and those more intimately involved with national infrastructure, are more likely targets.

Defense in depth key to limiting damage from hacktivism attacks

Madnick said that many of the most damaging cyberattacks in recent years were as severe as they were because of poor security architecture and misconfiguration – not necessarily because of the skill of the attackers. Defense in depth, ensuring that every system is hardened against attack rather than relying on a single perimeter, is key to limiting the damage when one system is compromised.

“We’ve done a number of studies of relatively sizeable cyberattacks,” he said. “And the thing we found is that … in most cases, there’s over a dozen things wrong,” not just one or two.
