US defense officials seeing ‘explosion’ of activity from so-called patriotic hackers
The U.S. government is seeing a major uptick in activity around the globe from people and organizations who are carrying out cyberattacks with the aim of helping their countries but are not working at the behest of governments, according to senior defense officials.
These digital fighters have been dubbed “patriotic hackers.”
“We’ve seen an explosion in patriotic hackers. We’ve seen it in the Russia-Ukraine crisis, we’ve seen it in China, we’ve seen DDoS [distributed denial of service] as kind of a tool of choice there. And certainly, we think … that’s going to continue,” a senior defense official told reporters during a Defense Writers Group meeting on Friday under the condition of anonymity.
Overall, there have been thousands of cyberattacks conducted during the Ukraine-Russia war by various parties. Since the Russian invasion last year, the United States and Ukraine have shared “thousands” of indicators of compromise (IOCs) so that they can be blocked, according to the official.
“This gets back to the patriotic hacktivist piece of this. You know, it’s not just the traditional intel services [that are involved in cyberattacks], it is these various other organizations that have materialized,” the official said.
The pro-Russia KillNet group is one example, they noted.
“They might coordinate on a social media site that says, you know, ‘Tomorrow we’re gonna attack Company X.’ And they will execute a denial-of-service attack against a series of either U.S. or European companies that they believe in some way, shape, or form might be contributing to the Ukraine war effort against Russia,” the senior U.S. defense official explained.
But pro-Russian hackers aren’t the only people conducting non-state-sponsored cyber ops.
“We’ve certainly seen Ukrainian patriotic groups, we have at times seen Chinese patriotic groups that will execute DDoS attacks and information operations,” the senior U.S. defense official said.
While some hacker groups are being directed by governments, others are not — a dynamic that can make attribution more challenging in the murky world of cyberspace.
“We have seen malicious cyber actors that work for country X, who will also moonlight as a ransomware actor … or they will steal data that they intend to use for their own personal profit — and that business has been going on forever. What is new is this sort of third leg where we see hacktivist organizations that will execute operations that appear to be in support of whatever government X is trying to accomplish — and attribution is always really, really difficult,” the U.S. defense official said. “Acting in the interest of vice acting at the direction of [a government], are two very different things.”
One factor fueling this trend is that there are low barriers to entry in cyberspace.
“There’s a lot of capabilities people can download off the internet. They can employ them, they can use them. And that’s part of our what we live through is how do we effectively build resilience … as people come on board,” another senior U.S. defense official told reporters at the Defense Writers Group meeting.
“It could be a nation-state that’s really well-resourced. It can be criminal actors. It could be people who are [just independently] inspired to take action and they can employ that. So that’s our job is to make sure one, which are the ones that actually present a threat to our national security and how do we actually pursue those foreign actors that are doing that? And then how do we make sure when we talk about our role of defending the DODIN … how do we make sure that we build in the right security and resilience in those networks so that that is protected against that?” the official added.
Some patriotic hackers aren’t very effective and they sometimes exaggerate their impact, the other senior defense official noted.
“A lot of times they don’t actually ever execute an operation. They just post something that said they did … But again, part of it is it’s an information war, right. And for them to get that information out and for them to get it amplified in Western media — it’s a victory for them even though they didn’t do anything, or what they did was actually, you know, subpar. You know it actually demonstrated a lack of capability vice a real capability,” the official said.
But just because some patriotic hackers aren’t potent doesn’t mean the overall trend should be ignored.
“We don’t have the luxury of not taking the threat from patriotic hackers seriously,” the senior defense official said.
The 2021 Colonial Pipeline incident is an example of how a non-state group or individuals can carry out a significant attack against the U.S. homeland, they noted, although that incident was a ransomware attack.
The U.S. is also concerned that patriotic hackers could start or escalate a crisis.
“Miscalculation is something that we’re always very, very concerned about,” the senior defense official said. “From a U.S. standpoint, you know, we try and execute specific, targeted, controlled cyber operations in order to defend the United States. Generally, patriotic hackers or hackers in general, or some other nation-states, don’t operate like that. And so we’re always worried that some patriotic hacker is going to execute an operation somewhere that causes some level of escalation that’s … not in the best interest of the United States, allies and partners,” the senior defense official told reporters.