A New Era of Hacktivism Is Here

We have seen a notable increase in hacktivism over the last two years as a result of continuous wars and geopolitical disputes across the globe. Since the start of the conflict against Ukraine, there has been a noticeable mobilization of both state-sponsored and non-state actors, who are either forming new groups or joining already-existing hacker collectives.

Hacktivism is defined as computer hacking carried out in support of political or social activism. Hacktivism comprises activities that use hacking techniques to disrupt but not do substantial harm. Activism refers to a typical, non-disruptive use of the Internet to support a certain cause (online petitions, fundraising, and activity coordination).

Cyberterrorism is the term used to describe cyber operations that have the willingness or intent to cause physical property damage, significant economic injury, or human casualties. The distinctions between participating in hostilities causing significant hurt and damage and carrying out cyber operations under the banner of hacktivism are getting increasingly hazy. Conflicts and warfare are still going on, making cyberspace more chaotic than before. There's a very thin line separating the physical (war) and cyber (hacktivism) battlefields as they become more equal. In the words of Professor Athina Karatzogianni and Dr. Vasileios Karagiannopoulos:

“Today's events demonstrate that hacktivism has gained traction and is now an essential component of political disputes, even those that result in violent altercations between states, pushing the virtual boundaries of sensationalist, symbolic hacks, vigilantism, cyber espionage, and even cyber warfare.”

In 2023, we started monitoring a few of the most prominent hacktivist organizations. Visibility is one element that has contributed to the increasing transparency of current hacktivism activity. We can now subscribe to and follow the communication channels used by hacktivists. Hacktivists exploit the popular chat app Telegram for their purposes.

The capacity of abusers to return with a new username, channel name, or account and carry on as usual is a problem that many digital service providers face, despite Telegram's best efforts to combat unwanted activities on its network. Telegram suspended Anonymous Sudan's main channel in September of last year, most likely due to the group's usage of bots rather than their involvement in different cyberattacks. In response to this action, the group said the following:

 

They made another channel and carried on with their operations. And many other operations that disguised themselves as hacktivism did the same. Hacktivists target both government and private institutions, and as we have seen, these groups are capable of bringing down even the largest national or worldwide websites. While some hacktivist groups are quite vocal about their skills and influence, using language and narrative that is out of proportion to their real action (and impact), others have established powerful DDoS capabilities.

In an already stressful and complex geopolitical setting, the outcome in both situations is Fear, Uncertainty, and Doubt (FUD), or the amplification of anxiety, distrust, and discord. This kind of false information is representative of an ongoing shift toward "cognitive" attacks, which aim to manipulate perception using technological means. The influence is more on how the attacks alter society's perception, discourse, and policy than it is on the disruptive power of the attack or the value of the data or systems that could be impacted.

Hacktivist Activity in 2023

The war against Ukraine was the primary source of the majority of the hacktivism activity that was noticed during the first three quarters of 2023 (n=4016), with Europe being the most affected geographically. We saw how pro-Russian hacktivist organizations consistently presented attacks against "the West" as a shared narrative. As a result, we started keeping an eye on a few of the most active pro-Russian hacktivist groups.

Sweden, Poland, and Ukraine were the nations most affected by pro-Russian hacktivist activities. We observed the largest amount of hacktivism activity in February 2023. This is consistent with the formation, at the end of January 2023, of the hacktivist collective Anonymous Sudan, which initially focused mostly on the Nordic nations before spreading to other parts of the globe.

 

It is easy to understand the focus on Ukraine as the application of hacktivism as a weapon in the conflict with Russia. Poland was the second most affected nation, which makes sense given its proximity to the conflict. Since the start of 2022, Sweden has been the nation most affected. But Sweden didn't show up in our data until March 2023, during which time Sweden and Denmark were aggressively targeted by the hacktivist group Anonymous Sudan.

How Well-Coordinated on Politics Are These Groups?

In 2023, two pro-Russian hacktivist groups—NoName057(16) and Anonymous Sudan—affected both the public and private sectors. Threat actor Anonymous Sudan is incredibly erratic. Our observations show they have targeted victims globally, often changing their stated intentions and justifications. The group has demonstrated that, despite their seeming identity issue, they are technically competent in drawing attention to themselves. Nevertheless, despite their high level of action in 2023, their claims frequently outweigh the actual impact of their attacks. Ultimately, their survival depends on the attention they receive from the media and the general public. NoName057(16) is the other hacktivist group that we have been keeping an eye on in 2023.

Targeting both nations that are thought to be at odds with Russian interests and those that are members of NATO, NoName057(16) has been active since the start of the war against Ukraine. Based on our analysis of the publicly accessible Telegram conversations on the English-speaking channel of NoName057(16) Eng, we conclude that the organization has a direct and particular effect on nations that are aiding Ukraine in the current conflict.

Political Hacktivism as a 'Proportionate' Response

We can connect NoName057(16)'s attacks against the particular countries offering the promised support by using an external dataset that compiles official announcements of countries pledging to support Ukraine.

We use the Kiel Institute for the World Economy's (KIWE) Ukraine support tracker database, which is updated regularly. As of this writing, the institution has been documenting government-to-government (bilateral) promises made to Ukraine by at least 40 different governments since January 24, 2022.

According to the Ukraine support tracker, US aid to Ukraine has been the greatest. In actuality, they have given Ukraine more support than all of the EU combined, despite not having finished the job yet.

Interestingly, a study released accompanying the Ukraine aid tracker database notes that, in addition to the verified aid sent by the individual nations mentioned, the total amount of support delivered to Ukraine may be more than that of previous wars in history. According to the paper:

“The results show that governments in Europe did announce very large emergency funds in response to the war and energy price spike, but the bulk of the announced support was pledged to support their households and firms rather than to support Ukraine. In total, the domestic energy support package commitments announced by EU countries amount to €570 billion, compared to €55 billion in total EU commitments to Ukraine.”

This is especially intriguing in light of the impression of the high caliber of assistance that news organizations generate. When this assistance is considered from the perspective of the past, the actions of NoName057(16) can seem out of proportion as they seem to follow media patterns. How then does the victimology of NoName057(16) compare to the extent of government assistance as recorded by the Ukraine aid tracker project?

 

The above illustrates how varied the victimology is across the nations affected. Thus far, NoName057(16) has affected 38 nations since they went live. In 2023 (Q1–Q3), Poland, Lithuania, Czech Republic, Italy, and Spain were the top 5 nations affected. Interestingly, considering that Ukraine is the target nation in the actual conflict, it only ranks #6 on NoName057(16)'s list of victims.

Let's investigate if the Ukraine support tracker database contains a plausible explanation for the victim countries selected by NoName057(16). To do this, we ran an experiment that examines the nations that the Ukraine Support Tracker has flagged. We rate those nations based on the amount of support (measured in billions of USD) that they have committed to providing to Ukraine (as previously visualized). The NoName057(16) country victim list is then superimposed over this, and a ranking is added to indicate who has been attacked the most. We determine the difference in ranking between the two lists using the order of each country in the lists.

In our experiment, a distance of "0" might be interpreted as a politically "proportionate" response on the part of NoName057(16), meaning that the nation's standing as a victim and its standing in terms of the amount of support provided are comparable. We extend the radius so that the "proportionate" victims are those nations whose distances fall between -4 and 4.

A negative distance indicates that while those nations have pledged to help Ukraine, the number of attacks by NoName057(16) has not increased in line with that commitment. Thus, these nations are underrepresented in the victim statistics for NoName057(16). Positive distance implies the opposite: these nations have not given Ukraine the same level of significant assistance while being repeatedly attacked by NoName057(16). Thus, the NoName057(16) victim data overrepresents these countries.

Examining instances of this logic at both extremes lets us identify the nations that seem "under-attacked" or "over-attacked" relative to the extent of support they have pledged to Ukraine, and those where the intensity of attack might be seen as politically "proportionate" from a hacktivist standpoint.

However, this knowledge also reveals other categories of nations:

  1. Under-attacked and involved: While several nations have pledged their assistance to Ukraine, NoName057(16) attacks have never affected them. These nations include Hungary, Taiwan, Slovenia, South Korea, and Ireland.
  2. Over-attacked: Compared to the amount of assistance they have provided, several nations seem to have experienced an excessive quantity of attacks. Lithuania, Estonia, Latvia, Italy, Czech Republic, Spain, and Bulgaria are among these nations. Although technically both Iceland and New Zealand are included in this group, their numbers of victims and levels of pledged support are so modest that they are overstated in our study.
  3. Proportionate and involved: Attacks have affected Sweden, France, Germany, Finland, Slovakia, Canada, Denmark, and Switzerland, but the number of attacks is rationally proportionate to the amount of aid given to Ukraine. One could consider these nations the main "fronts" in NoName's hacktivist conflict. Technically speaking, the impact on Greece, Croatia, and Luxembourg makes sense because it matches the amount of help given; however, it should be highlighted that these figures are far lower than those of the other nations in this group.
  4. Proportionate but uninvolved: A few nations have not shown any support for Ukraine and have not been affected by the attacks in any way. These consist of China, India, Malta, and Cyprus. The effect on this group is essentially insignificant, but politically "logical."
  5. Under-attacked but heavily engaged: This group consists of the US, Japan, Norway, Netherlands, Portugal, Austria, UK, Romania, Belgium, and Australia, among other nations. Attacks have affected these nations, for sure, but in comparison to the amount of aid they have provided, the frequency of attacks is rather low. Because of this, NoName's level of attention to this group is also politically "disproportionate," with the United States appearing to be considerably ahead of other countries in this category. According to the same research, Norway would be the exception in this group if the help granted were measured as a percentage of GDP rather than in US dollars.
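
The rank-distance experiment described above, sketched as an added example that is not the authors' code or data. The placeholder countries and all figures are constructed, and the sign convention (support rank minus victim rank), the tie rule and the treatment of missing countries are assumptions chosen to match the article's reading of negative and positive distances.

```python
# Constructed sample data: placeholder countries and made-up figures,
# NOT values from the Ukraine Support Tracker or the article's dataset.
SUPPORT_USD_BN = {"A": 70.0, "B": 20.0, "C": 9.0, "D": 5.0,
                  "E": 1.2, "F": 0.4, "G": 0.1, "H": 0.0}
ATTACK_COUNT = {"A": 5, "B": 0, "C": 35, "D": 60,
                "E": 50, "F": 20, "G": 90, "H": 0}


def dense_rank(values):
    """Rank 1 = largest value; equal values share a rank (assumed tie rule)."""
    ordered = sorted(set(values.values()), reverse=True)
    position = {v: i + 1 for i, v in enumerate(ordered)}
    return {country: position[v] for country, v in values.items()}


def rank_distance(support, attacks):
    """Support rank minus victim rank for every country in either list.

    Assumed sign convention, matching the article's interpretation:
    negative = under-attacked, positive = over-attacked.
    Countries missing from a list count as zero and rank last.
    """
    countries = sorted(set(support) | set(attacks))
    s_rank = dense_rank({c: support.get(c, 0) for c in countries})
    a_rank = dense_rank({c: attacks.get(c, 0) for c in countries})
    return {c: s_rank[c] - a_rank[c] for c in countries}


def classify(support, attacks, band=4):
    """Label each country; distances within +/- band are 'proportionate'."""
    labels = {}
    for country, dist in rank_distance(support, attacks).items():
        pledged = support.get(country, 0) > 0
        attacked = attacks.get(country, 0) > 0
        if dist < -band:
            label = "under-attacked" if attacked else "under-attacked, never attacked"
        elif dist > band:
            label = "over-attacked"
        elif not pledged and not attacked:
            label = "proportionate but uninvolved"
        else:
            label = "proportionate"
        labels[country] = (dist, label)
    return labels


if __name__ == "__main__":
    for country, (dist, label) in classify(SUPPORT_USD_BN, ATTACK_COUNT).items():
        print(f"{country}: distance {dist:+d} -> {label}")
```

Because only rank order enters the distance, a country's label can shift when countries are added to or removed from either list, so the two lists should be fixed before labels are compared.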

We note that the majority of the over-attacked nations are located near the conflict, which may be the primary cause of their perceived "unfair treatment." This is consistent with the results of the study that was released alongside the Ukraine support tracker, in which the authors emphasize that Eastern European nations are unique in terms of the assistance given relative to their GDP, particularly when the expenses of housing war refugees are taken into account.

Thus, certain countries may be affected more than is "proportionate" due to physical proximity and the illusion of "hands-on" help. Spain and Italy seem to be the exceptions in this case; they are not located near the war but yet experience high levels of attack despite relatively modest levels of pledged support.

Based on our qualitative observations of the relevant Telegram groups, it appears that NoName057(16) has primarily targeted Spain because of the sanctions they have imposed, as well as the military support and training they have provided.

Similar reasoning appears to be at play with Italy: as with Spain, attacks apparently occur in response to military assistance. NoName057(16) appears to be under the impression that Italy and Spain are significant donors to Ukraine. According to the writers of the Ukraine Support Tracker: "In international comparison, it is puzzling why some rich Western European countries, like France, Italy, or Spain, provide so little bilateral support."

This is another excerpt of our analysis. An analysis of the threat potential of Cyber Warfare and its main actors (as well as a ton of other interesting research topics like an analysis of the data obtained from our extensive vulnerability management operations and Cyber Extortion statistics) can be found in the Security Navigator.

The Bottom Line

In the last few years, there have been several instances where an increase in hacktivism has taken place due to crises around the world, most notably the situation in Ukraine. The distinction between hacktivism and cyberterrorism becomes more hazy as state-sponsored and non-state actors enter the conflict, increasing anxiety and confusion. To effectively navigate this new era of digital warfare, it is imperative to comprehend the goals and effects of hacktivist groups.