Having a hacktivism ethos while mitigating unethical sabotage

He sits at his computer, under the thrall of drum and bass, intent on malicious keystrokes while searching patiently for a way into a computer system. In his world, there are no victims. Only uncovered opportunities and those missed. But it's all for a greater purpose.

A just cause.

He finds his way into an unsecured Remote Desktop in a foreign country. After gaining access to the user’s desktop, he moves quickly to patch the system, allowing for multiple Remote Desktop sessions, so the next time he logs in, the user won’t be booted from their session.

In truth, it doesn’t matter. His goal is simply to crash the target system with malware. There shouldn’t be any virus definitions that will flag the file and quarantine it. This is only half the fun. Because once the payload is unleashed, this hacktivist is going to laugh at their poor security and justify the attack altogether.

“If they didn’t want me to break in, they should have taken their security seriously,” he says. It’s as simple as that.

This attack happened 16 years ago.

The hacktivist in question was me, and the target itself was completely out-of-scope. This shouldn’t surprise anyone on the underground scene because, ostensibly, most compromised targets aren’t in tune with our objectives.

The double-edged sword of hacktivism

It took me serving over a decade in federal prison as the first person in US history convicted for corrupting industrial control systems to reflect on my cyberattacks, understand the ramifications of all the out-of-scope attacks I launched, and consider the impact on victims. Especially as a hacktivist.

In truth, I was a self-described hacktivist. But I argue that every hacktivist is also a black hat by nature. Hacktivists commit cybercrimes as an act of political activism, whereas black hats typically commit their intrusions for self-gratification. Furthermore, there is a gray area where a crossing over between the two exists.

If you were to run a Google search for the definition of hacktivism, you would uncover various answers. On one hand, it can be defined as the abuse of a protected computer system, generally through hacking, as an act of activism to expose injustice.

On the other hand, hacktivists are motivated by a strong sense of civil disobedience and are accustomed to sharing their own ideology. The culmination of these ingredients, coupled with cyberattacks, makes hacktivists the equivalent of a modern-day Robin Hood, wielding incredible social influence, steering policy, and, of course, justice itself.

The other side of this equation is that the culture of hacktivism largely ignores the consequences of its own actions relating to off-target cyberattacks, while at the same time demanding accountability from governments, corporations, and individuals they deem to be guilty.

Driven by a strong wind of mob mentality, there is a global “call-to-arms” which is chiefly sent forth over social media platforms in the form of memes, with little to no evidence in support of why the target is guilty and must be punished.

Due to a lack of fact-checking, many hacktivists end up spreading false news, adding to the viral news hysteria. It doesn’t help that hackers have been known to deliberately spread false news in an effort to shape public perception, through hijacking prominent social media accounts and hacking news websites to spread disinformation.

Additionally, mainstream hacktivists are propagating a culture that has become obsessed with the idea of justice, but doesn’t really have a plan for how to define and carry it out beyond a “seek-and-destroy” mentality. When its participants take on the role of judge, jury, and executioner in their quest for change, we’ve unwittingly created a practice of “attack now, ask questions later.” These are characteristics that will hopefully change so that they no longer mirror the tactics of the very corrupt entities we fight against.

While times have changed since my hacking days and the sophistication of cyberattacks has evolved exponentially, the nature of hackers themselves arguably remains the same.

I say this because, while monitoring hacktivist operations like #OpRussia, #OpIran, and others, I was a witness to more cyberattacks that were out-of-scope with the goals of the operation, but were still celebrated as successful attacks in the name of the op.

Let me break this down further. Ultimately, what many hacktivists have been doing is attacking infrastructure, businesses, schools, and private citizens whose only affiliation to the target of the op is the unfortunate circumstance of having an IP address in the same country as the target.

This means that an unknown number of non-targets have been attacked in the name of an op, which is chalked up as collateral damage if that distinction is made at all. What does this mean for hacktivists? It simply means that hacking groups are allowing a kind of mob mentality to rule without any checks and balances to protect the innocent from the warpath of misguided individuals who don’t always apply critical thinking.

New objective: mitigating unethical sabotage

During the course of #OpRussia, some hackers were targeting a university in Russia that was part of an international conglomerate of scientists studying the Big Bang Theory. Their goal was simply to destroy the data, erase any backups and ultimately crash the servers. Somehow this was going to send a message to Vladimir Putin and the corrupt government regime.

This attack didn’t sit well with some of the other members of the group, but knowing that the mob wasn’t going to view the university as a non-target after investing countless hours trying to break in, they decided to take the initiative and warn them of the incoming attack. The idea was to mitigate the attack by helping them to prepare for it and avoid the involvement of legal authorities. Could it be done? And most importantly, was looking out for this university our responsibility?

If it’s the duty of mainstream hacktivists to expose the guilty and protect the innocent, then yes.

Ultimately, we failed to make contact in time, and the files on those systems were destroyed in the name of punishing Putin. Of course, the two aren’t related. But tell that to the actors of the mob mentality. After all, at this time within the global theater, Russia had declared war on Ukraine, and cancel culture against Russian people was sweeping across the world.

I digress. The intervention by these hacktivists became an idea that extended to watching other hacktivist operations not only in the ranks of the initial group that took action against the ensuing unethical sabotage but also in different groups. We suddenly had a new task in our quest for cyberactivism: fighting to eliminate collateral damage to innocent victims.

An ideology redefined

For most of the years I’ve spent behind a computer, participating in some form of global cyberactivism, I made a lot of excuses in order to justify the cyberattacks. If I had invested in a target where searching for a vulnerability took me multiple consecutive days before I could identify it and exploit it, only to finally gain access and realize it was a non-target, I had to proceed with the hack for the sake of the time spent.

This is simply a backward attitude. Because if hacktivists apply critical thinking to scenarios like the above, it becomes obvious that they aren’t in line with the goals or virtues of hacktivism. We lose the moral high ground to our cause and ultimately behave with the same corrupted characteristics as the very governments we strive to expose. Regardless of the time invested, protecting the innocent is never time lost.

Disengaging from non-targets and leaving those systems intact is of vital importance. There is no greater good or necessary evil in the victimization of the innocent during our conquest to expose injustice. Oftentimes we hide behind our own self-righteousness and alter the narrative of what really happened because we want to be the symbol of hope people believe in. The excuses we make are probably close to the same lies that corrupt entities tell themselves.

We must fight to create a better version of ourselves. We can achieve this by eliminating the possibility of causing collateral damage to non-targets. In order for this to happen, hacktivists must enact a policy that clearly defines what is permissible and what is forbidden and then take the necessary steps to enforce it.

Additionally, moving in front of cyberattacks by contacting targeted companies and offering assistance or advice to help mitigate those attacks should be adopted as a practice in protecting the innocent.