Video: 10 Minute IT Jams - Radware examines the DragonForce threat group's hacktivism campaigns
A new wave of hacktivism is sweeping across the Middle East, led by a group calling itself Dragon Force. Cyber security experts warn that, despite using tools and tactics more than a decade old, Dragon Force remains a genuine threat to organisations with unprotected digital assets.
In an interview with Tech Day, Daniel Smith, head of research at cyber security firm Radware, explained the origins and impact of Dragon Force. "They're a renewed hacktivist group," he said. "When I say renewed, I mean hacktivism kind of died out in 2016 with Anonymous. There was a little bit of infighting between the group, and because of that we have seen a void of hacktivists."
Now, Dragon Force has stepped into that void, launching attacks across several sectors in the Middle East this year. The group styles itself as the natural successor to earlier hacktivist collectives, but is distinct from Anonymous, despite the Guy Fawkes mask aesthetic. "Anybody can wear the mask, but this is a new group of hacktivists that are reusing the same playbook as before," Smith said.
Although Dragon Force's campaign has been widespread, the group's technical sophistication often falls short of that of some other modern cyber threats. "I would say they're quite basic," Smith explained. "When we were watching them and observing their actual campaign, we found that a lot of the members inside the hacktivist group were having trouble running outdated tools. When I say outdated tools, I mean they're using tools that are about a decade old."
Despite this, the group's collective size and sheer persistence mean the threat cannot be dismissed. "They still remain a threat. They're still very organised, there's still a large group of them. So when they do get these tools working, they do pose a certain level of risk to the organisations that they're attacking at the moment," Smith continued. "I wouldn't say that they're super sophisticated like some of the ransomware groups that we're seeing nowadays."
A key feature of the Dragon Force playbook is the use of denial of service (DoS) attacks - a tactic that has been prominent in hacktivist and cyber criminal arsenals for many years. Remarkably, despite the passage of time and improvements in cyber security defences, such attacks remain effective.
"These tools are about a decade old, which is kind of strange to see them still being used and leveraged today," Smith said. "Today at Radware, we're still seeing hundreds of events every month come in against our clients' networks from these types of tools. So yeah, these tools are still very relevant and they're still being used."
Their effectiveness, however, is limited by the defensive measures in place at targeted organisations. "They're only really relevant against unprotected assets," Smith noted. "Of course, you're not going to be able to use LOIC and Hulk to attack these large corporations that have these large robust security solutions. These tools are only going to be able to be leveraged against unprotected assets that are out there, and a lot of times these threat actors are looking for it."
The evolving cyber criminal ecosystem has also shaped how groups like Dragon Force operate and organise online. Whereas some advanced persistent threat (APT) groups have carved out their own forums, Dragon Force has been forced to set up its own after being ejected from existing platforms.
"Back in the day, you know, hack forums and all the other script kiddie kind of forums, they pushed the DDoSers out. They didn't want anybody advertising DDoS attacks or DDoS services; it was causing problems with law enforcement, so admins on these criminal websites began censoring," Smith explained. "It's really strange. We still see it today with ransomware. We see forums banning members that are talking about or advertising ransomware campaigns."
As a result, groups such as Dragon Force have gone independent. "Threat actors are now looking to actually build their own forums where they won't be censored by other admins. What we're seeing with Dragon Force is they actually have their own forum. They're able to communicate and collaborate with each other about ongoing campaigns," Smith said.
This ability to coordinate, share information and improve their methods makes Dragon Force an unpredictable and, in some cases, pernicious adversary - especially for companies and organisations that may not have kept pace with developments in cyber security.
So how can organisations defend themselves against these so-called "basic" but still significant threats?
"It's very tough to protect yourself from hacktivists," Smith admitted. "That's because their campaigns are not very well announced. They come out of nowhere and they're usually reactionary, so it's very hard to be prepared for such a situation."
The answer, he said, is threat intelligence and preparation. "What you need to do is you need to have threat intelligence programmes. They're kind of like a head on a swivel; they're looking around the threat landscape and understanding what social or political issues might cause hacktivists to be reactionary," Smith recommended.
"Activists aren't as big a threat as they used to be, but there is always a lone wolf willing to step up and wear the mask, and that presents a certain level of risk for anybody across the board," he said.
Smith urged organisations to look for robust security solutions with integrated threat intelligence. "We suggest that people, when looking into security solutions, find a robust security solution that also includes threat intelligence programmes so these clients and victims - soon to be victims - cannot be victims, but they can be actually prepared to thwart such an attack," he concluded.
"Thank you for having me," Smith ended.