Hospitals, Airports, and Telcos — Modern Approach to Attributing Hacktivism Attacks
9 Aug 2024
Short Talk
Itay Cohen
Abstract
On December 12th, millions of Ukrainians trying to connect to Kyivstar's mobile and internet services were met with silence. The outage, it turned out, was no accident, but a carefully planned attack that had been brewing for months. One day later, a message saying “We take full responsibility for the cyber attack on Kyivstar” appeared on social media accounts belonging to a group calling itself ‘Solntsepek’.
“We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine,” the message continued. Ukrainian users found themselves the audience of yet another hacking stunt in the ongoing war that started with the Russian invasion of Ukraine. Almost one month later, the pro-Ukraine hacker group “BlackJack” claimed to have breached the Russian internet provider M9com as revenge for the Kyivstar attack.
These attacks demonstrate a rising trend where groups, ostensibly state-sponsored yet posing as hacktivists, execute cyber and influence operations. This approach provides plausible deniability and an appearance of legitimacy, avoiding the direct implications of government involvement. These actors, often using various group names, leverage grassroots facades for anonymity and to minimize international backlash.
But what if the inflation in the trend is its weakest point? This is where yet another trendy topic comes in handy: machine learning (and yes, AI as well). We analyzed thousands of public messages from hacktivist groups in Europe and the Middle East and combined classic cyber threat-intelligence practices with modern ML models to learn about their motives over time and, more importantly, to tie some of these groups together and improve the way we do attribution when it comes to hacktivism.