The “IBM X-Force Threat Intelligence Index 2019” highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations. Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.

Looking at IBM X-Force data in the period between 2015 and 2019, our team noted a sharp decrease in publicly disclosed hacktivist attacks. Our data incorporates incidents pulled from established and reliable reporting streams and reveals where a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim. While this data does not capture all cyber incidents — nor all hacktivist attacks that occurred in that period — the decrease in publicly acknowledged hacktivism attacks remains significant since public attribution is a key component in these types of attacks.

In 2016 in particular, hacktivist attacks such as Operation Icarus, which directed distributed denial-of-service (DDoS) attacks at banks worldwide, made headlines several times. Another 2016 attack by the same group was a “declaration of war” on Thai police following the conviction of two Burmese men for the murders of two British backpackers. That operation resulted in the defacement of several Thai police websites. In 2018, the number of reported attacks was much lower, although various groups used similar tactics, including DDoS attacks and the defacement of several government websites in Spain.

We have some theories about the reasons behind this decline — specifically, a decrease in attacks by one core hacking collective and law enforcement acting as a deterrent against hacktivism. Let’s explore these theories in more detail.

Public Hacktivist Attacks Have Dropped Nearly 95 Percent Since 2015

We’ll start by taking a closer look at the numbers. According to X-Force data collected between 2015 and 2019, hacktivist attacks have declined from 35 publicized incidents from our sample in 2015 to five publicized incidents in 2017. In 2018, only two publicized incidents were recorded, a dramatic decline over the past four years. Thus far for 2019, no hacktivist attacks have yet met the criteria to be included in our data set, although we are aware that some hacktivist attacks have occurred.

These numbers show a drop of nearly 95 percent from 2015 to 2018 as attacks from the groups behind the bulk of the 2015–2016 attacks decreased. Most notably, the Anonymous collective and associated groups that identify themselves as Anonymous in different parts of the world perpetrated fewer attacks.

Figure 1: Number of publicized hacktivist attacks (Source: IBM X-Force Data, 2015–2018)

For the hacktivist attacks tracked through our X-Force data, an analysis shows that few hacktivist groups aside from Anonymous have notably dominated the attack landscape over the past four years, with most groups carrying out only one or two attacks and then disappearing for a time.

Several groups struck only once and were never heard from again under the same name. The following figure depicts the number of hacktivist attacks by group from 2015 through 2018. Attacks by Anonymous made up 45 percent of all attacks, a far higher percentage than any other group that kept the same identity over time.

Figure 2: Hacktivist attacks by group (Source: X-Force Data, 2015–2018)

Where Have All the Hacktivist Groups Gone?

So how can this decrease in hacktivist attacks from 2015 to 2018 be explained, especially in view of how frequent these sorts of incidents were in previous years?

X-Force researchers have some theories about the changing nature of the hacktivist threat landscape that could have contributed to this decline. Upon examining these theories in light of additional data on hacktivist attacks and activity and law enforcement response, we noted several patterns that might help explain this downward trend.

A Decline in Anonymous Attack Campaigns

A decline in attacks associated with the hacking group Anonymous is one of the principal contributing factors in the overall decline in hacktivist attacks worldwide.

Starting around 2010, Anonymous became one of the most prolific hacktivist groups in the world, reaching a peak of activity in early- to mid-2016, according to IBM X-Force data. Since then, attacks by Anonymous have declined significantly, possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.

Some examples of this turmoil were on display during the 2016 US presidential election, which appeared to spark a sharp debate among Anonymous members, one that even spilled over into the public domain. While some members advocated for attacks against candidate websites, others strongly disagreed, arguing that the group does not support a particular political ideology and criticizing proposed attacks as “cringeworthy.”

In addition to differences in viewpoint, several cyber actors have sought to masquerade as Anonymous actors over the past three years, using the moniker in an attempt to legitimize their actions or to tarnish the group’s name by connecting their activities to Anonymous. In early 2016, Anonymous released a video warning about “fake Anons” and claiming that governments and individuals were acting in the name of the group in an attempt to “damage the name of Anonymous and [post] propaganda of their own ideologies,” or profit financially by using the group’s name as clickbait to attract traffic to advertising webpages. Any attempt to decrease the number of fake Anons may have led to a decrease in the number of true Anonymous actors overall.

X-Force data shows that decrease in Anonymous activity, with attacks dropping from eight incidents in 2015 to only one tracked in 2018.

Figure 3: Number of publicized Anonymous hacktivist attacks per year (Source: IBM X-Force Data, 2015–2018)

Legal Deterrence

Arrests and legal warnings issued to hacktivists at large may be acting as an effective deterrent against additional hacktivist activity. X-Force IRIS internal tracking of related arrests revealed that law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011. We suspect the actual number is greater than those publicly announced. Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.

The 10-year sentence — plus a $443,000 fine — was placed on one self-proclaimed Anonymous hacktivist who hit Boston Children’s Hospital with DDoS attacks in 2014 and was arrested in February 2016. Some security practitioners noted that the long sentence had the potential to deter additional attacks.

Another hacktivist arrested in 2011 agreed to become an informant to the FBI, possibly contributing to the demise of his hacking group LulzSec and the arrests of potentially nine other hacktivists. This hacker then served seven months in prison before becoming a legitimate penetration tester.

In January 2017, one software engineer publicly proposed a DDoS attack on the White House’s website as a form of hacktivism. Security experts and law enforcement officials warned that such an act was illegal and would be tracked and punished. In the end, no attacks appeared to have occurred, and there were no reported problems with the White House website that month.

Hacktivism Is a Volatile Tactic

Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lie beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time. More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.

Hacktivism incidents in 2019 already suggest that this year may see an uptick in attacks, with a scattering of activity from attacks on Saudi newspapers in January to DDoS attacks on Ecuadorian government websites following the arrest of Julian Assange. As of yet, however, these numbers have still not reached the tempo of hacktivist attacks seen in 2015 and 2016.

For the time being, the world appears to be experiencing a relative respite from hacktivist attacks, perhaps freeing defensive resources to focus on more pressing threats, such as malicious actors’ use of PowerShell, Spectre/Meltdown and inadvertent misconfiguration incidents. These ongoing threats, X-Force IRIS predicts, will continue to demand more focus from security teams throughout 2019.
