Cybercrime takes on many forms, but one of the long-standing tactics attackers use is web defacement—the act of compromising and vandalizing a website. Typically, these attackers—known as web defacers—replace the original page with their own content, boldly stating a political or social message. This is not a new phenomenon, but it is an enduring one. We’ve analyzed data that goes back almost two decades, and we’ve seen how the process of web defacement is still being used nowadays.
While previous research focused on detecting these attacks, the reasons or motivations behind them were unexplored. Hacktivists represent part of the problem since they use web defacement to promote their specific agendas, but defacers can have many different motivations. This is what our research focused on—the events that trigger web defacements and the methods the defacers use. We examined over 13 million web defacement reports across different continents. And using machine learning, we gathered, analyzed, and clustered these reports to gain more insight into the patterns of these defacements.
The Causes of Web Defacements
It comes as no surprise that geopolitical conflicts often leak into the digital world. Our research showed that hacktivist web defacement is typically caused by a political event or active conflict. We identified different notable web defacement “campaigns” involving defacements that are not single instances but have both momentum and support from different defacers.
Most of the campaigns can be linked to intense political conflicts that go back decades. Sudden events trigger specific web defacements; the violent Charlie Hebdo attack and the attacks on the city of Aleppo prompted a surge of web defacements.
In some cases, web defacements stem from border conflicts or opposing political views. Several countries around the South China Sea are currently involved in territorial disputes, and defacers attack their rivals in cyberspace. One campaign called “#OpIndia” involved border disputes between India and its neighbors Bangladesh and Pakistan, while “#OpIsrael” is a modern iteration of a dispute between Israel and Palestine dating back to the 1940s.
Defacement Groups and their Tactics
The groups responsible for these web defacements are varied. They often involve local hackers that unite for a common cause, but sometimes the movement becomes larger and more international. The groups use social media to communicate with each other, gain support for their causes, and organize events.They also share tools with each other. Sometimes they use specific templates for their web defacements, and these are passed around to supporters.
It also goes beyond that. Defacers share other hacking tools and video tutorials, even exploit codes. Their criminal behavior tends to escalate.
The Evolution of Web Defacers
Currently, the majority of defacement groups do not make a profit from their hacking. However, these defacers are continuously compromising websites successfully, and the next stage for any hacker would be to monetize their activities. With the level of access they have to vulnerable sites, it would be easy. They could, for example, put malicious redirections or an exploit code in the defacement pages that would install ransomware on a visitor’s device.
So far, most defacers are focused on ideological pursuits, aiming to make statements instead of money. But we are already seeing examples of how their activities are evolving, such as when Indian hackers reportedly locked Pakistani government employees out of their websites and refused to give back access, even after receiving payment. Apparently, they did this because of patriotic reasons. So we can see that some groups are already escalating into more serious attacks. Hackers who practice defacement could easily slip into more radical, profit-driven activities.
See our research on the subject here.