WASHINGTON — Early last year, hackers launched a cyberattack against the state of Michigan’s main website to draw attention to the Flint water crisis. In May, they targeted North Carolina government websites to protest a controversial state law requiring transgender people to use bathrooms that match the sex on their birth certificate. And in July, they took aim at the city of Baton Rouge, Louisiana’s website after the fatal police shooting of a black man.
It’s called “hacktivism,” a blend of hacking and activism for a political or social cause, and state and local governments are increasingly finding themselves targets. Unlike cybercriminals who hack into computer networks to steal data for the cash, most hacktivists aren’t doing it for the dollars. They’re individuals or groups of hackers who band together and see themselves as fighting injustice.
“It’s digital disobedience. It’s hacking for a cause,” said Dan Lohrmann, chief security officer for Security Mentor, a national security training firm that works with states.
Hacktivists have gone after everyone from foreign governments and corporations to drug dealers and pedophiles. Police departments, hospitals, small towns, big cities and states also have come under attack.
Online activists have successfully frozen government servers, defaced websites, and hacked into data or email and released it online.
“Some take this as being harmless and think it’s another form of protest,” said Doug Robinson, executive director of the National Association of State Chief Information Officers. “But it can be highly disruptive. It’s criminal trespassing.”
Robinson said he has seen a “significant growth” in the number and severity of hacktivist attacks on state and local governments in the past five years. For the public, it can mean being unable to log on to government websites to get information or conduct business. And for taxpayers, it can mean having to pick up the tab for staff time and additional technology needed to combat such attacks.
When Baltimore was rocked by protests over Freddie Gray’s death from injuries sustained while in police custody in April 2015, for example, hacktivists knocked out the city’s main website, which gives the public information about government services, for at least 16 hours.
“Hacktivists are almost like vigilantes. They’re looking to disrupt,” said Brian Calkin, a vice president of the Multi-State Information Sharing and Analysis Center, a federally funded group that tracks cybersecurity issues for states and local governments.
Calkin said his group tracked 65 hacktivist incidents involving state and local governments in 2015; the number jumped to 160 last year. And a 2014 survey of state information technology security officials listed hacktivism as one of their top three cyber concerns.
“Hacktivism is becoming more and more of a serious issue,” said Srini Subramanian, a state cybersecurity principal at the consulting firm Deloitte & Touche LLP.
Subramanian said hacktivists don’t just want to disrupt services; they also want to undermine public trust. “That is what is going to move the hacktivists to continue to do this.”
Hacktivists are an amorphous group. While some may be individuals unhappy with a perceived social injustice, many are linked to loosely associated networks such as Anonymous, a major hacktivist group responsible for attacking government, corporate and religious websites.
Anonymous describes itself on its website as a “relatively small vigilante cyber group” that has “expanded and transformed into a continuation of the Civil-Rights movement.”
Hacktivists use various tools: Sometimes, they hack into private email or confidential records and make them public. Sometimes, they compile personal information about targets such as police officers from the internet or government record breaches and post it online, which is called “doxing” (a derivative of “docs,” slang for documents). The information can include a person’s home address, phone number and even the names of his children. Hacktivists see it as transparency; security experts see it as harassment.
Often, hacktivists launch “denial-of-service” attacks, in which they try to knock a website offline by flooding it with traffic. To do that, they take control of a large group of computers — sometimes tens of thousands or more — using malware that unsuspecting people have launched on their home or office computers by clicking on an email with an attachment or a link to a website. The hacktivists then control the so-called “zombie” computers and direct them to bombard a specific website with traffic at the same time, causing it to freeze.
“A given website can only handle so many visitors,” Calkin said. “When you exceed that number, the server will crash. When you keep that attack up, there’s no way to recover it while it’s happening.”
If a government computer system doesn’t have the protections to block such attacks, a website can be knocked offline for anywhere from several minutes to 24 hours or longer.
Experts generally don’t consider cyberespionage by foreign governments or intelligence agencies to be hacktivism. But some do include groups such as WikiLeaks, an international organization that publishes secret or classified information, some of which has been hacked by others with political or social agendas.
“Hacktivism isn’t just about crashing systems or bringing down websites,” Lohrmann said. “It’s hacking to achieve the ends of social or political causes. It could be stealing information or publishing information to embarrass or discredit people.”
Some hacktivist attacks have been successful; others haven’t.
In North Carolina, the May attacks over the transgender bathroom law were a bust because the state’s main websites continued to operate normally during and after the attacks, said Katie Diefes, a state Department of Information Technology spokeswoman. The only websites affected were some older ones that simply redirected users to the main ones.
Hacktivists were more successful when they sounded off against the fatal police shooting of Michael Brown, an unarmed black teenager, Aug. 9, 2014, in Ferguson, Missouri, which prompted protests and riots.
Within a week of Brown’s death, Anonymous began its assault, using denial-of-service tactics and doxing high-level state, local and law enforcement officials, said Michael Roling, the state’s chief information security officer. The group targeted the state’s main website as well as those of the revenue and public safety departments.
While IT staff was quick to launch its defenses and help blunt the attacks, Roling said state websites suffered brief outages in August 2014 and again three months later, after a grand jury decided not to indict the officer who shot Brown. “Fortunately, we were able to get controls in place before they had the opportunity to do damage or affect the delivery of state services,” he said.
But Roling noted that his team worked for weeks defending the state’s computer network against hacktivists. And it came at a cost: at least $150,000 for services to protect the network.
“We have the resources, but we’ve seen some local governments across the country that don’t have the funding or have no way of quickly procuring services to fight these attacks, and their services are knocked offline,” Roling said.
Cybersecurity experts warn that state and local governments need to prepare to fight all sorts of online attacks, including those by cyber activists. Calkin said his group recommends that if government computer systems aren’t equipped to handle hacktivist attacks, officials should work with their internet providers to install programs that help block illegitimate web traffic.
Or they can turn to global cybersecurity companies that offer services to combat massive assaults and scrub out “bad” traffic headed toward websites while keeping “good” traffic.
That’s what Minnesota did, said Christopher Buse, the state’s chief information security officer. “We’re seeing more of these attacks than ever,” he said. “They’re bigger and they’re becoming more complex and more costly to defend.”