HACKTIVISM AND WEBSITE DEFACEMENT... ROMAGNA & VAN DEN HOUT
VIRUS BULLETIN CONFERENCE OCTOBER 2017
HACKTIVISM AND WEBSITE DEFACEMENT: MOTIVATIONS, CAPABILITIES AND POTENTIAL THREATS
Marco Romagna & Niek Jan van den Hout
The Hague University of Applied Sciences,
The Netherlands
Email {m.romagna, n.j.vandenhout}@hhs.nl
ABSTRACT
Hacktivism and website defacement seem often to be linked:
websites are defaced by hacktivists on a daily basis for many
different reasons. However, due to a lack of studies of this
phenomenon, it remains unclear as to what, exactly, their
socio-psychological motivations are, what their modus
operandi is, and whether the combination of these factors
poses a serious threat to corporations and governmental
organizations.
In order to answer these questions, this paper provides a
qualitative analysis of the motives and intentions of
hacktivists, and a qualitative analysis of their modus operandi.
It seems that hacktivists who deface websites have multiple
ideological and psychological motivations for their actions.
Although the socio-political motivations appear to be the most
important, other triggers – such as thrill seeking and increasing
self-esteem – also play a relevant part. The investigation into
the modus operandi has revealed that hacktivists often use
known and relatively unsophisticated vulnerabilities and
techniques. In addition, they use publicly available tools, but
are also able to create their own. Targets seem to be chosen
based either on how easy they are to hack and/or on the
potential amount of attention the defacement is likely to
receive. The methodology of this research involves an
extensive review of the existing literature on the topic,
corroborated by several interviews with hacktivists and experts
in the field of information and cybersecurity. The researchers
conducted an analysis of forensic data gained from a honeypot
server created ad hoc for this research, and examined technical
data from over 7 million defacements based on the dataset of
the Zone-H Defacement Archive.
INTRODUCTION
In March 2017, between Sunday 11 March and Monday 12
March, many Dutch websites were allegedly targeted by
Turkish hacktivists following a political spat between the
Netherlands and Turkey [1]. The trigger for the attacks was the
refusal of the Dutch government to allow Turkish officials to
enter the Netherlands in order to rally expat voters for the
upcoming Turkish constitutional referendum (Fox-IT¹ [2]). The
campaign became known as the ‘Netherlands Operation’.
Dutch domains were not the only targets of the attackers, who
mainly employed DDoS, website defacements and social
network account defacements as forms of disruption.
¹ Fox-IT is a Dutch company, part of NCC Group, that works in the
fields of cybersecurity and risk mitigation, and helps businesses to
protect their brand, value and reputation against the ever-evolving
threat landscape.
According to CNBC journalist Arjun Kharpal [3], hundreds of
Twitter accounts, from those of media outlets to those
belonging to celebrities, were hacked and branded with the
Turkish flag and messages in Turkish. In its analysis of the
attack, Fox-IT [2] noted that many of the methods and
techniques used were relatively simple and could have been
executed by any person with basic hacking knowledge and
skills.
This episode might lend credence to two hypotheses: 1) the
cybersecurity of many websites is still low, considering the
fact that the methods used for defacement are usually quite
simple. 2) Website defacement still plays a relevant role
among hacktivists, and is one of their favourite tools for
promoting ideological and socio-political goals. As Samuel [4]
noted, a ‘site defacement consists of hacking into a web server
and replacing a web page with a new page bearing [… a
socio²]-political message’. At the time Samuel wrote this, in
2004, there were probably several defacements that targeted
specific organizations, as hacktivists wanted to make a
statement, to criticize those precise organizations (normally
corporations or governments) [4].
An early example is an attack against the US Department of
Justice web server that dates back to 1996. In the first known
defacement launched by hacktivists, the protests were directed
against the Communications Decency Act (CDA) with its
provisions for screening offensive material online [5].
Hacktivists reacted in a very provocative way, displaying on
the homepage of the Department the words ‘Department of
Injustice’ and showing pornographic images.
Nowadays, we witness a different tendency: during the
‘Netherlands Operation’, conducted by Turk Hack Team and
by other groups, hacktivists did not limit their defacements to
specific websites that could have been connected in some way
with the Dutch-Turkish tensions (such as law enforcement
agencies or government websites), but randomly chose web
pages that were completely unrelated to the political issue (as
long as they were registered as Dutch domains). The situation
was different for the DDoS attacks, where hacktivists hindered
the websites of the Dutch police, some political parties (VVD,
PVV) and media outlets (NOS and The Telegraph) [2]. This
trend seems to be confirmed in the analysis of the data
provided by the Zone-H Defacement Archive³, and in the
words of some of our interviewees.
Hacktivists now seem more likely to deface any websites with
poor security measures (no matter the topic of the site) in
order to spread a message. It therefore appears that the target
per se is no longer so important, while the visibility
(calculated on the number of defaced websites) represents the
main element. In a way, this becomes even more true when the
defacements are part of larger attacks that fall under the
concept of cyberwar between different countries [4]. An
example is provided by the geo-political Indo-Pakistani
tensions: hacktivists, or so-called state-sponsored hacktivists,
tend to deface any websites with poor security measures
regardless of the content, as long as the domain is Indian (for
Pakistani hacktivists) or Pakistani (for Indian hacktivists). In
more spectacular operations, hacktivists attempt to target
government websites, aiming both to make a direct statement
against a government on its web page, and to shame it by
exposing its inability to keep its websites safe.
² Words in brackets are ours.
³ Zone-H Defacement Archive (hereafter Zone-H Archive) is a freely
available database that has recorded website defacements since 2001.
The database is open for general consultation at the URL
http://www.zone-h.org/. For specific data, the company that manages
the database levies a service charge.
This paper will attempt to clarify what connections exist
between website defacement and hacktivism, answering the
following questions:
• What is the link between hacktivism and website
defacement?
• What are the motivations and the modus operandi of
hacktivists that engage in website defacement?
• To what extent does website defacement represent a
threat when linked to hacktivism?
The paper is structured in five main parts: first we will explain
what we mean by the terms ‘hacktivism’ and ‘website
defacement’, and how the two are connected. Then we will
describe, step by step, the methodology that has been used to
retrieve data and conduct the investigation. In the third part,
we will provide insights into the motivations that push
hackers in general and hacktivists in particular to engage in
website defacements. In the fourth section we analyse the
modus operandi and the tools used, and finally we draw some
conclusions.
CONCEPTUALIZING HACKTIVISM AND
WEBSITE DEFACEMENT
Hacktivism is a complicated phenomenon and it can be
interpreted in different ways [6]. In this paper we borrow part
of the definitions provided by Milan ([6], p.550) and Denning
([7], p.241) and we describe it as the sum of ideologies,
individual and collective actions typical of traditional
activism, applied in cyberspace through the use of hacking
techniques, while addressing or exploiting network
infrastructure’s technical and ontological features, with the
final goal of reaching a socio-political change in society.
Looking at the general history of hacktivism, we follow the
path of previous studies and research that mainly identify it as
the sum of group/team operations rather than of single
individuals’ actions [4, 6, 8]. This point is in line with the
traditional organizational structure of activism and it clarifies
why, in our definition, we apply the concept of collective
action given by Melucci ([9], p.43), who describes it as ‘the
result of purposes, resources, and limits, as a purposive
orientation constructed by means of social relationships
within a system of opportunities and constraints’. The role
played by the group has an undeniably important part in
deciding the socio-political approach, the ideological beliefs,
the operational lines and the targets, but as Milan [10] points
out, the individual in hacktivism still has a fundamental
function because the ‘we’ essentially is the sum of the various
self-contained ‘I’s ([10], p.89). The person is still independent
in the group, likely as a consequence of the fact that the
technical component (coding and hacking) is primarily based
on individual skills, and the tasks within the group are
assigned mainly considering the technical expertise of each
member ([6], p.556). This is a tendency that also seems to
exist among defacements performed in the name of
hacktivism; our interviewees confirmed that the operations
per se are likely the result of team work, but that every
member has a specific role, a tailored task and a certain
number of domains to target.
The definition of website defacement is less debatable than
that of hacktivism; nevertheless, there is still some uncertainty,
prompting us to provide our view: by website defacement we
mean the act of disfiguring without authorization a location
on the Internet. On the one hand, we embrace the definition
given by Samuel ([4]:8) as an attack on a website that
changes the visual appearance of the whole site or of one or
more web pages; on the other hand, since we deliberately use
the word location in our definition, we enlarge the concept
not only to the disfigurement of a traditional HTML page, but
also to unauthorized changes on social network accounts such
as Facebook or Twitter (as happened during the ‘Netherlands
Operation’). We do understand that the techniques used differ
broadly and that website defacements are more interesting
from a technical perspective. We also had to take into account
the fact that our interviewees and Zone-H Archive do not deal
with attacks on social networks. For these reasons, our
analysis will focus only on HTML defacements, but we think
that it would be useful to widen the scope of the definition for
future research activities.
METHODOLOGY
The scientific literature on website defacements is scarcer
than we had expected when we started to draft this paper, and
the availability of literature dealing with defacements and
hacktivism is even poorer. Therefore we investigated the
topic, looking for previous works on hackers in general, on
hacktivism in particular, and on how website defacements are
conducted and what consequences they bring. We combined
the literature with some interviews and an analysis of the
Zone-H Archive. The research produced the results we will
present in this paper and gave us enough room to formulate
explorative questions and possible answers. The findings
presented in this paper are based on qualitative and
quantitative analysis.
For the qualitative part, we tried to get in contact with
hacktivists that had been particularly active in defacing
websites during the last year (January – December 2016). In
order to find out who the groups or single hacktivists were,
we checked the Zone-H Archive. Zone-H provides a database
that has been recording website defacements since 2001,
registering for every attack some specific characteristics:
targeted domain; attack date; attack time; attacker’s
nickname; operating system of the attacked website; web
server of the attacked website; attack methodology; attack
typology; new attack/re-defacement; intrusion level
(homepage/subdir); status (verified/to be verified); single/
mass defacement; flag. The person who fills in the form is
also required to indicate the motivation that triggered the
defacement. Considering that our main topic for this research
is hacktivism, we decided to examine only the attacks
conducted for ‘political reasons’ and for ‘patriotism’ between
January 2016 and December 2016. We then filtered the
database selecting these two motivations and checked which
were the 25 most active groups or individuals. Next, we
looked for possible contacts in order to communicate with
them. We examined the mirror pages that had automatically
been saved by Zone-H, as we had noticed that many
hacktivists leave their signatures or even contacts such as
emails, websites or social network accounts on the defaced
pages. This turned out to be a good source of information. We
noticed that the individuals with a Twitter account were the
most interested in starting a discussion with us. As often
happens with people who engage in illegal activities (website
defacement violates several laws in different countries), only
five out of the 25 individuals we tried to contact agreed to
answer our questions. For the interviews we used two
methods:
- Structured interviews conducted using a closed
questionnaire consisting of 15 questions that addressed
hacktivism in general and website defacement in
particular; the questionnaire was sent to those groups or
individuals that only provided an email address as a form
of contact.
- Semi-structured interviews for those that were reachable
with synchronous tools (chat, instant messenger in
Twitter, Facebook, ICQ); this form of communication
seems better adapted to these conversations and gave us
more opportunities to direct the discussion and the
focus towards interesting topics or information that
came up during the talk. Moreover, it gave us time to
read the answers and ask for another chat with new
questions based on the answers from the previous
discussion.
The quantitative analysis was conducted focusing on the data
of Zone-H Archive for the period January 2016 – December
2016, but to have a clear overview of defacements in general
we will provide some data that dates back to January 2010. To
our knowledge, Zone-H Archive is the only available database
that has been recording website defacements. From 2010 to
2016 there were more than 7 million recorded attacks. We
noticed that the motivations provided by the individuals are
not always reliable (this has been confirmed by the company
that manages the archive), but with the right corrections, we
tried to provide a good insight both into this particular
technique and into how it is linked to hacktivism. It is not
possible to state whether a defacer has actually been
motivated to act for political reasons or patriotism, but
skimming through dozens of mirror sites, we have noticed
that the motivation usually corresponds to that provided in
Zone-H Archive.
MOTIVATIONS AND INTENTIONS
In order to better understand hacktivism and the potential
threat it represents, this section offers an overview of the most
common motivations stated by hacktivists when defacing a
website. Although hacktivists are by definition driven
primarily by achieving socio-political change [4, 6, 8], their
behaviours and reasons for engaging in hacking cannot
completely be explained just by these kinds of motivations.
Many of the websites they deface do not have any
connections with the socio-political change they seem to be
seeking [11] and, as suggested by Denning [7], there are more
effective ways to reach it. According to Samuel [4],
hacktivists often choose a political agenda after they have
already decided to become politically active. These factors
suggest that there have to be other, secondary circumstances
that drive hacktivists to deface websites. Considering the
existing literature, motivations can roughly be divided into
two categories, namely socio-political and personal.

Figure 1: Total number of website defacements and division by single category in the period 2010-2016.
(Source: Zone-H Archive.)

Motivation                                 2010       2011       2012       2013       2014       2015       2016
Total number of defacements           1,418,687  1,608,893  1,192,291  1,391,457  1,150,449  1,010,478    888,064
Heh…just for fun                        829,429    818,863    548,566    674,983    681,781    630,107    538,187
                                       (58.46%)    (50.9%)   (46.01%)   (48.51%)   (59.26%)   (62.36%)   (60.60%)
I just want to be the best defacer      289,637    330,184    228,369    269,798    224,465    152,921    141,580
                                       (20.42%)   (20.52%)   (19.15%)   (19.39%)   (19.51%)   (15.13%)   (15.94%)
Not available                            94,028     97,541    111,483    232,145     84,954     70,045     58,805
                                        (6.63%)    (6.06%)    (9.35%)   (16.68%)    (7.38%)    (6.93%)    (6.62%)
Patriotism                               59,009    123,651     54,936     30,396     21,742     24,880     39,532
                                        (4.16%)    (7.69%)    (4.61%)    (2.18%)    (1.89%)    (2.46%)    (4.45%)
Political reasons                        57,081     92,685     93,239     67,276     59,917     61,383     52,492
                                        (4.02%)    (5.76%)    (7.82%)    (4.83%)    (5.21%)    (6.07%)    (5.91%)
Revenge against that website             45,049     73,764     80,924     59,125     40,608     36,091     27,532
                                        (3.18%)    (4.58%)    (6.79%)    (4.25%)    (3.53%)    (3.57%)     (3.1%)
As a challenge                           44,454     72,205     74,774     57,734     36,982     35,051     29,936
                                        (3.13%)    (4.49%)    (6.27%)    (4.15%)    (3.21%)    (3.47%)    (3.37%)

Table 1: Total number of website defacements (and percentages), and their division by single category in the period 2010-2016.
(Source: Zone-H Archive.)

As shown in Figure 1 and Table 1, website defacements
registered a general decrease in the period 2010-2016: the
peak was reached in 2011 (1,608,893), while the total number
dropped to 888,064 (almost half) in 2016. Zone-H Archive
allows attackers to explain (in broad categories) why they
conducted the defacements. ‘Fun’ has been by far the most
common reason, followed at a considerable distance by the
goal of being the ‘best defacer’. Defacing websites for fun
decreased by almost 300,000 attacks, but it is relevant to note
that since 2012 its percentage of the total annual number of
attacks has continued to grow. We do not know who really is
behind these defacements, but based on general knowledge,
such a motivation seems more in line with the behaviour of a
script kiddie than with that of a grown-up hacker.
Nevertheless, we have to be careful in drawing fast
conclusions, as ‘fun’ can have different meanings in relation
to the person who has fun: it might be that a script kiddie
defaces for fun because he/she feels a thrill, but it might also
be that a skilled hacker finds it ‘fun’ (meant in this case as
challenging) to deface websites, providing a different
interpretation of the concept.
The significant decline in defacements can have at least three
different explanations: the first may be practical, since defacers
might not be interested in reporting their actions to Zone-H
anymore. Nevertheless, we believe this to be the least plausible
option, as generally speaking the people involved in these kinds
of activities seem to like or even seek a certain level of
attention [12], and therefore reporting the attack to Zone-H
would be one of the best chances for them to gain visibility.
The second explanation is linked to cybersecurity: it might be
that many websites have significantly improved the security of
their web pages and therefore the hack requires more effort and
time compared to some years ago (this explanation seems more
acceptable, but as the ‘Netherlands Operation’ proved, many
vulnerabilities remain unpatched and can easily be exploited
[2]). Finally, hackers may find website defacements less
interesting than in the past and prefer to spend energy and
resources on more sophisticated and technically advanced
operations, that would likely also give higher rewards (for
instance more information on the target, more
acknowledgement in the hacking scene, and so on).
Table 2 and Figure 2 focus on the connections between
defacements and hacktivism and its socio-political sphere; the
trend observed in the options analysed (political reasons and
patriotism) has remained quite stable in the last six years:
patriotism covers 4.45% (steadily growing since 2013), while
defacements conducted for political reasons reach an overall
percentage of 4.98.

                                     2010       2011       2012       2013       2014       2015       2016  Total 2010-2016
Total                           1,418,687  1,608,902  1,192,300  1,391,467  1,150,453  1,010,478    888,064        8,660,351
Patriotism                         59,009    123,651     54,936     30,396     21,742     24,880     39,532          354,146
                                  (4.16%)    (7.69%)    (4.61%)    (2.18%)    (1.89%)    (2.46%)    (4.45%)          (4.08%)
Political                          57,081     92,685     93,239     67,276     59,917     61,383     52,492          484,073
                                  (4.02%)    (5.76%)    (7.82%)    (4.83%)    (5.21%)    (6.07%)    (5.91%)          (5.59%)
Political & patriotism total      116,090    216,336    148,175     97,672     81,659     86,263     92,024          838,219
                                  (8.18%)   (13.45%)   (12.43%)    (7.03%)    (7.10%)    (8.54%)   (10.36%)          (9.67%)

Table 2: Number of website defacements conducted for ‘patriotism’ and ‘political reasons’ divided by year and in total, in the
period 2010-2016. (Source: Zone-H Archive.)
Figure 2: Number of website defacements conducted for ‘patriotism’ and ‘political reasons’ divided by year and in total, in
the period 2010-2016. (Source: Zone-H Archive.)
* These values have been corrected after the publication of the paper, but they
did not affect the final results. In fact the mistake was only present in the sum
shown in Table 2, while the data analysis and the other tables were done with
the correct data.

We do not know if there is a connection, but during what
looked like the peak of Anonymous’ operations in 2011-2012,
Zone-H registered the highest number of attacks (especially
for political reasons). This does not mean that Anonymous’
members were more active in defacing websites, but it might
suggest that the general atmosphere of that period could have
encouraged other hackers to engage in these activities.
Figure 3 shows instead the general overview when comparing
the complete set of data on website defacements to those
carried out for reasons linked to hacktivism. As we noted
above, the trend of defacements conducted for patriotism and
political reasons is in countertendency compared to the
general leaning that registers a net reduction.
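
The comparison drawn here can be recomputed from the yearly counts printed in Table 2. The Python code below is an added example, not part of the original paper: it recombines the ‘patriotism’ and ‘political reasons’ rows and lists the years in which the overall total fell while that combined count rose. The function names are illustrative; the figures are copied from Table 2.

```python
"""Recompute the Table 2 aggregation and the Figure 3 comparison.

Added example; the yearly figures are copied from Table 2 of the paper
(Zone-H Archive, 2010-2016). Function names are illustrative.
"""

YEARS = [2010, 2011, 2012, 2013, 2014, 2015, 2016]

# Rows as printed in Table 2 (counts only, percentages are recomputed below).
TOTAL = dict(zip(YEARS, [1418687, 1608902, 1192300, 1391467, 1150453, 1010478, 888064]))
PATRIOTISM = dict(zip(YEARS, [59009, 123651, 54936, 30396, 21742, 24880, 39532]))
POLITICAL = dict(zip(YEARS, [57081, 92685, 93239, 67276, 59917, 61383, 52492]))


def combined_by_year():
    """Defacements reported as 'patriotism' or 'political reasons', per year."""
    return {y: PATRIOTISM[y] + POLITICAL[y] for y in YEARS}


def share_by_year():
    """Combined share of all recorded defacements, in percent, per year."""
    combined = combined_by_year()
    return {y: 100.0 * combined[y] / TOTAL[y] for y in YEARS}


def direction(series):
    """Map each year after the first to +1, -1 or 0 (change vs. previous year)."""
    out = {}
    for prev, cur in zip(YEARS, YEARS[1:]):
        delta = series[cur] - series[prev]
        out[cur] = (delta > 0) - (delta < 0)
    return out


def countertrend_years():
    """Years in which the overall total fell while the combined count rose."""
    total_dir = direction(TOTAL)
    combined_dir = direction(combined_by_year())
    return [y for y in YEARS[1:] if total_dir[y] < 0 and combined_dir[y] > 0]


def period_summary():
    """2010-2016 sums: (all defacements, combined count, combined share in %)."""
    all_total = sum(TOTAL.values())
    combined_total = sum(combined_by_year().values())
    return all_total, combined_total, 100.0 * combined_total / all_total


if __name__ == "__main__":
    shares = share_by_year()
    combined = combined_by_year()
    for y in YEARS:
        print(f"{y}: total={TOTAL[y]:>9,} combined={combined[y]:>7,} share={shares[y]:5.2f}%")
    print("total fell while political/patriotism rose in:", countertrend_years())
    print("2010-2016 (total, combined, share %):", period_summary())
```
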
Socio-political motivations
As shown in Figure 1, socio-political motivations represent
the main trigger for hacktivists, but it should be noted that
they embrace many issues. From the mid-1990s hacktivists
have defaced websites to promote goals or draw attention to a
wide variety of issues [4]; these are in line with the typical
values held by the traditional activist movements that have
appeared on the international scene since the late 1970s and
that have been identified with the ‘New social movements’, as
theorized by Melucci [9]. To name a few, they have engaged
in: anti- or alternative globalization protests against
corporations, protests in support of human rights and of the
environment, actions to criticize domestic or international
politics of a certain state [4, 13], anti-war statements, and
even revenge. The scope of their operations is clearly broad.
Examples of the last two can be found during the Kosovo
conflict in 1998-1999: many hacktivists engaged in DDoS
attacks, defacements and website hijacking to protest against
the war and the countries involved in it. Chinese hacktivists
specifically targeted several American government websites
to show their disapproval and condemnation after the US Air
Force had erroneously bombed their embassy in Belgrade [5].
Patriotism
While the political sphere has quite a broad spectrum, the
defacements conducted for patriotism are more specific and
seem mainly to be related to regional or international
conflicts. As noted by Samuel [4], international geo-political
tensions and conflicts can easily develop into attacks within
cyberspace. Some authors tend to speak in this case of
cyberwar [7], but we feel more confident in using the terms
‘cyber skirmish’ or ‘cyber guerrilla’. The Kosovo conflict is
again a good example of how patriotism is connected to
defacements. Indeed during the fight, two factions confronted
each other: many hacktivists/hackers defaced websites,
leaving messages that praise a ‘Free Kosovo’; at the same
time, nationalistic Serbian hacktivists/hackers like Serb Black
Hand engaged in heavier forms of cyber attacks, even
targeting NATO’s computer networks [7].
Another relevant example is provided by the continuing
geo-political tensions between India and Pakistan: both
Samuel [4] and Kovacs [14] have examined the skirmishes
among Indian and Pakistani hacktivists related to the ongoing
Kashmir conflict [4, 14]. An analysis of the Zone-H Archive
data has shown that the two factions, which apparently
involve dozens of hacktivists, have engaged in the
defacements of opposite domains: Pakistani hacktivists deface
Indian websites and Indian hacktivists attack Pakistani web
pages. The history of hacktivism is full of similar examples
[15]: recently we have witnessed an escalation in defacements
that support the Islamic State of Iraq and Syria (ISIS) [16]
and others focused on the Israeli-Palestinian conflict [13, 17,
18]. In one interview with a member of Tunisian Fallaga
Team (one of the most active hacktivist groups based on
Zone-H’s data), we asked how he would define his hacking
activity and if it could be described as hacktivism. He replied
saying that he ‘loves’ calling it hacktivism and that his
message is always about a free Palestine and about all the
innocent people killed around the world, with particular focus
on Muslims [19].
Denning ([7], p.272) shows that patriotism can also be
motivated by causes that do not relate directly to international
conflict, but are instead connected to internal struggles. An
example is the defacement of 40 Indonesian websites in
September 1998 which displayed the slogan ‘Free East
Timor’ in large black letters and contained links to other
websites describing Indonesian human rights abuses in the
former Portuguese colony.
Figure 3: Comparison among total defacements (grey area right axis) and defacements conducted for political reasons/patriotism
(left axis), in the period 2010-2016. (Source: Zone-H Archive.)
As shown in Table 1, 869,874 websites were defaced for
reasons of patriotism between 2010 and 2016. Considering
that this motivation is more specific than the general
socio-political one, it is possible to conclude that patriotism is the
primary cause of website defacements among hacktivists.
When speaking of patriotic hacktivism, it is always necessary
to be careful and to distinguish it from state-sponsored
hacktivism: in the latter case, hacktivists are encouraged or
even supported by a state to engage in cyberattacks or cyber
protests, while in the former the motivations belong only to
the hacktivists. The problem with state-sponsored hacktivism
is that it is impossible to distinguish from traditional patriotic
hacktivism.
Hacker ideology
Other issues that seem to motivate hacktivists when defacing
websites are those related to typical hacker values and
ideologies. Levy [20] provides a great insight into these
principles, tracing them back to what he calls ‘The Hacker
Ethic’. According to Levy there are five main principles that a
hacker should pursue:
• Promote the freedom of information
• Mistrust the authority and promote decentralization
• Judge a hacker by his/her hacking skills and not by
criteria such as degrees, age, race, or position
• Create (if possible) art and beauty on a computer
• Use computers to improve the quality of life.
The first two points in particular have often played an
important role in hacktivists’ ideology, as is also supported by
the research conducted by Coleman [21] into the well-known
hacktivist group Anonymous. An example of this typology is
the defacement of almost 500 Chinese websites carried out by
Anonymous [22] in reaction to censorship by the Chinese
government. On the defaced pages they wrote ‘Chinese
People, your government controls the Internet in your country
and strives to filter what it considers a threat for it. Be careful.
Use VPN for your own security. Or Tor.’
Psychological/personal motivations
To better understand the behaviour of hacktivists and their
personal/psychological motivations it is important to realize
that the majority of them choose to engage in hacktivism after
they have already decided to become hackers [4], usually
having the typical background and principles of the hacking
subculture [8]. Nevertheless, there are also some opposite
examples, as explained by Olson [23] and by one of our
interviewees: in these cases the personal motivations come
first, and later on the individual engages in a (usually)
self-taught process to acquire hacking skills. While some
hacktivists affirmed that they discovered the hacking world
through forums and through a trial-and-error process, a more
experienced hacktivist has clearly stated that he usually
teaches hacking techniques to the new members of his
team [24].
Hackers
When diving into the world of hacking it becomes clear that
the intellectual challenge of tinkering with computers lies at
its core. Linus Torvalds, a well-known hacker and inventor of
the Linux operating system, clarifies that for hackers the
‘computer itself is entertainment’ [25]. Levy [20] defines a
hack as an act that demonstrates ‘innovation, style and
technical virtuosity’, and describes hackers as ‘adventurers,
visionaries, risk-takers, artists’. Research on the motivations
for engaging in hacking was conducted by Jordan and Taylor
[26], who found out that hackers are encouraged by several
different drivers: compulsion to hack, curiosity, attraction to
power, peer recognition, and the feeling of belonging to a
group. They basically confirmed a previous study conducted
by Chantler [27] who constructed a list of 13 common
characteristics after studying hackers for over six years. He
concluded that hackers:
• Are loners
• Have poor social skills
• Have low self-esteem
• Are intelligent, able to focus for extended periods
• Are young
• Are explorers, investigators, curious, analytical
• Have a strong desire to succeed
• Are obsessive, even addicted to computers
• Have poor communication skills
• Have lots of acquaintances which they never meet
• Enjoy a hierarchy amongst peers
• Exchange knowledge and information amongst
themselves
• Respect each other, are popular with peers, subordinates
and superiors
• Are secretly admired by the public.
Not all of these characteristics must necessarily be met in
every hacktivist, but certainly some of them are clearly part of
their personalities. For instance, the core group of hacktivists
who were behind Anonymous and LulzSec [21, 23, 28] reflect
many (but not all) of the features described by Chantler [27]:
some of them were loners with poor social skills, young and
generally intelligent, addicted to computers and eager to
increase their knowledge in different fields [23]. Barber [11]
argues that hacktivists ‘see the [I]nternet as their channel to
reach as many viewers as possible with their message.’ We
should not forget, as Denning [7] pointed out, that many
hacks are carried out for the thrill or simply because ‘it was
possible’. This was the case, for instance, with the Milw0rm
group that attacked the website of India’s Bhabha Atomic
Research Center (BARC) in 1998, to promote an anti-nuclear
and peaceful agenda, but also because it was purely thrilling
[7]. This was confi rmed by one of the hacktivists we
interviewed who hacks for political motivation, but also
enjoys the feeling given by the action itself [24].
Hacker Taggers
Hackers who engage in website defacements have some
specific characteristics that make them slightly different from
the others. In a study conducted by Woo, Kim and Dominick
[29], 462 defaced websites were analysed. The research
confirmed that hackers may have different motivations for
engaging in defacements, the most common being
psychological and political. Woo et al. indicate that hackers
often leave taunts, greetings or calling cards behind. They
also suggest that the websites disfigured by hacktivists
contain more aggressive expressions than those defaced by
people who have fun or self-aggrandizement as primary
motivation. Besides this, they also argue that some hackers
deface websites for the sense of personal achievement, in line
with some of the characteristics described by Chantler [27].
From our analysis we can confirm these tendencies and add
that hacktivists tend to post longer messages in which they
explain the reason for the defacement.
Warren and Leitch [12] investigated a group they called
‘Hacker Taggers’, and argue that these hackers deface
websites with the sole intent of leaving a ‘tag’ behind. After
examining data from the Zone-H Archive and analysing a
number of case studies, the two researchers suggested an
initial profile for this sub-group. They confirmed some of the
characteristics identified by Chantler [27], such as the strong
desire to succeed and the importance given to the exchange of
information with each other. The two researchers depicted
four other main elements: high competitiveness; the desire to
cause minimal damage or no damage at all to the targeted
websites; the reliance upon media reports to cause political
damage or embarrassment; and finally the action as an
individual or in a team.
This profiling suggests that succeeding and establishing a
reputation as a hacker play an important role in the motivation
of those who deface websites. Samuel describes website
defacement as ‘a way of demonstrating technical prowess and
establishing a reputation as a hacker’ [4]. Because the
techniques used do not require particularly advanced hacking
skills, it might be that website defacements are used as a first
step towards more complicated operations by those hackers
who have just entered the field.
Hacktivists
In a very recent study, Madarie [30] attempted to quantify the
motivations of hackers in general, using Schwartz’s theory of
motivational types of values. She found that intellectual
challenge and curiosity were the most important motivators
for hacking into systems. She also tried to confirm the
hypothesis that hacktivists place high value on
self-transcendence qualities, which include tolerance, social
justice, equality and responsibility. However, she was not able
to confirm this hypothesis and concluded that hacktivists were
more motivated by achievement and hedonistic value types.
(It should be noted that Madarie herself stated that her sample
of hacktivists was quite small and that further research is
needed.)
We discussed these points during our interviews with two
hacktivists. The member of the group Tunisian Fallaga Team
made clear that his main motivation for defacing websites
was simply political. When we asked if any money was
involved in his activities, he strongly denied it. We probed
further into his personal motivations and asked how he
perceives the attention his attacks receive from the media. He
replied that any media attention is good, because his message
is read and spread among many people, and added that he has
a personal good feeling when he hacks. His words confirm
once again the importance that hacktivists place on visibility,
and the positive feeling they get when involved in hacking.
Furthermore, he noted that too often he and his group are
identified as terrorist ‘ISIS hackers’; he totally rejects this
label. The personal motivations also emerged in an interview
conducted with the spokesperson of Skynet Central, a group
of hacktivists active in limiting and possibly annihilating
online and offline terrorism. The interviewee said: ‘Every
time I take down a target I feel more proud than I could
describe and I feel like I prevent many crimes in the future,’
adding: ‘it [is] something personal, the war between Skynet
and ISIS.’ He concluded: ‘[Hacking is] a hobby, I enjoy [it],
but [I am] directing my skills against evil’ [24].
MODUS OPERANDI
In this section we will focus on the capabilities and the modus
operandi of hacktivists when defacing websites. First we will
describe what usually triggers them to hack. Subsequently we
will analyse their usual attack vectors and finally we will give
an overview of the most commonly used tools.
Triggers
In order to determine if a specific website is likely to be
targeted by hacktivists it seems necessary to describe how
they choose their targets. According to Hald and Pedersen
[31], hacktivists deface websites that are perceived to be an
insult to their ideology. These may be web pages that belong
to organizations or companies that take a stance against a
certain cause, or they may be all websites in a specific
country or with a specific domain. An example is the
above-mentioned case of Anonymous that explicitly targeted
Chinese websites in order to spread awareness of Internet
censorship [22], while other episodes have been analysed by
Kaplan [17] and Kovacs [14]. An interviewed member of
Tunisian Fallaga Team [19] explained that he tries to target
specific websites that have a link with a country he considers
a corrupted entity. However, as noted earlier, when hacktivists
engage in defacements they also ‘select apparently unrelated
sites designed simply to get the message to the maximum
number of eyeballs in the shortest possible time’ [11].
The selection of unrelated sites is not completely
unsystematic: the literature on the subject (validated by our
interviews) suggests that these random attacks are connected
to the use of specific tools, which identify websites that
present particular vulnerabilities [32]. A recent example that
clarifies this chain of action was the severe but easily
exploitable [33] vulnerability discovered in the REST-API of
the popular WordPress CMS [34]. The websites containing
this vulnerability were most likely found using Google dorks,
which are often exploited by defacers [35]. After the
disclosure of this weakness in the system, several well-known
defacers (hacktivists as well as non-hacktivists) defaced a
large number of websites [33, 34].
Attack methods
Since many hacktivists choose targets based on their
vulnerabilities, it is to be expected, as supported by previous
studies [31, 32], that the vulnerabilities they exploit are often
known and quite unsophisticated, usually present in the
arsenal of automatic scanning tools. An analysis of the data
from the Zone-H Archive provides great insight into which
vulnerabilities are normally exploited. When analysing the
defacements motivated by political reasons and patriotism
between January 2010 and December 2016, the most common
form of attack (18%) used to access a web page is the
exploitation of an SQL injection vulnerability. In 27% of the
cases a non-specified web application bug was exploited. In
18% of the cases another kind of method was used to deface
the websites. In 7% of the cases a brute force attack was used
to gain access to the web server. In around 6% of the cases a
file inclusion vulnerability was used to deface the websites.
Other methods employed are: other known vulnerabilities
(6.32%), URL poisoning (3.76%), FTP server intrusion
(3.11%), social engineering (3%), shares misconfiguration
(2.38%), SSH server intrusion (2.18%), mail server intrusion
(1.15%), DNS attacks (0.6%), and man-in-the-middle (MitM)
attacks (0.3%).
| Method | Percentage |
|---|---|
| Other non-specified web application bugs | 27.22% |
| SQL injection | 18.00% |
| Other methods | 18.00% |
| Brute force attacks | 7.00% |
| File inclusion | 6.39% |
| Known vulnerabilities | 6.32% |
| URL poisoning | 3.76% |
| FTP server intrusion | 3.11% |
| Social engineering | 3.00% |
| Shares misconfiguration | 2.38% |
| SSH server intrusion | 2.18% |
| Mail server intrusion | 1.15% |
| DNS attacks | 0.60% |
| Man in the middle attacks | 0.30% |

Table 3: Percentage of the methods of attack used to deface
websites in the category ‘patriotism’ and ‘political reasons’ in
the period 2010-2016. (Source: Zone-H Archive.)
Mass defacements
In the case of mass defacements, a vast number of websites
are defaced in a very short time. The hacktivists behind these
attacks use automated scanning and exploitation tools to
automatically exploit known backdoors in web applications
[35, 36]. Just as with single defacements, specifically crafted
Google dorks can be used to select the targets [35]. The
exploits used in these attacks can be purchased on online
black markets. In some cases the exploits send a request to
report successful defacements automatically to the Zone-H
Archive [35]. From the analysis of the most active defacers,
we can confirm that this method is widely employed and
seems to have a high rate of success.
TOOLS
As there have been few scientific studies specifically
investigating the tools hacktivists use when defacing a
website, reviewing the existing literature did not provide us
with a lot of insights. Some security firms, however, have
conducted preliminary technical analysis of hacktivists’
attacks. Fox-IT [2], for instance, has investigated the earlier
mentioned attacks (‘Netherlands Operation’). The
investigation shows that during the operation a (basic)
identification tool, written in .NET, was used to locate Dutch
and German websites which were running a vulnerable
WordPress version using Google dorks. The fact that
hacktivists create their own tools or scripts is in line with the
answers given by the member of the Tunisian Fallaga Team
[19], who confirmed that he creates his own scripts in order to
(automatically) deface a website. In addition to the creation of
their own tools, they also frequently use publicly available
vulnerability scanners, such as Acunetix or Havij [36, 37], as
again confirmed in our interviews. Some hacktivists prefer to
completely automate the defacement process: in this case they
use tools which automatically find a vulnerable website and
operate an exploit which uses a known vulnerability [35].
These tools include LFI intruder, SCT SQL SCANNER and
Priv8 RFI SCANNER v3.0 [35].
RESULTS AND CONCLUSION
In general, a web page defaced by a hacktivist or a hacktivist
group will display a socio-political message related to the
specific motivation behind the attack. In Figure 4 we provide
a good example of this trend, showing the defaced website
http://navstarter.com that was attacked by members of the
Tunisian Fallaga Team. It is clear from the text on the page
that the Tunisian Fallaga Team attempts to raise awareness of
conflicts where Muslims are involved. The hacktivists
submitted the defaced page to Zone-H, giving patriotism as
the main reason for the attack.
It should be noted that the given reasons in the Zone-H
Archive are not always in line with the message or contents of
the defaced page. In some cases we did not find any specific
message, but a simple tag (for instance ‘hacked by…’), as had
been suggested by Warren and Leitch [12]. In other cases,
especially for patriotism, hacktivists left behind the flag of a
certain country with some background music. In other cases
the defaced page does not promote any message, but
distributes a piece of malware.
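The page types described above (a bare ‘hacked by…’ tag, a flag with background music, a page that only distributes malware) map onto a site owner's own integrity check. The following is an added example, not code from the paper: it compares a fetched page with a known-good baseline. The indicator patterns, tag lists, class and function names and the sample pages are all constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Indicator classes follow the paper; the patterns and tag lists below are
# assumptions made for this example and need tuning per site.
TAG_RE = re.compile(r"\b(?:hacked|defaced|owned|pwned)\s+by\b", re.I)
MEDIA_TAGS = {"audio", "bgsound", "embed"}
SRC_TAGS = {"script", "iframe", "embed", "audio", "source", "bgsound"}

class PageScan(HTMLParser):
    """Visible text, its SHA-256, media presence and external hosts of a page."""

    def __init__(self, html):
        super().__init__(convert_charrefs=True)
        self.chunks, self.audio, self.hosts, self._skip = [], False, set(), 0
        self.feed(html)
        self.close()
        # Normalise whitespace so pure re-indentation does not change the hash.
        self.text = " ".join(" ".join(self.chunks).split())
        self.digest = hashlib.sha256(self.text.encode("utf-8")).hexdigest()

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # script/style bodies are not visible text
        self.audio = self.audio or tag in MEDIA_TAGS
        if tag in SRC_TAGS:
            src = dict(attrs).get("src") or ""
            m = re.match(r"(?:https?:)?//([^/:?#]+)", src)
            if m:
                self.hosts.add(m.group(1).lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def check_page(html, baseline):
    """Compare a fetched page with a known-good PageScan; [] means no finding."""
    page, findings = PageScan(html), []
    if page.digest != baseline.digest:
        findings.append("content-changed")
    if TAG_RE.search(page.text):
        findings.append("defacer-tag")
    if page.audio and not baseline.audio:
        findings.append("new-embedded-audio")
    new_hosts = sorted(page.hosts - baseline.hosts)
    if new_hosts:
        findings.append("new-external-host:" + ",".join(new_hosts))
    return findings

# Constructed sample pages (not taken from any real site).
GOOD_PAGE = """<html><head><title>Example Bakery</title>
<script src="https://cdn.example.org/app.js"></script></head>
<body><h1>Fresh bread daily</h1><p>Open 7-18.</p></body></html>"""
DEFACED_PAGE = """<html><head><title>HaCkEd By ExampleCrew</title></head>
<body><h1>Hacked by ExampleCrew</h1>
<embed src="http://media.example.net/anthem.mp3" hidden="true">
<script src="//dl.example.net/x.js"></script></body></html>"""
# Same visible text as the baseline, but with an injected frame.
INJECTED_PAGE = GOOD_PAGE.replace(
    "</body>", '<iframe src="https://dl.example.net/kit"></iframe></body>')
BASELINE = PageScan(GOOD_PAGE)
```

The injected sample leaves the visible-text hash unchanged, which is why the external-host comparison is kept as a separate check.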
To sum up, website defacement still represents one of the
main tools used by hacktivists to promote a socio-political
message. There are plenty of methods that an individual can
use to deface a website, and generally speaking they are not
as complicated as other forms of hacking. This means that
many people, especially young hackers who have just taken
their first steps into the world of hacktivism, can easily
engage in actions in order to test their skills, gain visibility
and help in promoting a certain cause. We have seen that even
if the technique is 20 years old, it has not really lost its appeal
among hacktivists (at least when we analyse the trends of the
last six years). We have explained that hacktivists are
triggered by socio-political motivations and by patriotism
(which actually represents the primary motivation for
defacing). Hacktivism and defacements seem to be linked to
regional and international geo-political tensions, as shown in
several cases (the Israeli-Palestinian conflict and
Indian-Pakistani tensions).
Finally, considering that to calculate a threat it is necessary to
know the intent of the individual (motivations of hacktivists)
and the capabilities (modus operandi and tools used by
hacktivists), we can conclude that hacktivism when connected
to website defacements does not represent a huge threat. This
point needs clarification: it is not a huge threat for all those
companies, public organizations and governments that apply
standard levels of cybersecurity within their computer
networks. Even in the case of a defacement, the costs to
restore the web pages would not be too significant for a big
corporation, but it should warn about other possible
vulnerabilities present in the system.
Figure 4: Homepage of the Navstarter.com website defaced by a member of Tunisian Fallaga Team.
The situation is different for small companies or personal
websites that do not apply good security measures or are not
updated. We can conclude that these seem to be the most
common targets because they are easier to reach and deface.
Therefore, for these, website defacements still represent a
relevant threat.
REFERENCES
[1] Pieters, J. (2017, March 14). Turkish hacker groups
focus cyberattacks on Dutch websites, incl. NL
Times. NL Times.
http://nltimes.nl/2017/03/14/turkish-hacker-groups-focus-cyberattacks-dutch-websites-incl-nl-times.
[2] Fox-IT. (2017). Turkish hacktivism activity.
https://foxitsecurity.files.wordpress.com/2017/03/20170323_turkish_hacktivism_writeup_public_final.pdf.
[3] Kharpal, A. (2017, March 15). Hundreds of Twitter
accounts including Bieber and Forbes hacked, calling
Germany, Netherlands ‘Nazi’. CNBC.
http://www.cnbc.com/2017/03/15/turkey-twitter-accounts-hacked-germany-netherlands-nazis-forbes.html.
[4] Samuel, A. W. (2004). Hacktivism and the future of
political participation. Ph.D. in Political Science,
department of Government, Harvard University,
Cambridge, Massachusetts.
[5] Denning, D. E. (2015). The Rise of Hacktivism,
Georgetown Journal of International Affairs,
September 8, 2015.
http://journal.georgetown.edu/the-rise-of-hacktivism/.
[6] Milan, S. (2015). Hacktivism as a radical media
practice. In Atton, C. (ed.) The Routledge
Companion to Alternative and Community Media.
New York: Routledge, 550-560.
[7] Denning, D. E. (2001). Activism, Hacktivism, and
Cyberterrorism: The Internet as a Tool for Influencing
Foreign Policy. In Arquilla, J.; Ronfeldt, D. (eds.)
Networks and Netwars: The Future of Terror, Crime,
and Militancy. Santa Monica: RAND, 239-288.
[8] Jordan, T.; Taylor, P. (2004). Hacktivism and
Cyberwars: Rebels with a cause. London: Routledge.
[9] Melucci, A. (1995). The Process of Collective Identity.
Temple University Press. In Johnston, H.;
Klandermans, B. (eds.) Social Movements and Culture.
Minneapolis: University of Minnesota Press, 41-63.
[10] Milan, S. (2013). Social Movements and Their
Technologies. Wiring Social Change. Palgrave
MacMillan: London.
[11] Barber, R. (2001). Hackers profiled – Who are they
and what are their motivations? Computer Fraud &
Security, 2001(1), 14-17.
[12] Warren, M.; Leitch, S. (2010). Hacker taggers: A
new type of hackers. Information Systems Frontiers,
12 (4), 425-431.
[13] Karatzogianni, A. (2005). The politics of
cyberconflict: Ethnoreligious conflicts in computer
mediated environments. Ph.D. in Political Science,
Nottingham University, Nottingham.
[14] Kovacs, E. (2014, April 27). Cyber conflict between
Indian and Pakistani hacktivists will not end any time
soon. Softpedia.
http://news.softpedia.com/news/Cyber-Conflict-Between-Indian-and-Pakistani-Hacktivists-Will-Not-End-Any-Time-Soon-439300.shtml.
[15] Caldwell, T. (2015). Hacktivism goes hardcore.
Network Security, 5, 12-17.
[16] Krebs, B. (2015, April 15). FBI Warns of Fake Govt
Sites, ISIS Defacements.
https://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/.
[17] Kaplan, D. (2009, January 5). Web defacements
escalate as Israel moves farther into Gaza.
https://www.scmagazine.com/web-defacements-escalate-as-israel-moves-farther-into-gaza/article/555321/.
[18] Winer, S. (2015, April 7). Annual cyber-attack on
Israel targets MK’s website. The Times of Israel.
http://www.timesofisrael.com/annual-cyber-attack-on-israel-hits-mks-website/.
[19] Tunisian Fallaga Team, (March, 2017). Interviewer:
Marco Romagna [email].
[20] Levy, S. (1984). Hackers: Heroes of the Computer
Revolution. New York: Doubleday.
[21] Coleman, G. (2014). Hacker, Hoaxer, Whistleblower,
Spy: The Many Faces of Anonymous. London and
New York: Verso.
[22] BBC (2012, April 5). Chinese websites ‘defaced in
Anonymous attack’. Retrieved from
http://www.bbc.com/news/technology-17623939.
[23] Olson, P. (2013). We Are Anonymous: Inside the
Hacker World of LulzSec, Anonymous, and the
Global Cyber Insurgency.
[24] Skynet Central, (December 2016 – May 2017).
Interviewer: Marco Romagna [Instant message via
Twitter].
[25] Himanen, P. (2001). The Hacker Ethic and the Spirit
of the Information Age. New York: Random House.
[26] Jordan, T.; Taylor, P. (1998). A sociology of hackers.
Sociological Review, 46 (4), 757-780.
[27] Chantler, N. (1995). Risk: The Profile of the computer
hacker. Ph.D. thesis, Curtin Business School,
Australia.
[28] Mansfield-Devine, S. (2011). Hacktivism: Assessing
the damage. Network Security, 8, 5-13.
[29] Woo, H.; Kim, Y.; Dominick, J. (2004). Hackers:
Militant or Merry Pranksters? A Content Analysis of
Deface Web Pages. Media Psychology, 6, 63-82.
[30] Madarie, R. (2017). Hackers’ Motivations: Testing
Schwartz’s Theory of Motivational Types of Values
in a Sample of Hackers. International Journal of
Cyber Criminology, 11(1), 78-97.
[31] Hald, S. L.; Pedersen, J. M. (2012). An Updated
Taxonomy for characterizing hackers according to
their threat properties. In Advanced Communication
Technology (ICACT), 2012 14th International
Conference on (pp. 81 - 86). IEEE Press.
(International Conference on Advanced
Communication Technology).
[32] Furnell, S. (2003) Cybercrime: Vandalizing the
information Society. In: Lovelle J.M.C.; Rodríguez
B.M.G.; Gayo J.E.L.; del Puerto Paule Ruiz M.;
Aguilar L.J. (eds) Web Engineering. ICWE 2003.
Lecture Notes in Computer Science, vol. 2722.
Berlin, Heidelberg: Springer.
[33] Montpas, A.M. (2017, February 1). Content Injection
Vulnerability in WordPress.
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html.
[34] Maunder, M. (2017, February 10). Rapid Growth in
Defacements, Who was Hit, Who is Attacking.
https://www.wordfence.com/blog/2017/02/rapid-growth-in-rest-api-defacements/.
[35] Jacoby, D. (2010, July 21). Mass Defacements: the
tools and tricks.
https://securelist.com/36356/mass-defacements-the-tools-and-tricks/.
[36] Carr, J. (2011). Inside Cyber Warfare: Mapping the
Cyber Underworld (2nd ed.). Sebastopol, CA:
O’Reilly Media.
[37] Imperva. (2012). Imperva’s Hacker Intelligence
Summary Report The Anatomy of an Anonymous
Attack.
https://www.imperva.com/docs/HII_The_Anatomy_of_an_Anonymous_Attack.pdf.