Cyber activists, or hacktivists, have become a firmly fixed element of the threat landscape since groups like Anonymous, Lulzsec, and the Al Quassam Cyber fighters broke into the mainstream media a few years ago. However, reviewing recent hacktivist operations such as OpIcarus and OpOlympicHacking, it is striking to me how much the hacktivist scene seems to repeat itself – both in terms of targets and the tactics that this threat actor group collectively pursue.

This raises an interesting question: is the hacktivist scene, as a collective, learning from its experiences? While there have been a number of studies that have examined how groups such as terrorist and drug runners (From Pablo to Osama) go about learning as organizations, there has been almost no research into how hacker groups store their operational knowledge.

Despite the odd exception, it appears that, as a rule, the English-speaking cyber activist sphere seems almost permanently focused on attacking a core group of targets associated with either the global banking sector, online paedophilia or organizations associated with environmental issues. This status quo seems to have been fixed for a number of years and firmly grounds groups such as Anonymous into the left wing/ anti-establishment/ neo anarchist mould. At a tactical level the English-speaking hacker sphere would appear to be at times operationally moribund, with groups pursuing causes like OpIcarus actually showing a step back from the technical high points (webhives, reflective DDOS, sophisticated information operations) that groups such as Lulzsec achieved only a few short years ago.

There are a few examples of “new school” activists that are pushing the boundaries of hacktivism. Individuals such as Phineas Fisher, is to many activists and analysts the modern “model” of a cyber activist. Additionally, when it comes to the issue of experience retention within activist groups we see evidence of historical knowledge that dates back years rather than months in many larger collectives (the persistence of the Mr Lulz iconography within Anonymous related groups being one significant example). However, for the most part, the English-speaking hacker sphere seems to be stuck in a cycle of relearning past knowledge and making many of the same mistakes as their predecessors. Why is this?

While we can’t overlook simple operational fatigue, I feel one strong possibility is the organizational structure that groups like Anonymous employ – namely a loose clustering of individuals forming a decentralized network of small groups. This network form has served well for many groups engaged in nefarious activities, but it does have its downside. A lack of centralized command and control is the most obvious challenge of the network form of organization. Another major challenge is retaining knowledge that the organization gains through its activities. This would appear to be particularly acute for groups such as Anonymous who have this issue compounded by the apparently short life span of activists.

Decentralized networks are not limited to hacktivism and cyber criminals also employ a similar network form of organization. However this category of cyber threat actor clearly build on their past collective experience, even going so far as to periodically conduct “lessons learnt” exercises. The “security” section of The Hub Tor site, shown in the image below, is an example of this activity. Possibly the delta that separates these two groups is the physical codification of knowledge that the cyber criminal community engage -– they write facts and experiences down on numerous criminal forums that become a tangible lexicon of knowledge for aspirant cyber criminals to draw upon. In contrast hacktivists tend to restrict their activities to Internet Relay Chat forums and other far more transient forms of messaging. This creates the effect of aspirant hacktivists attempting to tap a knowledge base in real time, one that is ever decreasing due to attrition of the network though either voluntary or forced disengagement.

The Hubg Dark Net

Figure 1: Screenshot of the various topics listed within the Security section of The Hub Dark Net Internet forum

The way organizations learn from their experiences and retain corporate knowledge is a well-known subfield of social science. However, it has yet to be fully applied to actors groups active within the cyber underground. Although this blog is not the answer to the question (or possible even posing the right question), considering the way that organizations learn and retain operational knowledge will be a key component of cyber situational awareness in the future.