Last week, a third phase of OpIcarus was launched. Dubbed "Project Mayhem", this new phase has the stated objective of targeting stock exchanges worldwide. Since its inception, mentions of OpIcarus on social media and associated threat actor activity have increased, particularly since April 2016 and after a spate of media reporting in May 2016 that produced large numbers of retweets of content relating to this coverage. At the time of writing, our analysis had identified approximately 90 claims of successful DoS attacks made as part of OpIcarus.
Figure 1 – Mentions of OpIcarus between 15 Apr 2016 and 06 Jun 2016
Hacktivist activity as part of OpIcarus has continued for approximately four months. Based on two variables, the level of participation and the level of organization, we have generated four scenarios in order to forecast the threat OpIcarus will pose in four months' time.
Figure 2 – Four scenarios depending on levels of organization and participation
Figure 3 – Key features of the four scenarios (ranked 1-4 in order of assessed likelihood)
Least likely, high threat scenario – “The Legion”
In four months' time, increased press and media coverage of OpIcarus has led to a greater level of participation in OpIcarus by threat actors and groups. Media reporting is perceived as a sign of success by these threat actors and groups, encouraging them to participate. The threat actors and groups are also partially motivated by establishing their credibility and generating publicity for their own endeavors; taking part in a widely recognized operation has allowed them to gain publicity and kudos. Seeing this increased level of participation has led a core group of threat actors, or a threat group that is widely recognized amongst hacktivists, to establish a platform from which they have started to coordinate OpIcarus attacks in real time. While the threat actors have used the same tactics, techniques and procedures (TTPs) as in the months prior, the coordination of attacks has led to a higher impact on targeted websites, for example through higher-volume DoS attacks against a single target at the same time. Given this coordination, OpIcarus activity has become more focused and attack claims are more substantiated, because website downtime is observable. Some threat actors have not followed any coordination and continue to make attack claims against financial institution websites with a lower impact. However, an increased number of higher-impact attacks has raised the OpIcarus threat level to Medium.
Most likely, low threat scenario – “The Rabble”
In four months' time, it is most likely that OpIcarus will be characterized by increased levels of participation but less organization overall. Media reporting is assessed to be one of the major motivating factors for participation in this hacktivist operation, demonstrated by continued references to media reporting by the participating threat actors and by the overall increase in mentions observed after May 2016. Although we anticipate increased participation, we have detected no indicators to suggest a change in the tactics, techniques and procedures used. This, coupled with the continued use of large target lists posted to text-sharing websites and the fact that we have not detected a single platform for coordination, suggests it is likely that any increase in participation will not be met with better coordination on the part of the threat actors involved. At the time of writing, the main platforms for coordination have been a Facebook event, Twitter and Pastebin. These attacks have involved the same TTPs detected since February 2016, namely denial of service attacks using publicly available tools such as the Low Orbit Ion Cannon and Saphyra. Therefore, while attack claims will continue to be detected, the impact on targeted financial institutions will likely remain low, assuming that hacktivist actors with a higher capability, such as Phineas Fisher, do not participate in the operation. We have not detected any evidence to suggest that the threat actors involved in, or those likely to become involved in, OpIcarus possess a high capability.
Cyber situational awareness comprises three levels: perception, comprehension and projection. The last of these, projection, is often the most difficult because the future is uncertain. While we cannot predict what will happen in October 2016, by using a scenario-based approach and stress-testing our analysis we can make our assumptions explicit and identify the key indicators that would distinguish one scenario from another. Both of these allow us to make more informed assessments of how a threat may be developing.