
As a security researcher and software engineer, I always find it interesting to participate in an incident response. It was in this capacity that I had the opportunity to witness a large-scale hacktivist attack against a client, a big healthcare company that was undergoing an active Distributed Denial of Service (DDoS) attack.
It had drawn the attention of an activist group who was angered by the company’s pricing practices. The group had created a campaign to recruit protesters to dedicate a tab on their browsers to the cause of vigilante justice (“justice” in this case meaning pummelling the company’s main website with computationally expensive requests). Our client had no DDoS protection in place and was feverishly working with its ISP to implement something. My role was to try to see if we could get something temporary in place using the resources the company already had on hand.
The attackers were visiting a website that caused their browser to send a periodic request to the client’s site. Once the tab was set up and working, the attackers did not perform any further DNS resolution of the victim site. The stopgap solution I proposed was simple: move the victim site to new IP addresses and update the company’s DNS entries. The attackers persisted in their DDoS requests against the old addresses, but the requests were no longer being answered. They were none the wiser, since they had just set the tab up and then moved on to looking at other things, secure in the knowledge that automated justice was being served.
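To make the mechanism concrete, here is a small Python model, added for this article and not code from the incident or from the original post, of two kinds of requester hitting a site that is moved to a new address partway through. One client resolves the name once and keeps hitting that address (the attack tab); the other honours the DNS TTL like a normal browser and operating system. The hostname, the addresses (taken from the 203.0.113.0/24 documentation range), the TTLs and the timings are all constructed for the example.

```python
"""Model of why moving a site to new addresses and updating DNS sidesteps
a browser-tab DDoS whose clients never re-resolve the name.

Added illustration; the hostname, addresses, TTLs and timings below are
constructed for the example and are not from the incident described.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TARGET = "www.example-pharma.test"  # constructed hostname


@dataclass
class Zone:
    """Authoritative DNS data: name -> (address, ttl in seconds)."""
    records: Dict[str, Tuple[str, int]]

    def lookup(self, name: str) -> Tuple[str, int]:
        return self.records[name]


@dataclass
class Origin:
    """The victim's web tier: only addresses in `live` answer requests."""
    live: set

    def handle(self, ip: str) -> bool:
        return ip in self.live


@dataclass
class Client:
    """A requester. re_resolve=False models the attack tab, which resolved
    the name once at setup and keeps hitting that address forever.
    re_resolve=True models a normal browser/OS that re-queries when the
    cached answer's TTL expires."""
    name: str
    re_resolve: bool
    cached: Optional[Tuple[str, float]] = None  # (address, expires_at)

    def address_for(self, zone: Zone, now: float) -> str:
        if self.cached is None or (self.re_resolve and now >= self.cached[1]):
            addr, ttl = zone.lookup(TARGET)
            self.cached = (addr, now + ttl)
        return self.cached[0]


def simulate(ttl: int, move_at: float, end: float,
             step: float = 10.0) -> Dict[str, List[bool]]:
    """Site starts on 203.0.113.10 and is moved to 203.0.113.20 at
    `move_at` seconds; the old address stops answering at that moment.
    Returns, per client, whether each periodic request reached a live
    address (one request every `step` seconds from t=0 to t=end)."""
    zone = Zone({TARGET: ("203.0.113.10", ttl)})
    origin = Origin(live={"203.0.113.10"})
    clients = [Client("attack-tab", re_resolve=False),
               Client("normal-user", re_resolve=True)]
    results: Dict[str, List[bool]] = {c.name: [] for c in clients}
    moved = False
    t = 0.0
    while t <= end:
        if not moved and t >= move_at:
            zone.records[TARGET] = ("203.0.113.20", ttl)  # DNS cutover
            origin.live = {"203.0.113.20"}                 # old IP goes dark
            moved = True
        for c in clients:
            results[c.name].append(origin.handle(c.address_for(zone, t)))
        t += step
    return results


def served_after_move(ttl: int, move_at: float = 60.0, end: float = 300.0,
                      step: float = 10.0) -> Dict[str, int]:
    """Count each client's requests after the cutover that reached a live
    address. The attack tab always scores 0; a normal user only recovers
    once its cached answer has expired, so the TTL decides how much
    legitimate traffic is lost alongside the attack traffic."""
    results = simulate(ttl, move_at, end, step)
    first_after = int(move_at // step)
    return {name: sum(hits[first_after:]) for name, hits in results.items()}


if __name__ == "__main__":
    for ttl in (30, 120, 3600):
        print(f"TTL={ttl:>4}s  served after move: {served_after_move(ttl)}")
```

With a 30-second TTL every request from the normal user after the move is answered, while the attack tab's requests all go to a dead address. With a 3600-second TTL the normal user is cut off for the rest of the run too: the move is only painless if the record's TTL was lowered well before the cutover, or the old addresses keep serving for one TTL after it. The same model also shows the limit of the trick: attack tooling that re-resolves the name would follow the move exactly as the normal user does.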
A Persistent Problem
Fifteen years since the formation of Anonymous, nearly 10 years after the introduction of the Low Orbit Ion Cannon (LOIC), and two years after the Dyn DDoS attack, hacktivism against controversial industries and shared infrastructure remains a growing concern. A portmanteau of "hack" and "activism," the term “hacktivism” was coined in 1996 by Omega, a member of the hacker collective Cult of the Dead Cow. While it is difficult to quantify the frequency of hacktivism (attackers’ motives are not always transparent), the last few years have seen a clear rise in the number of highly visible hacktivist attacks against governments, infrastructure, and companies with controversial business practices.
The quintessential hacktivist target is the pharmaceutical industry—especially the giants who capitalize on exclusive rights to critical drugs or drug-delivery systems in unethical ways, such as convicted fraudster Martin Shkreli, whose company infamously acquired the rights to Daraprim (a drug that treats toxoplasmosis and malaria) and then raised the price by over 5,000%. As in the Shkreli case, pricing is usually the hot button provoking the ire of the social-justice crowd, and it makes these industry giants an obvious target for application-layer DDoS attacks. Compounding the issue, pharmaceutical manufacturing and pricing are highly regulated (and therefore highly visible), making it easy for those who are concerned to get access to the often inflammatory facts.
Current Events Continue to Fuel the Fire
The atmosphere is rife with the controversy that the Sackler family and Purdue Pharma were conspiring with big healthcare to exacerbate the opioid crisis so that they could profit from both sides of the problem. Recent price hikes by Nostrum Pharmaceuticals, and strategically canceled plans for price hikes by Novartis AG, Gilead Sciences Inc., Roche Holding AG, and Novo Nordisk A/S, are interestingly coincident with California legislation forcing drug makers to give consumers advance notice of price changes. Two years ago, Vermont senator and former contender for the Democratic presidential nomination Bernie Sanders famously sent a letter asking the US Justice Department and the Federal Trade Commission to investigate pharmaceutical makers for possibly colluding on insulin price increases. Two years later, the demand for an investigation continues. These events and the surrounding public outrage are likely to foreshadow even more populist hacktivism against pharmaceutical companies.
Does the Solution Require Both Digital and Ethical Components?
Of course, when it comes to hacktivism, healthcare and pharma are only two of the myriad industries and companies with big bullseyes painted on them. There are many tools lying around, along with many willing activists, and the barriers to entry for a noteworthy DDoS attack are low. Defenders need to ensure they have good identity and access management, application-layer firewalls, and DDoS mitigation agreements in place to protect their enterprise. However, I believe there’s more that could be done to prevent hacktivist attacks. Considering that the average cost of a DDoS incident is purported to run from $20,000 to $2,000,000+, perhaps it’s time for large corporations (especially those that are highly regulated and scrutinized) to carefully consider the social implications of their decisions. If business decisions prove to be unpopular, there can be significant direct costs to the business.
Splunk’s Security Research Team would love to hear about your industry-specific security concerns. Share your thoughts below or at research@splunk.com.
----------------------------------------------------
Thanks!
Jason Brewer