A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks


Web attacks—attacks that compromise internet assets like mail servers, cloud infrastructures, and websites—are troubling phenomena. The research community has put considerable effort into investigating these incidents but has mostly focused on detecting attacks and not delving into the reasons behind these attacks. Of course, the typical cybercriminal’s goal is to profit. They might compromise websites to push ransomware, or they could try and steal data—recent breaches show that information is an increasingly valuable commodity. But, as this paper discusses, more emotional motivations, such as patriotism, specific real-world events or simply hacktivism, can also trigger compromises. Web defacement hacktivism is the practice of subverting a website with the goal of promoting a specific agenda or political ideology. Methods may vary, but when hacktivists compromise a website, the usual tactic involves replacing the original page with their version—a practice that is called web defacement. Hacktivism is mainly linked to web defacement, but a hacktivist (the attacker) can also be involved in traffic redirection (from a legitimate site to an attackerowned site), denial of service (a form of service disruption), and malware distribution to support their particular cause. Dedicated websites like Zone-H1 collect evidence of web defacements and defacers can voluntarily advertise their compromise by submitting a report. Elaborating on the reasons behind web defacements at scale is not as easy as it seems. While someone could theorize that geopolitical events and conflicts influence cybercriminals’ attacks against websites and their choice of victims, corroborating this phenomenon requires large-scale analysis. Our examination of over 13 million web defacement reports against websites spans over 18 years, covering multiple continents. We designed an internal system that gathers, analyzes, and clusters these millions of reports. As we identify the major campaigns of these defacers, we can provide further insights into how geopolitical events are reflected in web defacements. We also look at how different factors, such as the political beliefs and the defacers’ religious inclination, can trigger and affect these attacks. Our first two sections provide high-level insights into our dataset of defacements, as well as some defining facts about the targets and tactics used by the defacers. Our next section on Real World Impact breaks down seven top campaigns that have affected Israel, France, India, Syria, Kosovo, and countries surrounding the South China Sea. We delve into specific conflicts in those areas and the defacements that happened in the aftermath. The succeeding sections cover the hacking groups’ affiliations and how their collectives are organized—some collectives are formed across continents, and some are a loose collection of local hackers. Recruitment tools and the methods used to distribute hacking techniques are also discussed. The final sections discuss other activities that defacers take part in, and how the current activities may evolve. Recently, there have been incidents of hackers who have gone from simple web defacement to activities supporting cybercrime. There is a real possibility that defacers and defacement groups will start to escalate their activities, move away from ideological motivations, and turn into cybercrime.