Skip links

Behind the Mask of GhostSec: Vigilante Hackers on a Cyber Crusade

Jump To Section

Behind the Mask of GhostSec: Vigilante Hackers on a Cyber Crusade

In the shadows of the digital underground, a hacking group known as GhostSec emerged, capturing cybersecurity experts’ and the public’s attention. Anonymous-affiliated GhostSec, often self-described as vigilante hackers, have taken it upon themselves to wage a cyber crusade against extremist content and activities on the internet. In this blog post, we delve into the enigmatic world of GhostSec, its motivations, actions, and the ethical dilemmas they present.

Vigilante Hackers on a Cyber Crusade

Origins

GhostSec first surfaced in 2015, arising from the remnants of the infamous hacktivist collective, Anonymous. While Anonymous was renowned for its broad range of operations, GhostSec adopted a more focused and specific mission – combating online terrorism and violent extremism. With a skilled team of hackers and information security enthusiasts, they quickly gained attention for their unorthodox approach to battling extremist groups on the web.

Cyber Crusade Against Extremism

GhostSec is driven by a vague objective – disrupting the online presence and communication of terrorist organizations, such as ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. Their modus operandi involves identifying social media accounts, websites, and online platforms associated with these extremist groups and then launching targeted cyberattacks to take them down.

Using a combination of hacking techniques, from Distributed Denial of Service (DDoS) attacks to defacement and data breaches, GhostSec aims to disrupt the propaganda machinery of these organizations. Their actions have led to the removal of extremist content and have hindered recruitment efforts and communication among terrorist elements.

Ethical Dilemma

While GhostSec’s intentions might appear admirable, their methods raise significant ethical questions. Some argue that their vigilantism blurs the lines between cyber activism and cybercrime. Taking the law into their own hands, they operate without the legal authority or oversight that law enforcement agencies adhere to.

Moreover, the group’s activities often occur in the gray zone of hacking ethics, where justifiable ends are pursued through potentially illegal means. The use of DDoS attacks and hacking into private servers, even in the context of combating terrorism, can infringe upon the principles of individual privacy and freedom of speech.

Cat-and-Mouse

GhostSec activities have not gone unnoticed by the extremist groups they target. Therefore, they have become a prime target for retaliatory attacks. To protect themselves and their identities, GhostSec members operate under pseudonyms and employ advanced encryption methods to conceal their tracks. This cat-and-mouse game between vigilantes and terrorists adds another layer of complexity to the ongoing cybersecurity landscape.

In the last 6 months, I’ve followed GhostSec, and watched associated followers swell to over 26,000 on various social media platforms where leaks, dumps, and hacks are posted on a monthly basis. The first one I came across was the Russian LERS accounting service with over 100 interfaces leaked, soon another one, the Brazilian governments’ webmail was targeted and approximately 900MB of data was taken in the heist, RTU was designed for ICS environments in Belarus was attacked with ransomware, zero days containing SQLi vulnerabilities were dropped, the Russian government website (information not disclosed in this blog due to its sensitive nature) was leaked extensively online. Approximately 40GB of Maines Government data was leaked, however, Maine disputed this fact claiming the data was public. Next in line for GhostSec attacks were Modbus (an IOT device used for connecting ICS systems for monitoring and temperature control) modules in Iran. This team does not quit, the hacks keep coming, hitting hard!

Also read: Building Cybersecurity Talent: A Comprehensive Guide for Training and Development

SiegedSec Hit the Radar

Around this time a smaller collective previously unknown to me, a group identifying as SiegedSec make an appearance on Valentine’s Day claiming to have hacked the software company Atlassian. They gained access to employee records and building plans amongst other things, all leaks being distributed online.

GhostSec - Vigilante Hackers

GhostSec continue their campaign in February by shutting down RU, BY, and RS satellite receivers and tweeting about it! A few days later they turn their attention back to the Russian campaign in Ukraine, declaring war on the dictatorship and promptly defacing approximately 40 Russian websites. Shortly after this GhostSec produce a private membership which includes releases of tutorials, hacks, zero-day exploits, private leaks, and databases for a monthly fee of $50, they also offer “lifetime access for $400” At this point I start to question their ethics, however, I understand the costs involved to launch these campaigns, the resources, time and energy spent need to be covered and as the rest of the world has learned to incentivize and charge “pay per view” it stands to reason that GhostSec too has realized that they have an audience and start to capitalize on their online fame. Later in the year, they post a short message to their audience, about some of the services they provide, for example, the free VPN service for #OpIran with the quote “Providing a free service is sadly not free for us”. They appeal to the good nature of their followers, asking for support and donations in their continued projects. All new services and projects are published openly with proof of how the funds are being spent.

SiegedSec Hit the Radar

The OPS

In March the focus remains on #OpRussia for a 72-hour attack which results in the compromise of 184 1C: Enterprise 8 LicenseServers (automation of management and accounting), the very next day FM Radio stations in Brazil were attacked. Operations around the world continued with renewed vigor #OpRussia, #OpCuba, and #OpBalochistan (“The land of missing people” operation)

SiegedSec deface Faroe Islands websites and leaked 30GB of user data and source code. All source codes and databases were hosted online. During this time, GhostSec notify their followers of a Telegram scam hosted by the Tesseract group selling scam services and to avoid them at all costs. Shortly after this, the first Balochistan hack takes place, EFP (Employee’s Federation of Pakistan) due to the oppression faced by Balochis. Motivations are mixed and globally spread, grassroots movements and activism have evolved into scaled hacktivism, and the war is being fought online. Russia faces renewed attacks and the GNSS satellite receivers start “dropping like flies”. This is a continuous activity throughout the war, GhostSec regularly targets Russian satellites, taking them offline. More news sources start reporting the activity in April.

GhostSec has a sense of humor, by launching their 3rd annual April’s Fool’s hack, they target the government branch of Fujairah webmail in the UAE, dropping dumps online. Shortly after this, Israeli satellites and water pumps are attacked after Israeli forces raided the Al Aqsa Mosque during Ramadan. GhostSec cyber crusade repeatedly stands up in defense of injustices and crimes around the world, adding to their attacks they offer a free VPN service to all users around the world, set up for the people of Iran facing difficulties with censorship and internet disruptions as far back as 2013, users around the world start accessing the service including France, United Kingdom, and Germany.

Later in April, #OpCuba is in the spotlight again with the release of a YouTube video highlighting the plight of the people in Cuba fighting against the dictatorial regime, “The Cuban people want their freedom and their rights. We hear your voices; we see your struggles. So, we shall stand with you all as you fight for your rights and against the tyranny occurring in Cuba, we will cripple them as you all bravely get back what you deserved from the start – #OpCuba has commenced.”

GhostSec - Vigilante Hackers

The Sindh Laws website (Ministry of Law – Government of Pakistan) and Pakistani police received attacks, websites are defaced, and data is dumped, GhostSec stand up for the Balochistan people demanding a better future for all.

SeigedSec hit hard in May announcing operations against the Philippines due to the pressures people are facing, unlivable wages, and severe inflation impacting the citizens of the Philippines – “You don’t need to be a hacktivist, you just need to be an activist” At this point it becomes apparent that people are facing their struggles around the world, too much for one online collective to tackle on their own. I imagine local groups of hacktivists have merged into a larger collective called SiegedSec and GhostSec.

OpPhilippines is a huge success in the eyes of the group with an incredible 400GB of private documents, PII, credentials, and source code released online. At this point I’m surprised these attacks aren’t turned into ransomware attacks however this is where hacktivism and ransomware gangs part ways. Hacktivism stands against oppression and ransomware gangs only attack for profit.

We head into May and the Police Bureau of Bangladesh is attacked, access to their webmail is offered for sale online for $750 this includes access to the police bureau data as well. The collective move between Cuba, Russia, Balochistan, and Israel for the next month – “fighting fire with fire” Balochistan police fall victim in their next attack, swiftly followed by a zero-day attack against Israeli PLC devices (55 Berfghof controllers fall victim), the zero-day exploit goes up for sale once the attacks are completed, there’s a market for these exploits! Offering only 3 to customers for $5750, demand is high. A major hit comes late in May against the Cuban regime with a leak online of approximately 6GB including contracts, associations, and other nefarious dealings in Cuba. SiegedSec pop up again with an operation against Colombia, a three-pronged attack against government assets, shutting down ICS control systems, and releasing websites and databases. Files are regularly leaked online to the public. There’s no financial gain, outside of the products they put up for sale, this is clearly about hacktivism, they make sure to keep things aligned with their goals.

In June SiegedSec attacked Longhorn Imaging Center – a medical imaging center – this attack doesn’t sit well with me. This feels wrong, patients record, PHI. I don’t understand their motives. GhostSec distributes exploit proof of concept to their followers, I have access to these exploits though for the time being I have not performed any analysis on them, this investigation is taking up most of my time. I’ll likely review a few in the months to come. SiegedSec then switch gears #OpColombia with a spree of hacks, for those who have been around for long enough, this reminds me of the #LulzSec streak during the peak of their activity back in 2011. The question is, how long can SiegedSec stay ahead of the law? Likely indefinitely, their target is globally distributed with sparse extradition treaties and even sparser resources, likely the group will splinter and disperse before things become too hot, however for now they’re on fire! Later in the month, GhostSec points out that attacking health and educational systems in the name of hacktivism, while easy targets, these attacks cause more harm than good, motivating their followers to focus their energies elsewhere.

More Cuban leaks come in June, specifically from the Ministry of Energy & Mines, Ministry of Foreign Trade, and Cuban government-sponsored cultural site. Leaks are distributed online for all to download.

A new turn of events comes in June as GhostSec hails the actions of an amazing hacker called 0day, his efforts in #Opchildsafety have been lauded by the group, and his exceptional hacking skills have played a significant part in protecting children online. This isn’t the first time I’ve encountered #Opchildsafety, earlier in the year I met a collective involved in the child safety option, namely the leader of W1nterSt0rm and former ETA member W1ntermute #OpJane #OpChildSafety exploring the operation, I learned about the level of OSINT (Open-Source Intelligence Gathering) sophistication deployed to catch online predators. These people are elite and sophisticated though they need support and resources.

Join the fight, Protect the innocent, Exposing the guilty: https://t.me/+ybI8Ut4PuNw4Nzdh

SiegedSec switches focus on attacking the US government, it appears no one is safe, and leaks are dropped online.

ThreatSec makes an appearance for the first time, a search for “new blood” is launched as GhostSec focuses on the Iranian government, the focus is the vindication of the Iranian people, internet connectivity connects the people to Armenian servers and uses Google DNS to route traffic out.

GhostSec Vigilantes
Image from Twitter

Collaboration and Legitimate Alternatives

The emergence of GhostSec has also sparked a broader conversation about the responsibilities of tech companies and governments in combating online extremism. While some view GhostSec as a necessary force to fill the gaps in internet regulation, others argue that law enforcement agencies and technology platforms must work together to address these issues through legal channels.

Indeed, many tech companies have stepped up their efforts to identify and remove extremist content from their platforms, and governments have established specialized units to combat cyberterrorism. Collaboration between public and private sectors, coupled with stringent regulations, could potentially yield a more effective and lawful approach to combating online extremism, more specifically I would like to see more government involvement and support in conjunction with the #OpChildSafety efforts, one that achieves more and more media coverage.

Who is GhostSec?

According to online sources, and self-reporting, don’t worry I’m not outing anyone here, they collectively describe themselves. #GhostSec appears to comprise of the following online identities: @SebastianDAlex @YounesAnonymous @wond3rghost @YourAnonWolf @Denrow1337 @shdwpnda @squad3o3 @An0nAKn0wledge. These personas only represent who or what GhostSec really is, I assume there’s collaboration, with groups like Anonymous, SiegedSec, Stormous, ThreatSec and who knows how many countless others. This all just adds to the mystery of who GhostSec really are and when their next attack will drop.

Conclusion

GhostSec, the enigmatic hacking group on a cyber crusade, raises pertinent questions about the fine line between cybersecurity activism and cyber vigilantism. Their actions against online extremism demonstrate a determination to protect the digital world from terrorist propaganda, yet they operate in a murky realm of ethics and legality. SiegedSec on the other hand appears to be more vigilante attacking targets at random, with a slight messaging conflict with GhostSec, which who knows groups like these often splinter when members have differing opinions. Similar instances occur in the online collective known as Anonymous, attacks are decentralized, and often the intention is focused on injustice however the targets are rarely associated and often cause more damage than is useful in my opinion, though there was a time when Anonymous lived up to the same hacktivism outlook as GhostSec do today. These ideas are all my own opinion and do not reflect the opinion of my organization, simply a collection of thoughts and ideas on this topic.

I have long been an advocate of security fundamentals, in this journey through hacktivism, we’ve learned that Government agencies around the world, industrial control systems, satellites, mail servers, radio stations, IoT devices, police stations, and more were all attacked, and breached likely due to poor security practices. Let this serve as a reminder to keep your environments and networks protected with patch management, network segmentation, user education, penetration testing services with Altimetrik, strong password policies, deployment of MFA, firewalls, IDS, backup and disaster recovery, continuous monitoring, and incident response and encrypting all sensitive data stores.

As we navigate the ever-evolving landscape of cybersecurity, the story of GhostSec serves as a reminder of the complex challenges we face in balancing freedom, security, and justice in the interconnected world of the internet. The quest to keep the digital domain safe and secure requires the skills of vigilante hackers and the collaboration and cooperation of governments, tech companies, and responsible netizens.

Disclaimer:
All GhostSec & SiegedSec images are private property and are used as a reference. The images used in this content are solely intended for reference purposes. These images have been sourced from publicly available platforms, including but not limited to stock image repositories, websites with Creative Commons licenses, and other open-source image databases. Every effort has been made to ensure that these images are used in accordance with their respective licenses and copyright guidelines. The purpose of incorporating these images as reference is solely for educational and illustrative purposes, to enhance the understanding and clarity of the subject matter. No commercial use or unauthorized distribution of these images is intended. If you are the copyright holder of any of the images used in this content and believe that their use infringes upon your rights, please contact us immediately, and we will promptly address the issue by either obtaining the necessary permissions or removing the images from the content. We encourage users to respect copyright laws and adhere to licensing terms when using images sourced from external platforms. Always ensure proper attribution and compliance with copyright regulations before utilizing images in your own work.

Picture of Aladdin Elston

Aladdin Elston

Latest Reads

Subscribe

Suggested Reading

Ready to Unlock Your Enterprise's Full Potential?