Activism, or Illegal Activity? The Truth About Hacktivist DDoS Attacks
For over five years, DDoS attacks have been touted in some circles as the next frontier in protests, an online form of a sit-in that disrupts a business or organization’s ability to conduct its daily activities. “It’s peaceful”, hacktivists in favor of this tactic argue.
No one is physically threatened or made to feel unsafe. There’s no chance of clashes between protesters and police, no chance of associated riots.
While that may all be true, there is one fundamental difference between conventional protests and DDoS attacks: protests, at least in the United States and similar democratic countries, are legal.
The right to protest – peacefully, at least – is protected alongside the right to freedom of expression. Conversely, DDoS attacks are not legal. Not at all.
Ask Martin Gottesfeld
Earlier this year, biotech professional Martin Gottesfeld became the latest DDoS attacker to earn a high-profile conviction for his online assaults.
Unlike some of the other infamous DDoS attackers recently convicted in a court of law, Gottesfeld wasn’t masterminding a DDoS-for-hire service in order to make money, nor was he taking revenge on a former employer.
As a member of notorious hacktivist group Anonymous, Gottesfeld took aim at a Boston hospital in retaliation for its involvement in a custody case that saw two Connecticut parents lose custody of their teenage daughter for what the hospital claimed was medical abuse.
Using his own malware, Gottesfeld assembled a botnet of over 40,000 devices which he then used to flood the hospital with junk data. A classic example of a distributed denial of service attack, this left hospital networks unavailable for over two weeks, which also meant staff were unable to access internet services used to treat patients during this time.
He also attacked a residential treatment facility that housed the teenage girl in question while the custody case was ongoing.
Gottesfeld claimed he perpetrated his attacks because he believed he was helping to save the girl’s life. He faces up to 15 years in prison and $500,000 in fines, not including possible restitution.
The Specific Violations
Distributed denial of service attacks are a criminal offense under the Computer Fraud and Abuse Act (CFAA), which expressly forbids causing the transmission of a program, information, code or command that results in damage to protected computers.
While some may argue about what actually constitutes damage and whether or not the effects of DDoS attacks qualify, the law is clear: damage is any impairment to the availability and integrity of a system, program, information or data.
While DDoS attacks may have ancillary effects and consequences, the number one thing they are designed to do is impair availability. This is the very definition of damage under the CFAA, and it’s what has allowed DDoS attackers, from amateurs using DDoS-for-hire services to professional attackers to hacktivists, to be arrested, charged and convicted of computer crimes.
Gottesfeld in particular has been convicted of conspiracy to intentionally damage protected computers, and intentionally damaging protected computers.
In All Fairness
There’s a false perception amongst the general population as well as amongst perpetrators that computer crimes are somehow not as ‘real’ or damaging as other types of crime.
Ask the targets of DDoS attacks and they could tell you the damages associated with these attacks are just as real as the damages associated with crimes such as burglary and fraud.
The hospital attacked by Gottesfeld suffered direct financial damages of $300,000 and lost out on a further estimated $300,000 while its fundraising platform was unavailable. This is to say nothing of the treatments that were impeded while the network was down.
As far as DDoS damages go, $300,000 isn’t all that bad for outages spanning two weeks. For many businesses, DDoS attacks can cause six or seven figures’ worth of damage in just hours.
While points about DDoS attacks as a form of protest having the potential to reduce protest-related violence are well taken, hacktivists and their supporters need to consider that these online attacks do huge amounts of real-world damage. That’s why they’re illegal. No question about it.