Threat Actor Profile – GhostSec

This month we’re introducing you to GhostSec, a threat group with ties to the Anonymous collective, and its shift from hacktivism to financially motivated hacking.

Threat actor profile: GhostSec

Image 1: Screenshot of GhostSec’s profile from the Threat Context module

Known Aliases

  • GhostSecMafia
  • GSM

Key points

  • GhostSec is a highly organized hacktivist group that has ties with members of the “Anonymous” hacktivist collective.
  • The threat group has a subscription-based premium channel on Telegram, in which it shares exclusive content, such as leaks, tutorials, and other material, with its subscribers.

Deep dive

GhostSec is a highly organized hacktivist group associated with the international hacktivist network Anonymous. The group gained its reputation within the Anonymous collective by participating in the #opisis hacktivist initiative against ISIS back in 2015.

In typical Anonymous fashion, GhostSec's actions are often broadcast on Twitter and Telegram, showing targets being subjected to DDoS attacks, system intrusion, webpage defacement, and leaks of stolen information.

According to a member of the group, GhostSec has approximately 16 active members working under its name. Each one has a specific role within the organization: some might work on getting initial access to a target, while others might specialize in privilege escalation or lateral movement. They also allegedly help and support each other whenever a member is caught and faces a police investigation. All of this points to a high level of cooperation and organization within the group.

The threat group has participated in numerous campaigns promoted by the Anonymous movement, targeting multiple enterprises, banks, and governments under the pretense of defending human rights and the people against corrupt entities.

The list of operations in which GhostSec confirmed its participation includes:

In late July 2022, our threat analysts spotted a message posted on the threat group’s Telegram channel with the opening line “Hacktivism does not pay the bills!” The group announced the launch of its new, subscription-based Telegram channel and service, named GhostSec Mafia Premium, marking the shift from an ideological hacktivist group to a financially motivated cyber mafia organization.

On the other hand, after gaining popularity with #opisis in 2015, several members left the organization to create “Ghost Security Group”, a formal counter-terrorism organization that collaborates with government intelligence agencies, cutting ties with the Anonymous network and the other GhostSec members.

Threat actor Activity Map

Image 2: GhostSec’s Activity Map from the Threat Context module
