The Fractured Flag: GhostSec

← Home·Gallery·Techniques

Threat Intelligence Tarot

wands · 8

Hacktivist (international collective)

★★★★★

risk 3/5

✦ The Fractured Flag ✦

GhostSec

Ghost Security Group

ISIS infrastructure (2015–2016)Israel (2023)Industrial control systemsBelarus

Active since ~2015 · Anti-ISIS operations (originally), Ransomware (pivot 2023), Mixed hacktivist-criminal

It began as vigilantes hunting ISIS propaganda online. Then it partnered with ransomware operators and targeted water plants. The Fractured Flag is the story of hacktivist groups without institutional accountability - the mission drifts, the allies change, and what begins as principle ends as crime.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1498

Network Denial of Service

Impact

T1486

Data Encrypted for Impact

Impact

T1190

Exploit Public-Facing Application

Initial Access

T1491.002

External Defacement

Impact

Notable Operations

◆Anti-ISIS website takedowns and account reporting (2015–2016)
◆Israel water facility SCADA system claims (2023)
◆GhostLocker ransomware deployment (2023 pivot)
◆Collaboration with Stormous ransomware group

Defenses

▸
OT/ICS network monitoring for anomalous access attempts
NIST SP 800-82 ↗
▸
DDoS resilience for internet-facing infrastructure
NIST CSF: PR.DS ↗
▸
Ransomware-resistant backup architecture
CIS Control 11 ↗
▸
Vulnerability management for internet-exposed OT systems
ICS-CERT guidance ↗

Reversed: Their Weakness

GhostSec's pivot to ransomware destroyed its credibility as a hacktivist group - the alliance with criminal operators and deployment of GhostLocker demonstrated how ideologically-motivated groups can be co-opted by financial interests when loose organizational structure provides no accountability.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Volunteer Corps Next →The Red Star

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.