Tears of Torbia
Contents
Overview
Tears of Torbia (ToT) is a decentralised international activist/hacktivist collective/movement widely known for its various cyber-attacks against governments, government agencies, financial institutions corporations, and religious organisations in support of the re-unification of Torbia. First appearing in 2015, Tears of Torbia takes its name from what it terms is the result of the pain felt by Luzon Island inhabitants after the division of the nation of Torbia. ToT is thought to have originated in Australia, starting as a board on 4Chan promoting the reunification of the Torbias, in favour of North Torbian sovereignty. ToT membership is usually signified by the mythological Ouroboros symbol of a serpent with its tail in its mouth, continually devouring itself and being reborn signifying both infinity and the cycle of birth and death, with the ubiquitous hacker mask of Guy Fawkes encircled by the Ouroboros. This symbol will often be associated with ToT avatars or other digital properties.
Originating from a series of protests, pranks, and hacks targeting South Torbian entities in the US, UK and Australia, ToT became increasingly involved with collaborative hacktivism on a number of issues internationally. In its earliest incarnation, ToT adopted the working model of a decentralised online community with no consistent taxonomy or operational profile. While the general impression of ToT activities is one of chaotic ad hoc action, there have been several incidents suggestive of sophisticated global co-ordination and targeted activity. This suggests that at least some elements of the collective are conducting state sponsored activity at least some of the time.
Individuals claiming to align themselves with ToT undertook protests and other actions (including direct action) in retaliation against countries that did not recognise or support the sovereignty of North Torbia. These high-profile attacks were a diversion to obfuscate ToT's primary objective of targeted cyber-attacks on western government agencies, financial institutions, corporations, defence contractors and personnel, as well as law enforcement. The effectiveness of ToT's actions varies widely. Public support for the group calls them freedom fighters and digital "Robin Hoods", whilst cyber security analysts label them cyber-terrorists or cyber lynch-mob. In the past few years ToT has been ranked as one of the "100 most influential people" in the Indo-Pacific.
Organization
ToT is an ad hoc anarcho-collective, and as such does not have a formal organisational structure. Occasional evidence of tightly coordinated actions in support of the North Torbian state suggests that at least a core element of the group has a centralised command structure. The exact details of this structure are yet impossible to determine. It is important to note that many analysts do not accept the characterisation of ToT as a single coherent organisation.
Areas of Operations
ToT is not bound by physical geography, with cells and splinters active across the world. It is thought that the bulk of members are physically located across Europe, the Americas, and Oceania. Owing to the heavily decentralised nature of the group, however, it is possible that active cells could be located anywhere in the world where sufficient digital infrastructure exists.
Membership and Demographics
Members of the group often do not even know one another outside the internet. Commonly known for launching hastily coordinated attacks, ToT members appear to be largely coalesced on an ad hoc basis. All ToT members are ostensibly volunteers falling into one of two categories. The first of these are skilled hackers, by far the smallest percentage of membership. These individuals could at any given time be as few as 15, or as many as a few dozen, depending on how attractive the target is to its membership. This group is thought to be made up of predominantly males between the ages of 25 and 45, with high levels of experience in cybersecurity and hacking.
The second category are known as "laypeople", and can be quite numerous, ranging from a few dozen to a few hundred volunteers. Acting under the direction of the skilled hackers, their role is primarily to conduct DDoS attacks by either downloading and using special software or visiting websites designed to flood victims with excessive traffic. The technical skills required range from very low to modest. The ratio of skilled hackers to laypeople is thought to be around 1:10.
Definitive statistics are near impossible to obtain owing to the group s obsession with anonymity, with even casual members capable of quite high levels of digital camouflage. It is known, however, that a core of the group is made up of digital pirates, activists who believe that all information should be open source and free to use, including entertainment products, application source codes, and information in general. It is also thought that a small proportion of the core membership has ties to the North Torbian state.
Recruitment
Tears of Torbia is comprised of many individuals who all have skillsets. Most members are from an information/computer science background with jobs usually in this domain who moonlight after hours in online activism in supporting roles. There appears to be a mix of white, grey and black hat hackers as well as other less technically skilled members who come from a range of activist groups. There is a small number of hard-core members who are active online either for Tears of Torbia or other smaller groups with regular activity and online posts on underground forums, social media and information security chat groups.
Apart from the hard-core membership, most ToT members are ad hoc recruits for specific campaigns, who may join or leave during any phase of the operation. Message boards, encrypted messaging apps, and social media platforms are typically used to drive traffic to specifically created websites outlining the rationale of an attack and choice of target. When sufficient operatives have pledged involvement, the attack will commence across chosen/available vectors until such time as countermeasures render further action impossible. When an attack is over, most members will cease to be active until the next one. Most recruits to each "campaign" are repeat joiners.
Operational Profile
Kinetic
ToT does not conduct kinetic activities.
Non-Kinetic
ToT mainly conducts DDoS (Distributed Denial of Service) attacks but has been known to also perform data exfiltration and leaking, as well as using other attack vectors. The bulk of ToT operations are randomly targeted according to individual members' ability to persuade the rest of the collective to act, meaning that targets can include anyone from individuals, especially perceived racists and sexual predators, through to multinational corporations and governments. ToT operations are distinguished by a trademark "trolling" sense of humour, presumably carried over from their roots on 4Chan.
ToT operations are usually very short in duration, sometimes only hours long, and rarely stretching for more than a few weeks. These attacks are characterised by fast, aggressive "snatch and grab" methodologies, and a doctrine of rapid, overwhelming force deployed without warning. ToT has also created its own proprietary attack software, which can often obscure the source of an attack. Those actions which are known to have been conducted by ToT have typically been large in scale, short in duration, and very high in intensity.
ToT's principal non-kinetic activities include:
- "Doxxing", where personally identifying information of public figures, organizations, or government bodies is leaked
- DDoS: Distributed Denial-of-Service (DDoS) attacks
- Defacement of personal, corporate, or government websites
- Cross-Site Scripting, where changing the code of a website can lead to error messages and/or the leaking of sensitive data
- Website mirroring, where legitimate websites are impersonated as a trap for unsuspecting users, or as a vector for disinformation
- Data exfiltration
- Unauthorised access