Hacktivist Group Summons Allies and Hackers to Unite Against Govt. of India

Summary

 
Category: Adversary Intelligence Threat Type: Hacktivism Industry: Government & Private Region: India
  Update 2: 13 June 2022, 18:30 IST CloudSEK’s researchers captured a member of the DragonForce forum executing the purported DDOS attack on the BJP official website. The IP address in the image matches the BJP’s server’s IP address (ie.104[.]18[.]130[.]37). 
Image depicting attackers implementing DDOS attacks on the BJP website
Image depicting attackers implementing DDOS attacks on the BJP website
  In addition to that, CloudSEK’s Researchers’ identified a threat actor group, circulating contact numbers of Indian Police personnel with WhatsApp chat links, in the Instagram comment section of the DragonForce. Identical content was uncovered on the hacktivist group’s forum as well. 
Phone numbers of Police Personnel were exposed in the Instagram comment section
Phone numbers of Police Personnel were exposed in the Instagram comment section
 

DragonForce TTPs

A comprehensive analysis of the threat revealed possible TTPs of the group:
  • As mentioned previously, the group utilizes Google dorks to identify targets. This enables them to fetch targets of their own choice, based on the vulnerability they want to target. 
  • For Instance, the actor group targeted the knowledge and resource sharing website of the Govt. of India ( https//krcnet[.]moes[.]gov[.]in/user/register ). An exact link was shared on the group's forum for individuals to target.  This website allows file types such as png, gif, jpg, etc. to be uploaded. It permits image uploads up to 250 MB, which could have been manipulated by the group, to deface the website. 
  • This website could have been discovered by the actors through google dorks such as: 
    • “allowed file types: png gif jpg txt site:gov.in”
    • “allowed file types: png gif jpg txt site:com”
    • “allowed file types: png gif jpg txt site:net.in”
    • “allowed file types: png gif jpg txt site:in”
    • “allowed file types: png gif jpg txt site:ac.in”
    • “allowed file types: png gif jpg txt site:com”
    • “allowed file types: png gif jpg txt”
  • Domains with .gov.in, .com, .net.in, .in, and .ac.in are primarily being targeted by the attackers. 
  • The threat actor group is utilizing a tool named SC deface (or Script Deface) to deface the target websites. This tool has pre-built defacing codes that can be inserted into target websites, with designs for a user to download. A user can modify the HTML code and design according to their intention. 
Screenshot from the threat actor group’s forum depicting an actor sharing knowledge about abusing Drupal
Screenshot from the threat actor group’s forum depicting an actor sharing knowledge about abusing Drupal
  Update 1: 13 June 2022, 14:30 IST The group’s latest post on their website mentions that they will conduct a large-scale DDOS attack at 10:30 PM Malaysian Time (08:30 PM IST) on 2 Indian websites:
  • Indian Army Veteran Site, allowing direct IP access to everyone: https//www[.]Indianarmyveteran[.]gov[.]in/, with IP address 164[.]100[.]228[.]84
  • BJP’s website: https//www[.]bjp[.]org/home with IP address 104[.]18[.]130[.]37
The actor group specifically mentioned port 443 for the attack. BJP’s website has Cloudflare technology deployed while the Indian Army Veteran site doesn’t have any such measures in place. Latest update on DragonForce website   A Possible TTP for the Host Net attack could be:
  • The attacker exploited and bypassed the Admin SQL and uploaded a reverse shell into the system.
    • The actor abused google dork and used ./login with site parameter as “:in” for India.
    • The actor bypassed the Admin SQL using an exploit written in PHP language and uploaded three files for reverse shell access into the system. These shell scripts were also written in PHP language.
13 June 2022, 10:30 IST

Executive Summary

THREAT IMPACT MITIGATION
  • Indian politicians’ recent remarks on the prophet prompted the hacktivist group DragonForce to launch campaign OpsPatuk against the Indian Government.
  • The group has also solicited the support of “Muslim Hackers All Over The World, Human Right Organisations and Activists.” [sic]
  • Religiously and politically motivated campaigns such as OpsPatuk can lead to a breach of some sensitive government websites containing PII, military ops, and other government secrets, which in the wrong hands can enable targeted attacks on the country and its citizens.
  • Monitor for anomalies in user accounts and internet exposed web applications.
  • Hosting providers and government Cyber response teams to be on high alert.

Analysis & Attribution

Information from Social Media
  • On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
  • The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
  • to enable their allies to launch attacks, the group has shared:
    • Social media credentials of Indian nationals, especially Facebook accesses
    • Purported username and password combos to SBI bank accounts
  SBI Bank credentials
Leaked credentials to log into social media accounts
Leaked credentials to log into social media accounts
   
  • The group has named this operation OpsPatuk, which translates to “strike back”. The group has also shared evidence that they have hacked the following Indian government websites:
    • indembassyisrael[.]gov[.]in
    • manage[.]gov[.]in
    • extensionmoocs[.]manage[.]gov[.]in
    • cia[.]manage[.]gov[.]in
    • cfa[.]manage[.]gov[.]in

Information for Underground Forums

Upon further investigation, CloudSEK discovered multiple threat actors joining this operation and hacking various Indian websites. A few of these posts are listed below.
  • An OpsPatuk hacker claims to have compromised one of the servers of Host Net India (216[.]48[.]179[.]60), and has shared sample images to substantiate the claims.
  • Further research suggests that the initial attack seems to be on web servers compromised using shared hosting exploits. The attackers could have also exploited and bypassed admin SQL or abused Google dork index to upload a reverse shell to the system.
List of shared hosting exploits as provided by the threat actor
List of shared hosting exploits as provided by the threat actor
 
  • Another member of the OpsPatuk operation was found discussing a potential cyber attack on the official website of BJP, the Indian ruling party.
Screenshot of the threat actor’s post on the underground forum
Screenshot of the threat actor’s post on the underground forum
 

About DragonForce

  • The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
  • This group owns and operates a forum where they post announcements and discuss their latest activities.
  • The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
  • The group has been conducting regular recruitment and promotion campaigns using Tiktok and Instagram reels.
  • CloudSEK discovered a TikTok hashtag #opspatuk, with posts calling for action against the Indian government. These posts have over 2.4 million views, at the time of publishing this report.
Posts on TikTok calling for actions against the Indian government under the hashtag #opspatuk
Posts on TikTok calling for actions against the Indian government under the hashtag #opspatuk
 

DragonForce’s Official Communication Channels

Forum : https//dragonforce[.]io
Radio : https//radio[.]dragonforce[.]io
Facebook : https//fb[.]me/dragonforcedotio
Telegram : https//t[.]me/dragonforceio
Twitter : https//twitter[.]com/dragonforceio
Instagram : https//instagram[.]com/dragonforceio
YouTube : https//www.youtube[.]com/channel/UC9GycRXuy7-WMULPBkBp4Bw

Target Selection

The group has shared a list of sites that they are encouraging their supporters and allies to target. Apart from several Indian government websites, this also includes private Indian:
  • Logistics and Supply Chain Companies
  • Educational institutions
  • Technology and Software Companies
  • Web Hosting Providers
Image depicting tweet screenshot of the Dragon Force threat actor group’s call to unite against India
Image depicting tweet screenshot of the Dragon Force threat actor group’s call to unite against India
 

Threat Groups Supporting DragonForce Malaysia

DragonForce has previously been associated with the following groups, the majority of which appear to be from Malaysia or Pakistan.
  • Revolution Pakistan
  • RileksCrew
  • T3DimensionMalaysia
  • UnitedMuslimCyberArmy
  • CodeNewbie
  • PhantomCrews
  • LocalhostMalaysia
  • HarimauMalayaCyberArmy
  • GroupTempurRakyatMalaysia
In response to DragonForce’s clarion call, Team Revolution Pakistan has already hacked Time8, an Assam based digital news channel. During a live news stream, the channel’s transmission was interrupted and replaced by Pakistan’s flag and background hymn praising Prophet Muhammad (PBUH).
Image depicting hacked Time8 Youtube live stream with Pakistani flag as the image.
Image depicting hacked Time8 Youtube live stream with Pakistani flag as the image.
  It is highly likely that such activities, by the group’s supporters, will gain momentum in the coming days.

Initial Attack Vectors

So far, DragonForce and its supporters have primarily employed the following server-side and client-side attacks to target victims:
Server Side Attacks Client Side attacks
  • Password spraying using compromised accounts on social media sites.
  • Target hosting providers to gain unauthorized access to hosted websites.
  • Local File Inclusion attacks on web applications.
  • Leveraging widely available tools for DDOS.
  • Usage of Microsoft document exploits.
  • Malware and ransomware.
  • Phishing campaigns using SMS and WhatsApp messages with malicious files.
 

Persistence Mechanism

DragonForce and its supporters have been relying on web shells to maintain their foothold on target organizations’ networks.

Conclusion

Hacktivism, also known as hactivism, is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change on the Internet. With the growing age of digitization and the paradigm shift brought about by the global pandemic, people all over the world have begun to use this tactic on a large scale. This has been especially prevalent after the recent Russia - Ukraine conflict, which began in February 2022, which saw the emergence of several hacktivists on both sides. In light of DragonForce’s forceful actions and threats, it is important for Indian firms and the government entities to secure their websites, assets, and endpoints to prevent further escalation of attacks. CloudSEK will continue to investigate this developing pattern of attacks and provide timely updates to bolster the security of the Indian government and private entities.

References

Table of Contents

Request an easy and customized demo for free