Update 2: 13 June 2022, 18:30 IST
CloudSEK’s researchers captured a member of the DragonForce forum executing the purported DDOS attack on the BJP official website. The IP address in the image matches the IP address of the BJP’s server (i.e. 104[.]18[.]130[.]37).
Image: Attackers implementing DDOS attacks on the BJP website
In addition, CloudSEK’s researchers identified a threat actor group circulating contact numbers of Indian police personnel, along with WhatsApp chat links, in the comment section of DragonForce’s Instagram page. Identical content was found on the hacktivist group’s forum as well.
Image: Phone numbers of police personnel exposed in the Instagram comment section
A comprehensive analysis of the threat revealed possible TTPs of the group:
- As mentioned previously, the group uses Google dorks to identify targets. This lets them pick targets of their own choice, based on the vulnerability they intend to exploit.
- For instance, the actor group targeted the knowledge and resource sharing website of the Govt. of India ( https[:]//krcnet[.]moes[.]gov[.]in/user/register ). The exact link was shared on the group's forum for individuals to target. This website allows file types such as png, gif, jpg, etc. to be uploaded, and permits image uploads of up to 250 MB, which the group could have abused to deface the website.
- This website could have been discovered by the actors through Google dorks such as:
  - “allowed file types: png gif jpg txt site:gov.in”
  - “allowed file types: png gif jpg txt site:com”
  - “allowed file types: png gif jpg txt site:net.in”
  - “allowed file types: png gif jpg txt site:in”
  - “allowed file types: png gif jpg txt site:ac.in”
  - “allowed file types: png gif jpg txt”
- Domains with .gov.in, .com, .net.in, .in, and .ac.in are primarily being targeted by the attackers.
- The threat actor group is using a tool named SC deface (or Script Deface) to deface target websites. The tool ships with pre-built defacement pages, with designs available for download, that can be inserted into target websites; a user can modify the HTML code and design as they see fit.
Image: Screenshot from the threat actor group’s forum depicting an actor sharing knowledge about abusing Drupal
Update 1: 13 June 2022, 14:30 IST
The group’s latest post on their website states that they will conduct a large-scale DDOS attack at 10:30 PM Malaysian Time (08:30 PM IST) on two Indian websites:
- Indian Army Veteran site, which allows direct IP access to everyone: https[:]//www[.]Indianarmyveteran[.]gov[.]in/, with IP address 164[.]100[.]228[.]84
- BJP’s website: https[:]//www[.]bjp[.]org/home with IP address 104[.]18[.]130[.]37
The actor group specifically named port 443 for the attack. BJP’s website sits behind Cloudflare, while the Indian Army Veteran site has no such protection in place.
Image: Latest update on the DragonForce website
13 June 2022, 10:30 IST
A possible TTP for the Host Net attack could be:
- The attacker exploited and bypassed the Admin SQL and uploaded a reverse shell to the system.
- The actor abused Google dorks, searching for ./login pages with the site parameter set to “:in” for India.
- The actor bypassed the Admin SQL using an exploit written in PHP and uploaded three files, also written in PHP, that provide reverse shell access to the system.
- Indian politicians’ recent remarks on the prophet prompted the hacktivist group DragonForce to launch campaign OpsPatuk against the Indian Government.
- The group has also solicited the support of “Muslim Hackers All Over The World, Human Right Organisations and Activists.” [sic]
- Religiously and politically motivated campaigns such as OpsPatuk can lead to breaches of sensitive government websites containing PII, military operations data and other government secrets, which in the wrong hands could enable targeted attacks on the country and its citizens.
- Monitor for anomalies in user accounts and internet-exposed web applications.
- Hosting providers and government cyber response teams should be on high alert.
Analysis & Attribution
Information from Social Media
- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
- To enable their allies to launch attacks, the group has shared:
  - Social media credentials of Indian nationals, especially Facebook account accesses
  - Purported username and password combinations for SBI bank accounts
Image: SBI Bank credentials
Image: Leaked credentials to log into social media accounts
- The group has named this operation OpsPatuk, which translates to “strike back”. The group has also shared evidence that they have hacked the following Indian government websites:
Information from Underground Forums
Upon further investigation, CloudSEK discovered multiple threat actors joining this operation and hacking various Indian websites. A few of these posts are listed below.
- An OpsPatuk hacker claims to have compromised one of the servers of Host Net India (216[.]48[.]179[.]60), and has shared sample images to substantiate the claims.
- Further research suggests that the initial attack was on web servers compromised using shared hosting exploits. The attackers could also have exploited and bypassed the admin SQL, or abused Google dork indexing, to upload a reverse shell to the system.
Image: List of shared hosting exploits as provided by the threat actor
- Another member of the OpsPatuk operation was found discussing a potential cyber attack on the official website of BJP, the Indian ruling party.
Image: Screenshot of the threat actor’s post on the underground forum
- The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
- This group owns and operates a forum where they post announcements and discuss their latest activities.
- The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
- The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.
- CloudSEK discovered a TikTok hashtag #opspatuk, with posts calling for action against the Indian government. These posts have over 2.4 million views, at the time of publishing this report.
Image: Posts on TikTok calling for action against the Indian government under the hashtag #opspatuk
DragonForce’s Official Communication Channels
The group has shared a list of sites that they are encouraging their supporters and allies to target. Apart from several Indian government websites, this also includes Indian private-sector organisations such as:
- Logistics and Supply Chain Companies
- Educational institutions
- Technology and Software Companies
- Web Hosting Providers
Image: Tweet screenshot of the DragonForce threat actor group’s call to unite against India
Threat Groups Supporting DragonForce Malaysia
DragonForce has previously been associated with the following groups, the majority of which appear to be from Malaysia or Pakistan.
- Revolution Pakistan
In response to DragonForce’s clarion call, Team Revolution Pakistan has already hacked Time8, an Assam-based digital news channel. During a live news stream, the channel’s transmission was interrupted and replaced by Pakistan’s flag and a background hymn praising Prophet Muhammad (PBUH).
Image: Hacked Time8 YouTube live stream showing the Pakistani flag
It is highly likely that such activities, by the group’s supporters, will gain momentum in the coming days.
Initial Attack Vectors
So far, DragonForce and its supporters have primarily employed the following server-side and client-side attacks to target victims:
Server-side attacks:
- Password spraying using compromised accounts on social media sites.
- Targeting hosting providers to gain unauthorized access to hosted websites.
- Local File Inclusion attacks on web applications.
- Leveraging widely available tools for DDOS.

Client-side attacks:
- Usage of Microsoft document exploits.
- Malware and ransomware.
- Phishing campaigns using SMS and WhatsApp messages with malicious files.
DragonForce and its supporters have been relying on web shells to maintain their foothold on target organizations’ networks.
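Two of the techniques described in this report, the 250 MB image upload form that could be abused for defacement and the PHP reverse shells and web shells used for persistence, can both be checked for with one scan of a site's upload directory. The script below is an added defensive example, not CloudSEK's tooling or anything from the report; the magic-byte table, the 5 MB size policy and the list of shell-like PHP functions are assumptions chosen for illustration.

```python
import os
import re

# Magic bytes for the image types the abused upload form accepted (png, gif, jpg).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}
# Server-side script extensions that should never appear in an image upload directory.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Functions typical of PHP web shells (assumed indicator list, not taken from the report).
SHELL_FUNCS = re.compile(rb"\b(eval|system|passthru|shell_exec|proc_open|popen)\s*\(", re.IGNORECASE)
MAX_IMAGE_BYTES = 5 * 1024 * 1024  # assumed policy; the abused site allowed 250 MB

def inspect_file(path, data=None):
    """Return the list of findings for one file (empty when nothing looks wrong).
    `data` may be passed directly so the same check works on an in-memory upload."""
    if data is None:
        with open(path, "rb") as fh:
            data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in SCRIPT_EXT:
        findings.append("script file in upload directory")
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        findings.append("extension/magic mismatch")
    if PHP_TAG.search(data):
        findings.append("embedded PHP open tag")
    if SHELL_FUNCS.search(data):
        findings.append("web shell function call")
    if len(data) > MAX_IMAGE_BYTES:
        findings.append("exceeds size policy")
    return findings

def scan_uploads(root):
    """Walk an upload directory and map each suspicious path to its findings."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                results[full] = findings
    return results
```

Run `scan_uploads("/path/to/site/files")` from a cron job or an incident-response shell; a .jpg that starts with GIF or PHP bytes, or any .php file under the upload root, is worth pulling for manual review.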
Hacktivism, also known as hactivism, is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change on the Internet. With the growing pace of digitization and the paradigm shift brought about by the global pandemic, people all over the world have begun to use this tactic on a large scale. This has been especially prevalent since the Russia-Ukraine conflict, which began in February 2022 and saw the emergence of several hacktivist groups on both sides.
In light of DragonForce’s forceful actions and threats, it is important for Indian firms and government entities to secure their websites, assets, and endpoints to prevent further escalation of attacks.
CloudSEK will continue to investigate this developing pattern of attacks and provide timely updates to bolster the security of the Indian government and private entities.