Multiple Indian Entities Targeted by the Khalifah Cyber Crew Under the #OpsBantaiKaw2 Campaign

CloudSEK’s contextual AI digital risk platform XVigil discovered a tweet by the threat group “Khalifah Cyber Crew” announcing a new campaign “OpsBantaiKaw2” for targeting Indian websites.
Updated on: April 19, 2023
Published on: December 1, 2022
Category: Adversary Intelligence
Industry: Multiple
Motivation: Hacktivism
Country: India
Source*: D: Not usually reliable; 4: Doubtfully True

Executive Summary

THREAT IMPACT
  • Hacktivist groups motivate individuals to target Indian entities through data leaks or DDoS attacks.
  • Leaked PII, such as PAN cards, addresses, and phone numbers of Indian citizens, has also been discovered on the Telegram channel.
  • Threat actors can bring down websites with DoS and DDoS attacks, thereby affecting business continuity.
  • Threat actors could use the leaked PII to orchestrate social engineering schemes, phishing attacks, and even identity theft.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a tweet by the threat group “Khalifah Cyber Crew” announcing a new campaign “OpsBantaiKaw2” for targeting Indian websites.
  • The threat actors mentioned in their Telegram group that the motivation behind the attack was “discrimination and cruelty of the Indian monarchy towards our Muslim brothers” and “news about the prohibition of wearing the hijab for Indian Muslim women”.
  • CloudSEK researchers found that most of the data the hacktivist group claimed to have “hacked” under this campaign, was publicly available.
[Figure: Tweet announcing the “OpsBantaiKaw2” campaign, targeting Indian entities]

Analysis from Telegram

  • In the first post, the group listed the following targets to launch DDoS attacks:
    • industrykart[.]com
    • gunjfashion[.]com
  • According to a later post by the group, the industrykart[.]com website was subsequently observed to be down.
  • Based on the posting times, which fall within Malaysian and Indonesian time zones, it can be inferred that both Malaysian and Indonesian actors were involved in this campaign.
  • Another post from the actors falsely claimed to have obtained the data about Indian NGOs from a “gov.in” website. However, our researchers identified the data to be publicly accessible on the website of the National Trust of India.
  • The researchers discovered that the other posts that were being advertised as “leaks” were all publicly accessible data.
  • The forwarded information also included PAN cards of Indian citizens from a Telegram group called “SBCC Learning [Forum]”.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since: 19 June 2022
Current Status: Active
Point of Contact: Twitter, Telegram, TikTok
Rating: D4 (D: Not usually reliable; 4: Doubtfully True)

Appendix

[Figure: Post by the hacktivist group showing their motivation behind this campaign]
[Figure: Threat actors falsely claiming to have obtained data from an Indian entity]
[Figure: Industrykart.com was observed to be down]
[Figure: Other hacktivist groups on Telegram observed forwarding the old leaks from Indian entities]
[Figure: Screenshots of PAN card being shared in the group]
