Multiple Indian Entities Targeted by the Khalifah Cyber Crew Under the #OpsBantaiKaw2 Campaign

December 2, 2022
4 min read


Category:

Adversary Intelligence

Industry:

Multiple

Motivation:

Hacktivism

Country:

India

Source*:

D: Not usually reliable
4: Doubtfully True

Executive Summary

THREAT IMPACT
  • Hacktivist groups encourage individuals to target Indian entities through data leaks or DDoS attacks.
  • Leaked PII of Indian citizens, such as PAN cards, addresses, and phone numbers, was also discovered on the Telegram channel.
  • Threat actors can take websites offline with DoS and DDoS attacks, disrupting business continuity.
  • Leaked PII could be used to orchestrate social engineering schemes, phishing attacks, and identity theft.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a tweet by the threat group “Khalifah Cyber Crew” announcing a new campaign “OpsBantaiKaw2” for targeting Indian websites.
  • The threat actors mentioned in their Telegram group that the motivation behind the attack was “discrimination and cruelty of the Indian monarchy towards our Muslim brothers” and “news about the prohibition of wearing the hijab for Indian Muslim women”.
  • CloudSEK researchers found that most of the data the hacktivist group claimed to have “hacked” under this campaign was already publicly available.
Tweet announcing the “OpsBantaiKaw2” campaign, targeting Indian entities

Analysis from Telegram

  • In its first post, the group listed the following targets for DDoS attacks:
    • industrykart[.]com
    • gunjfashion[.]com
  • According to a later post by the group, industrykart[.]com was subsequently down (see the screenshot in the appendix).
  • The timestamps of the posts align with Malaysian and Indonesian time zones, suggesting that actors from both countries were involved in this campaign.
  • In another post, the actors falsely claimed to have obtained data on Indian NGOs from a “gov.in” website. CloudSEK researchers found the same data publicly accessible on the website of the National Trust of India.
  • The other posts advertised as “leaks” likewise consisted entirely of publicly accessible data.
  • Content forwarded into the channel also included PAN cards of Indian citizens originating from a Telegram group called “SBCC Learning”.

Threat Actor Activity and Rating

Threat Actor Profiling
  • Active since: 19 June 2022
  • Current status: Active
  • Points of contact: Twitter, Telegram, TikTok
  • Rating: D4 (D: Not usually reliable; 4: Doubtfully True)

Appendix

Post by the hacktivist group showing their motivation behind this campaign

Threat actors falsely claiming to have obtained data from an Indian entity
industrykart[.]com was observed to be down


Other hacktivist groups on Telegram observed forwarding the old leaks from Indian entities


Screenshots of PAN card being shared in the group