| Category:
Adversary Intelligence |
Industry:
Multiple |
Motivation:
Hacktivism |
Country:
India |
Source*:
D: Not usually reliable
4: Doubtfully True |
Executive Summary
| THREAT |
IMPACT |
- Hacktivist groups motivate individuals to target Indian entities through data leaks or performing DDoS attacks.
- Leaked PII information like PAN cards, addresses, and phone numbers of Indians have also been discovered on the telegram channel.
|
- Threat actors can bring down websites with DoS and DDoS attacks, thereby affecting business continuity.
- Threat actors could orchestrate social engineering schemes, phishing attacks, and even identity theft.
|
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a tweet by the threat group “Khalifah Cyber Crew” announcing a new campaign “OpsBantaiKaw2” for targeting Indian websites.
- The threat actors mentioned in their Telegram group that the motivation behind the attack was “discrimination and cruelty of the Indian monarchy towards our Muslim brothers” and “news about the prohibition of wearing the hijab for Indian Muslim women”.
- CloudSEK researchers found that most of the data the hacktivist group claimed to have “hacked” under this campaign, was publicly available.
[caption id="attachment_21727" align="alignnone" width="728"]
Tweet announcing the “OpsBantaiKaw2” campaign, targeting Indian entities[/caption]
Analysis from Telegram
- In the first post, the group listed the following targets to launch DDoS attacks:
- industrykart[.]com
- gunjfashion[.]com
- The industrykart[.]com website was later observed to be down according to their post.
- Based on the posts in Malaysian and Indonesian timezones, it can be implied that both Malaysian and Indonesian actors were involved in this campaign.
- Another post from the actors falsely claimed to have obtained the data about Indian NGOs from a “gov.in” website. However, our researchers identified the data to be publicly accessible on the website of the National Trust of India.
- The researchers discovered that the other posts that were being advertised as “leaks” were all publicly accessible data.
- The forwarded information also included PAN cards of Indian citizens from a Telegram group called “SBCC Learning [Forum]”.
Threat Actor Activity and Rating
| Threat Actor Profiling |
| Active since |
19 June 2022 |
| Current Status |
Active |
| Point of Contact |
Twitter, Telegram, Tik Tok |
| Rating |
D4 (D: Not usually reliable; 4: Doubtfully True) |
References
Appendix
[caption id="attachment_21729" align="alignnone" width="381"]
Post by the hacktivist group showing their motivation behind this campaign[/caption]
[caption id="attachment_21730" align="alignnone" width="304"]
Threat actors falsely claiming to have obtained data from an Indian entity[/caption]
[caption id="attachment_21731" align="alignnone" width="422"]
Industrykart.com was observed to be down[/caption]
[caption id="attachment_21733" align="alignnone" width="425"]
Other hacktivist groups on Telegram observed forwarding the old leaks from Indian entities[/caption]
[caption id="attachment_21734" align="alignnone" width="433"]
Screenshots of PAN card being shared in the group[/caption]
