On 20th May 2023, CloudSEK’s contextual AI digital risk platform XVigil discovered a post made by a hacktivist group “Mysterious Team Bangladesh” claiming to have conducted a DDoS attack on Multiple UAE government websites. To establish proof of conducting a successful DDoS attack, evidence was shared along with the actor’s Telegram post. The actors shared links to Check-host.net, a web utility that provides real-time information on whether a domain or an IP address is available and responsive - whenever a user tries to reach it. (Refer to the Appendix for more details)

‍

The group is known to use DDOS attacks to harm reputed organizations and government infrastructure.
‍

'Anonymous Sudan’ and other notable hacktivist groups targeting the UAE are both geographically motivated due to political concerns surrounding Sudan's conflict and alleged UAE involvement. The groups exhibit similarities in targeting patterns and geographic focus.

‍

‍

To Note:
Based on past observation, the hacktivist groups have been seen targeting the same set of Government, banking, fintech, etc entities repeatedly, considering their success for the first few times. Also, this is largely done to maintain the traction for their campaigns and gain publicity. 

‍

Information from the Post

The websites targeted by the hacktivist group in this incident are:

Government Websites Targeted in the DDoS Attack

Ministry of Defence : Official Government Portal

Ministry of Energy & Infrastructure : Ministry of Health & Prevention

DDoS Attacks Information & Mitigation

These groups do not use sophisticated attacks, they are primarily known to DDOS and mass scan for sensitive information like backups, SQL files that are exposed. Based on analyzing the activity of the service and Telegram channel we were able to discover methodologies that the group uses to conduct DDoS or DOS attacks as follows:

‍

Threat Actor Profile: Mysterious Team aka Misterious_Team

‍

‍

‍New TTPs for the group 

After tracking the group for quite some time we have gained information regarding the new toolset that they have started using, this includes:

• Raven-Storm toolkit: It is a Python-based tool that can be used for multiple-layer DDoS attacks. The toolkit supports L3(ping), L4(UDP/TCP services) as well as L7(Websites) DDoS attacks. The tool also supports a server mode that connects multiple instances of raven-storm and creates a small botnet. A detailed analysis of the toolset can be found in a previous blog.
• Xerxes: A simple C program that was used by ‘Jester’ to DDoS WikiLeaks and since has gained popularity. The framework works by maintaining a full TCP connection. After making a full TCP Connection it only requires a few hundred requests at long term in regular intervals.
• Hulk: Another Python (now rewritten in GO) based program that stands for ‘HTTP-Unbearable-Load-King’ is another DDoS tool. This tool utilizes the lightweight Go-routines to start a high number of connection pools.

‍

Past TTPs for the group 

The group can be attributed to abusing the HTTP Flooding attack method and DDos utilizing multiple scripts for DDoS attacks, resembling the TTP of the DragonForce group.

• A tool called “./404found.my” could have been used to conduct the attacks on the mentioned websites, based on the present data available. The same tool was used and abused by the DragonForce group to target the Indian Army veteran website, the BJP website, and more in the past. 
• More additional details and analyses of the tool have been conducted in the TTP report of the DragonForce group.

‍

Impact & Mitigation

Impact

• DDoS can leave websites more vulnerable as some security features may be offline due to the attack.
• Damaged infrastructure can cause the collapse of services provided by the website.
• Websites become vulnerable to further attacks.
• Discrepancies for users accessing affected websites and resources

Mitigation

‍

• Deploy load balancers to distribute traffic.
• Enable rate-limiting mechanisms.
• Configure firewalls and routers to filter and block traffic.
• Utilize content delivery networks (CDNs) to distribute traffic.
• Implement bot-detection technologies and algorithms -to identify large-scale web requests from botnets employed by actors to conduct DDOS Attacks

‍

References

• ^#Traffic Light Protocol - Wikipedia
• https://cloudsek.com/threatintelligence/raven-storm-the-multi-threading-tool-employed-by-hacktivists-for-ddos-attacks

‍

Appendix

‍

‍

‍