Malaysian hacktivist group frames cyberattacks as retaliation for former BJP spokesperson Nupur Sharma’s remarks about the Prophet Muhammad
The Malaysian hacktivist group known as DragonForce has begun targeting India in retaliation for comments by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad that infuriated Indian Muslims and outraged a dozen Islamic nations. Operation “OpsPatuk” began on June 6, 2022. At the time of writing, the operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter and DragonForce’s own website, states a Fortinet Threat Alert.
Widely targeted sectors include financial organizations, government entities, and educational institutions. The FortiGuard Threat Research team also observed that hosting providers were one of their main targets, allowing attackers to compromise their customers’ websites. Moreover, the threat group also encouraged other hackers to join the operation.
Hacktivism uses computer-based civil disobedience techniques such as hacking to advocate for a political agenda or social change on the Internet. While the roots of hacktivism date back to the 1990s, people around the world have recently begun to embrace this strategy on a large scale, driven by the spread of digitalization and the paradigm shift brought on by the global pandemic.
The following notice contains details of the operation and the steps that can be taken to mitigate the risks.
What is #OpsPatuk?
#OpsPatuk, also known as Operation Patuk, is an ongoing operation led by a Malaysia-based hacktivist group dubbed “DragonForce”. June 6, 2022, saw one of the group’s first activities, which it branded as retaliation for anti-Muslim remarks made by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad and his third wife, Ayesha. The BJP (Bharatiya Janata Party) is one of India’s major political parties.
What are the most frequently observed attack vectors?
So far, DragonForce and its followers have primarily targeted victims using the following techniques:
- Website defacement
- Compromising VPN portals with stolen credentials
- Exploiting web application vulnerabilities
- Exploiting the recent vulnerability in Atlassian Confluence (CVE-2022-26134)
The group also posted sensitive information about several organizations on its official website.
Who are the targets?
At the time of writing, FortiGuard Threat Research could identify over 100 Indian websites targeted by the group. They seem to primarily target the government, technology, financial services, manufacturing, and education sectors.
What steps should a company take to mitigate its risks?
Hacktivist groups like DragonForce often react to specific events and therefore need to hit their targets quickly to get their message across while the event is still in the news. Because of this time pressure, driven by the need to create immediate awareness, they rely on relatively simple but highly visible activities such as DDoS attacks and website defacements. However, we anticipate that other common methods, such as public exploits and stolen credentials, will likely be used by these groups in the near future.
Accordingly, we suggest that organizations consider the following recommendations for mitigating the most common attack vectors to further strengthen their response to acts of hacktivism.
- Perform robust threat hunting around any compromised account. Check AV/EDR and SIEM logs to identify malicious activity.
- Once an infected system is identified, isolate it and reimage it.
- Change the passwords of compromised users.
- Notify users of the activity and instruct them to change passwords on all other public profiles and enable two-factor authentication where possible.
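As an added example that is not part of the Fortinet alert, the script below performs the account-based hunt from the list above over a VPN portal authentication log, and also checks a Confluence front-end access log for the attack vector listed earlier (CVE-2022-26134, an OGNL injection carried in the request URI). The log formats, account names, IP addresses and thresholds are constructed assumptions; the probe path in the web log is a placeholder, not a real payload.

```python
import re
from datetime import datetime, timedelta

COMPROMISED_ACCOUNTS = {"j.rao", "a.singh"}  # constructed: accounts seen in a leak
# Constructed VPN portal auth log (not from the Fortinet alert).
VPN_LOG = """\
2022-06-07T01:12:03Z vpn auth user=j.rao result=FAIL src=203.0.113.9
2022-06-07T01:12:09Z vpn auth user=j.rao result=FAIL src=203.0.113.9
2022-06-07T01:12:15Z vpn auth user=j.rao result=FAIL src=203.0.113.9
2022-06-07T01:12:40Z vpn auth user=j.rao result=OK src=203.0.113.9
2022-06-07T02:05:11Z vpn auth user=m.iyer result=OK src=198.51.100.4
2022-06-07T08:30:00Z vpn auth user=a.singh result=OK src=10.20.0.15
"""
# Constructed Confluence access log; the probe path is a placeholder, not a payload.
WEB_LOG = """\
203.0.113.9 - - [07/Jun/2022:02:10:01 +0000] "GET /%24%7BCONSTRUCTED_PROBE%7D/ HTTP/1.1" 302 0
198.51.100.4 - - [07/Jun/2022:02:11:30 +0000] "GET /login.action HTTP/1.1" 200 5120
"""
VPN_RE = re.compile(r"^(\S+) vpn auth user=(\S+) result=(OK|FAIL) src=(\S+)")
WEB_RE = re.compile(r'^(\S+) .* "(?:GET|POST) (\S+)')
# CVE-2022-26134 is OGNL injection through the request URI: the expression
# delimiter "${" (raw or URL-encoded as %24%7B) never belongs in a normal path.
OGNL_MARKER = re.compile(r"\$\{|%24%7B", re.IGNORECASE)

def hunt_vpn(log, compromised, max_fails=3, window=timedelta(minutes=5)):
    """Flag logins by compromised accounts, and successes after max_fails failures in `window`."""
    findings, recent_fails = [], {}
    for line in log.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, user, result, src = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fails = [f for f in recent_fails.get(user, []) if t - f <= window]
        if result == "FAIL":
            recent_fails[user] = fails + [t]
            continue
        if user in compromised:
            findings.append(("compromised-account-login", user, src))
        if len(fails) >= max_fails:
            findings.append(("success-after-fail-burst", user, src))
        recent_fails[user] = []  # a success resets the failure window
    return findings

def hunt_confluence(log):
    """Return source IPs of requests whose URI carries an OGNL expression marker."""
    matches = (WEB_RE.match(line) for line in log.splitlines())
    return [m.group(1) for m in matches if m and OGNL_MARKER.search(m.group(2))]
```

Findings from both hunts give the accounts to reset and the source addresses to pivot on in SIEM and EDR data.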
Organizations should conduct periodic security awareness training, which will help improve the operational security of their employees. Such training should ensure that users:
- are aware of the risks of online fraud.
- are aware that they should never share OTPs.
- understand the techniques used by malicious actors.
- are alert to suspicious activity on their systems and know whom to report it to within the organization.