Fortinet Threat Alert on Ongoing Hacktivist Operation #Opspatuk

Image credit: Skillcast

The Malaysian hacktivist group known as DragonForce began targeting India in retaliation for comments about the Prophet Muhammad made by BJP spokesperson Nupur Sharma (now suspended). The comments incensed Indian Muslims and outraged more than a dozen Islamic nations, and led the group to launch ‘OpsPatuk’, also known as Operation Patuk.

At the time of writing, this operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter, and their own DragonForce website.

Widely targeted sectors include financial organizations, government entities, and educational institutions. Hosting providers were one of their main targets, enabling attackers to compromise their customers’ websites. Additionally, the threat group has also encouraged other hackers to join the operation, according to the FortiGuard Threat Research Team.

Hacktivism uses computer-based civil disobedience strategies such as hacking to advocate a political agenda or social change on the Internet.

While the roots of hacktivism can be traced back to the 1990s, people worldwide have recently begun to adopt this strategy on a vast scale, driven by the expanding age of digitization and the paradigm shift brought about by the worldwide pandemic.

Common attack vectors observed

So far, DragonForce and its supporters have predominantly targeted victims using DDoS, website defacement, compromise of VPN portals with stolen credentials, exploitation of web application vulnerabilities, and exploitation of the recent Atlassian Confluence vulnerability (CVE-2022-26134).

The group has also publicly released sensitive information about several organisations on its official website.

FortiGuard Threat Research identified over 100 Indian websites targeted by the group. The group appears to be primarily targeting the government, technology, financial services, manufacturing, and education sectors.

Steps enterprises can take to mitigate their risk

Hacktivist groups like DragonForce often respond to specific events and therefore need to attack their targets quickly to get their message across while the event is still topical.

Because of this time constraint, driven by the need to create immediate awareness, they rely on relatively simple but highly visible activities such as DDoS attacks and website defacements. However, other common methods, such as public exploits and stolen credentials, are likely to be used by these groups in the near future.

As a result, organisations should review the following recommendations for mitigating the most common attack vectors to further strengthen their response to acts of hacktivism.

Carry out robust threat hunting based on any compromised account. Check AV/EDR and SIEM logs to identify malicious activity. Once an infected system is identified, isolate it and reimage it.
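As an added example of the log review recommended above (this is not code from Fortinet or the original alert), the following Python hunt scans web-server access logs for requests whose decoded path contains the OGNL expression marker `${`, the shape associated with CVE-2022-26134 exploitation attempts against Confluence. The log lines are constructed samples, the path text `example` is a placeholder rather than a payload, and the marker-based heuristic is an assumption that can flag legitimate paths containing `${`.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jun/2022:10:12:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Jun/2022:10:12:05 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.12 - - [04/Jun/2022:10:12:09 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.13 - - [04/Jun/2022:10:12:14 +0000] "GET /%2524%257Bexample%257D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"
"""

# Fields of the combined log format we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded paths (%2524 -> %24 -> $) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ognl_marker(path: str) -> bool:
    """Heuristic (assumption): an OGNL expression opener in the request path."""
    return "${" in decode_fully(path)


def hunt(log_text: str) -> list[dict]:
    """Return one record per request whose path carries the marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_ognl_marker(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": m["path"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]}')
```

Feed it real access logs by reading the file into `hunt()`; each hit is a starting point for the account- and host-level hunting described above, not a confirmed compromise.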

Change the passwords of compromised users, notify them of the activity, and instruct them to change the passwords on all their other public profiles and to enable two-factor authentication wherever possible.

Organisations should also conduct periodic security awareness training, which will help to improve the operational security of their employees.

Such training should ensure that users are aware of the risks of online fraud, never share OTPs, understand the techniques used by malicious actors, stay alert to suspicious activity on their systems, and know whom in the organisation to report it to.
