Malaysian Hacktivist Group frames cyberattacks as payback for remarks made by ex-BJP spokesperson Nupur Sharma about the Prophet Muhammad
Malaysian hacktivist group known as DragonForce began targeting India in retaliation for comments made by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad that incensed Indian Muslims and outraged more than a dozen Islamic nations. The ‘OpsPatuk’ operation began on June 6, 2022. At the time of writing, this operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter, and their own DragonForce website, says a Fortinet Threat Alert.
Widely targeted sectors include financial organizations, government entities, and educational institutions. FortiGuard Threat Research Team has also observed hosting providers being one of their main targets, enabling attackers to compromise their customers’ websites. Additionally, the threat group has also encouraged other hackers to join the operation.
Hacktivism uses computer-based civil disobedience strategies such as hacking to advocate a political agenda or social change on the Internet. While the roots of hacktivism can be traced back to the 1990s, people worldwide have recently begun to adopt this strategy on a vast scale, thanks to the expanding age of digitization and the paradigm shift brought about by the worldwide pandemic.
The following advisory contains details about the operation and steps that can be taken to mitigate risks.
What is #OpsPatuk?
#OpsPatuk, aka Operation Patuk, is an ongoing operation led by a Malaysia-based hacktivist group dubbed ‘DragonForce.’ 6 June 2022, witnessed one of the first activities by the group that framed cyberattacks as payback for anti-Muslim remarks made by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad and his third wife, Ayesha. BJP (Bharatiya Janata Party) is one of India’s major political parties.
What are the most common attack vectors observed?
So far, DragonForce and its supporters have predominantly targeted victims using the following techniques:
- Website defacement
- Compromising VPN portals with stolen credentials
- Targeting web application vulnerabilities
- Exploiting the recent Atlassian Confluence vulnerability (CVE-2022-26134)
The group has also publicly released sensitive information about several organizations on its official website.
Who are the targets?
At the time of writing, FortiGuard Threat Research could identify over 100+ Indian websites targeted by the group. They seem to be primarily targeting the government, technology, financial services, manufacturing, and education sectors.
What steps should an enterprise take to mitigate its risk?
Hacktivist groups like DragonForce often respond to specific events and therefore need to be expeditious in attacking their targets to get their message across as quickly as possible. Due to this time constraint, driven by the need to create immediate awareness, they rely on relatively simple but highly visible activities like DDoS attacks and website defacements. However, we expect other common methods, such as public exploits and stolen credentials, will likely be utilized by these groups in the near future.
As a result, we propose that organization(s) review the following recommendations for mitigating the most common attack vectors to further strengthen their response to acts of hacktivism.
- Carry out robust threat hunting based on the compromised account. Check AV/EDR and SIEM logs to identify any malicious activities.
- Once the infected system is identified, isolate the system and perform reimaging.
- Change the passwords of compromised users.
- Notify users about the activity and inform them to change the passwords on all other public profiles and enable two-factor authentication wherever possible.
Organizations should conduct periodic security awareness training, which will help to improve the operational security of their employees. Such training should ensure that users:
- are aware of the risks of online fraud.
- are aware they should never share OTPs.
- understand the techniques used by malicious actors.
- are conscious of any suspicious activity on their systems and understand who they should report this to within the organization.