Update 2: 13 June 2022, 18:30 IST
CloudSEK’s researchers captured a member of the DragonForce forum executing the purported DDoS attack on the BJP’s official website. The IP address in the image matches the IP address of the BJP’s server (i.e., 104[.]18[.]130[.]37).
In addition, CloudSEK’s researchers identified a threat actor group circulating contact numbers of Indian police personnel, along with WhatsApp chat links, in the comments section of DragonForce’s Instagram page. Identical content was found on the hacktivist group’s forum as well.
A comprehensive analysis of the threat revealed possible TTPs of the group:
- As mentioned previously, the group utilizes Google dorks to identify targets. This enables them to fetch targets of their own choice, based on the vulnerability they want to target.
- For instance, the actor group targeted the knowledge and resource sharing website of the Govt. of India ( https//krcnet[.]moes[.]gov[.]in/user/register ). The exact link was shared on the group’s forum for individuals to target. This website allows file types such as png, gif, and jpg to be uploaded, and permits image uploads of up to 250 MB, which the group could have abused to deface the website.
This website could have been discovered by the actors through Google dorks such as:
- “allowed file types: png gif jpg txt site:gov.in”
- “allowed file types: png gif jpg txt site:com”
- “allowed file types: png gif jpg txt site:net.in”
- “allowed file types: png gif jpg txt site:in”
- “allowed file types: png gif jpg txt site:ac.in”
- “allowed file types: png gif jpg txt”
- Domains with .gov.in, .com, .net.in, .in, and .ac.in are primarily being targeted by the attackers.
- The threat actor group uses a tool named SC Deface (or Script Deface) to deface target websites. The tool ships with pre-built defacement pages and designs that a user can download and insert into target websites, after modifying the HTML code and design to their intention.
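The upload endpoint described above accepted images by extension and allowed files of up to 250 MB, which is what makes defacement pages and PHP shells easy to plant. The following is an added example (not code from the report or the targeted site) of the server-side checks that close that gap: magic-byte sniffing, extension/content agreement, a script-marker scan, a modest size cap, and a randomised storage name. The size limit, extension list and storage policy are assumptions.

```python
# Added example (not part of the CloudSEK report): server-side checks for an
# image-only upload endpoint like the one described above. The size limit,
# extension list and storage policy below are assumptions for illustration.
import os
import re
import secrets

ALLOWED_EXT = {"png", "gif", "jpg", "jpeg"}
MAX_BYTES = 5 * 1024 * 1024          # assumed policy: a few MB, not 250 MB
MAGIC = {                            # file signatures for the allowed types
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}
# Markers that must never appear inside a file the web server might hand to
# a PHP or HTML handler (polyglot image/web shell, defacement page).
SCRIPT_TAG = re.compile(rb"<\?(php|=)|<script\b|<html\b", re.IGNORECASE)


def sniff_image(data):
    """Return 'png', 'gif' or 'jpg' from the leading bytes, else None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def validate_upload(filename, data):
    """Return (accepted, detail): detail is the reject reason or the
    randomised name the file should be stored under (outside the web root,
    served back through a handler that sets the image Content-Type)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Judge by the last extension only, so 'x.php.png' is not trusted by name.
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = sniff_image(data)
    if kind is None:
        return False, "content is not an image"
    if kind != ("jpg" if ext == "jpeg" else ext):
        return False, "extension does not match content"
    if SCRIPT_TAG.search(data):
        return False, "embedded script or markup"
    # Never keep the client-supplied name: an attacker-chosen name is what
    # gives a defacement page or shell a predictable, executable URL.
    return True, secrets.token_hex(16) + "." + kind
```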
Update 1: 13 June 2022, 14:30 IST
The group’s latest post on their website states that they will conduct a large-scale DDoS attack at 10:30 PM Malaysian Time (08:30 PM IST) on two Indian websites:
- Indian Army Veteran Site, allowing direct IP access to everyone: https//www[.]Indianarmyveteran[.]gov[.]in/, with IP address 164[.]100[.]228[.]84
- BJP’s website: https//www[.]bjp[.]org/home with IP address 104[.]18[.]130[.]37
The actor group specifically mentioned port 443 for the attack. The BJP’s website sits behind Cloudflare, while the Indian Army Veteran site has no such measure in place.
Latest update on DragonForce website
A possible TTP for the Host Net attack could be:
- The attacker exploited and bypassed the admin SQL and uploaded a reverse shell into the system.
- The actor abused a Google dork, using ./login with the site parameter set to “:in” for India.
- The actor bypassed the admin SQL using an exploit written in PHP and uploaded three files for reverse shell access into the system. These shell scripts were also written in PHP.
Information from Social Media
- On 10 June 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a Tweet posted by a Malaysian hacktivist group going by the name DragonForce, calling for attacks on Indian Government websites by Muslim hackers all around the world.
- The group’s primary objective of the attack, as claimed by them, was to get back at the Indian Government for controversial comments on Prophet Muhammad by some Indian politicians.
- To enable their allies to launch attacks, the group has shared:
  - Social media credentials of Indian nationals, especially Facebook account access
  - Purported username and password combinations for SBI bank accounts
SBI Bank credentials
- The group has named this operation OpsPatuk, which translates to “strike back”. The group has also shared evidence that they have hacked the following Indian government websites:
Upon further investigation, CloudSEK discovered multiple threat actors joining this operation and hacking various Indian websites. A few of these posts are listed below.
- An OpsPatuk hacker claims to have compromised one of the servers of Host Net India (216[.]48[.]179[.]60), and has shared sample images to substantiate the claim.
- Further research suggests that the initial attacks targeted web servers compromised using shared-hosting exploits. The attackers could also have exploited and bypassed the admin SQL, or abused Google dork indexing, to upload a reverse shell to the system.
- Another member of the OpsPatuk operation was found discussing a potential cyber attack on the official website of BJP, the Indian ruling party.
- The group behind this cyber call to arms, DragonForce Malaysia, is a pro-Palestinian hacktivist group based in Malaysia.
- This group owns and operates a forum where they post announcements and discuss their latest activities.
- The group also has Instagram and Facebook pages along with multiple Telegram channels. However, most content is replicated across their website and social media handles.
- The group has been conducting regular recruitment and promotion campaigns using TikTok and Instagram reels.
- CloudSEK discovered a TikTok hashtag #opspatuk, with posts calling for action against the Indian government. These posts have over 2.4 million views, at the time of publishing this report.
The group has shared a list of sites that they are encouraging their supporters and allies to target. Apart from several Indian government websites, this also includes the following kinds of private Indian organizations:
- Logistics and Supply Chain Companies
- Educational institutions
- Technology and Software Companies
- Web Hosting Providers
DragonForce has previously been associated with the following groups, the majority of which appear to be from Malaysia or Pakistan.
- Revolution Pakistan
In response to DragonForce’s clarion call, Team Revolution Pakistan has already hacked Time8, an Assam-based digital news channel. During a live news stream, the channel’s transmission was interrupted and replaced by Pakistan’s flag and a background hymn praising Prophet Muhammad (PBUH).
It is highly likely that such activities, by the group’s supporters, will gain momentum in the coming days.
So far, DragonForce and its supporters have primarily employed the following server-side and client-side attacks to target victims:
| Server-side attacks | Client-side attacks |
|---|---|
DragonForce and its supporters have been relying on web shells to maintain their foothold on target organizations’ networks.
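The Host Net TTPs above (PHP shell files dropped after an upload bypass) and the web-shell foothold described here both leave a recognisable trace in web server access logs. The following is an added example (not from the CloudSEK report) of a triage pass over Apache combined-format logs that flags the two behaviours a dropped PHP shell produces: a script being served from an upload directory, and POSTs to a PHP resource that is not one of the application’s known endpoints. The upload directory names, the known-endpoint list and the log lines are constructed for illustration.

```python
# Added example (not from the CloudSEK report): flag access-log entries that
# look like a dropped PHP web shell being reached. Directory names, endpoint
# list and sample log lines are constructed assumptions for illustration.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_DIRS = ("/uploads/", "/files/", "/images/")      # assumed upload roots
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")          # server-executable
KNOWN_POST_ENDPOINTS = {"/index.php", "/user/login.php"} # assumed app routes


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0].lower()  # drop query string
    rec["status"] = int(rec["status"])
    return rec


def flag_webshell_activity(lines):
    """Return a list of (ip, path, reason) for suspicious successful requests."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] >= 400:
            continue                      # failed requests are noise here
        path = rec["path"]
        executable = path.endswith(EXEC_EXT)
        if executable and any(d in path for d in UPLOAD_DIRS):
            alerts.append((rec["ip"], path, "script executed from upload dir"))
        elif executable and rec["method"] == "POST" \
                and path not in KNOWN_POST_ENDPOINTS:
            alerts.append((rec["ip"], path, "POST to unknown PHP resource"))
    return alerts


# Constructed sample log (Apache combined format, RFC 5737 test addresses).
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Jun/2022:18:02:11 +0530] "POST /user/register HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2022:18:02:40 +0530] "GET /uploads/avatars/a1.png HTTP/1.1" 200 8192',
    '198.51.100.7 - - [13/Jun/2022:18:03:05 +0530] "GET /uploads/avatars/up.php HTTP/1.1" 200 734',
    '198.51.100.7 - - [13/Jun/2022:18:03:20 +0530] "POST /uploads/avatars/up.php HTTP/1.1" 200 1020',
    '203.0.113.9 - - [13/Jun/2022:18:04:00 +0530] "POST /admin/tools.php HTTP/1.1" 200 300',
]
```

Run `flag_webshell_activity(SAMPLE_LOG)` to see the three flagged requests; in practice the known-endpoint set should be generated from the application's routing table rather than typed by hand.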
Hacktivism, also known as hactivism, is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change on the Internet. With growing digitization and the paradigm shift brought about by the global pandemic, people all over the world have begun to use this tactic on a large scale. This has been especially prevalent since the Russia-Ukraine conflict began in February 2022, which saw the emergence of several hacktivist groups on both sides.
In light of DragonForce’s forceful actions and threats, it is important for Indian firms and government entities to secure their websites, assets, and endpoints to prevent further escalation of attacks.
CloudSEK will continue to investigate this developing pattern of attacks and provide timely updates to bolster the security of the Indian government and private entities.