Fortinet Threat Alert on an Ongoing Hacktivist Operation #Opspatuk Conducted by The Malaysian Hacktivist Threat Group ‘DragonForce’ Against Indian Organizations
The ‘OpsPatuk’ operation began on June 6, 2022. That’s when the Malaysian hacktivist group known as DragonForce began targeting India in retaliation for comments made by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad that incensed Indian Muslims and outraged more than a dozen Islamic nations.
At the time of writing, this operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter, and their own DragonForce website.
Widely targeted sectors include financial organizations, government entities, and educational institutions. FortiGuard Threat Research Team has also observed hosting providers being one of their main targets, enabling attackers to compromise their customers’ websites. Additionally, the threat group has also encouraged other hackers to join the operation.
Hacktivism uses computer-based civil disobedience strategies such as hacking to advocate a political agenda or social change on the Internet. While the roots of hacktivism can be traced back to the 1990s, people worldwide have recently begun to adopt this strategy on a vast scale, thanks to the expanding age of digitization and the paradigm shift brought about by the worldwide pandemic.
Our team is proactively monitoring the OpsPatuk event and will release timely updates as events develop. Organization(s) could subscribe to the #OpsPatuk tag on FortiRecon to stay updated.
The following advisory contains details about the operation and steps that can be taken to mitigate risks.
What is #OpsPatuk?
#OpsPatuk, aka Operation Patuk, is an ongoing operation led by a Malaysia-based hacktivist group dubbed ‘DragonForce.’ June 6, 2022, witnessed one of the first activities by the group that framed cyberattacks as payback for anti-Muslim remarks made by BJP spokesperson Nupur Sharma (now suspended) about the Prophet Muhammad and his third wife, Ayesha. BJP (Bharatiya Janata Party) is one of India’s major political parties.
What are the most common attack vectors observed?
So far, DragonForce and its supporters have predominantly targeted victims using the following techniques:
- Website defacement
- Compromising VPN portals with stolen credentials
- Targeting web application vulnerabilities
- Exploiting the recent Atlassian Confluence vulnerability (CVE-2022-26134)
The group has also publicly released sensitive information about several organizations on its official website.
Who are the targets?
At the time of writing, FortiGuard Threat Research could identify over 100+ Indian websites targeted by the group. They seem to be primarily targeting the government, technology, financial services, manufacturing, and education sectors.
What steps should an enterprise take to mitigate its risk?
Hacktivist groups like DragonForce often respond to specific events and therefore need to be expeditious in attacking their targets to get their message across as quickly as possible. Due to this time constraint, driven by the need to create immediate awareness, they rely on relatively simple but highly visible activities like DDoS attacks and website defacements. However, we expect other common methods, such as public exploits and stolen credentials, will likely be utilized by these groups in the near future.
As a result, we propose that organization(s) review the following recommendations for mitigating the most common attack vectors to further strengthen their response to acts of hacktivism.
- Carry out robust threat hunting based on the compromised account. Check AV/EDR and SIEM logs to identify any malicious activities.
- Once the infected system is identified, isolate the system and perform reimaging.
- Change the passwords of compromised users.
- Notify users about the activity and inform them to change the passwords on all other public profiles and enable two-factor authentication wherever possible.
Organizations should conduct periodic security awareness training, which will help to improve the operational security of their employees. Such training should ensure that users:
- are aware of the risks of online fraud
- are aware they should never share OTPs
- understand the techniques used by malicious actors
- are conscious of any suspicious activity on their systems and understand who they should report this to within the organization
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
We also suggest that organizations have their end users undergo our free NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end-users learn how to identify and protect themselves from various types of phishing attacks.
Attack remediation and incident response
FortiGuard Incident Response Services deliver critical services before/during/after a security incident. Our experts arm your team with fast detection, investigation, containment, and return to safe operation.