FortiGuard Labs Threat Research
The 'OpsPatuk' operation began on June 6, 2022. That’s when the Malaysian hacktivist group known as DragonForce began targeting India in retaliation for controversial comments made by a BJP spokesperson.
At the time of writing, this operation has compromised over 102 websites and continues to list new targets on various social media platforms, including Telegram, Twitter, and their own DragonForce website.
Widely targeted sectors include financial organizations, government entities, and educational institutions. The FortiGuard Threat Research Team has also observed hosting providers being one of the group's main targets, since compromising a provider lets attackers compromise its customers' websites. The threat group has also encouraged other hackers to join the operation.
Hacktivism uses computer-based civil disobedience strategies such as hacking to advocate a political agenda or social change on the Internet. While the roots of hacktivism can be traced back to the 1990s, people worldwide have recently begun to adopt this strategy on a vast scale, thanks to the expanding age of digitization and the paradigm shift brought about by the worldwide pandemic.
Our team is proactively monitoring the OpsPatuk event and will release timely updates as events develop. In addition, the following advisory contains details about the operation and steps that can be taken to mitigate risks.
#OpsPatuk, aka Operation Patuk, is an ongoing operation led by a Malaysia-based hacktivist group dubbed 'DragonForce.' June 6, 2022, witnessed one of the first activities by the group that framed cyberattacks as retribution for controversial remarks made by a BJP spokesperson (now suspended). BJP (Bharatiya Janata Party) is one of India's two major political parties.
So far, DragonForce and its supporters have predominantly targeted victims using the following techniques:
The group has also publicly released sensitive information about several organizations on its official website.
At the time of writing, FortiGuard Threat Research could identify more than 100 Indian websites targeted by the group. It seems to be primarily targeting the government, technology, financial services, manufacturing, and education sectors.
Hacktivist groups like DragonForce often respond to specific events and therefore need to be expeditious in attacking their targets to get their message across as quickly as possible. Due to this time constraint, driven by the need to create immediate awareness, they rely on relatively simple but highly visible activities like DDoS attacks and website defacements. However, we expect other common methods, such as public exploits and stolen credentials, will likely be utilized by these groups in the near future.
As a result, we propose that organizations review the following recommendations for mitigating the most common attack vectors to further strengthen their response to acts of hacktivism.
As multiple techniques are being used in this operation to make the quickest and most high-profile impact, the list of Fortinet protections covers many areas. Customers should assess the risk to their organization and implement appropriate security controls where needed. Here is a selection of ways Fortinet can help.
Organizations should monitor for spikes in incoming network traffic and scale accordingly to mitigate downtime caused by such increases in traffic.
Organizations should implement a risk-based vulnerability management process for their IT infrastructure to ensure that critical vulnerabilities and security misconfigurations are identified and prioritized for remediation.
To prevent credential stuffing attacks, which rely on the inevitability of users re-using passwords across multiple sites, organizations must enforce Multi-Factor Authentication (MFA) for all logins.
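As an added illustration of the monitoring advised above (example code, not from FortiGuard or this advisory), the following Python script parses a constructed, simplified access log and flags two of the behaviours the advisory names: per-minute request-rate spikes consistent with flood traffic, and a single source failing logins against many distinct accounts, the footprint of credential stuffing. The log format, thresholds, paths and IP addresses are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format (an assumption, not from the advisory):
# "<ISO timestamp> <source IP> <HTTP status> <path> <username or ->"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")

def parse_log(lines):
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, status, path, user = m.groups()
            entries.append({"ts": ts, "ip": ip, "status": status, "path": path, "user": user})
    return entries

def rate_spikes(entries, factor=5.0):
    """Minutes whose request count is at least factor * the median minute (flood indicator)."""
    per_minute = Counter(e["ts"][:16] for e in entries)  # key: YYYY-MM-DDTHH:MM
    if not per_minute:
        return {}
    baseline = statistics.median(per_minute.values())
    return {minute: n for minute, n in per_minute.items() if n >= factor * baseline}

def credential_stuffing(entries, min_accounts=5, login_path="/login"):
    """Source IPs whose failed logins (HTTP 401) span many distinct accounts."""
    accounts = defaultdict(set)
    for e in entries:
        if e["path"] == login_path and e["status"] == "401" and e["user"] != "-":
            accounts[e["ip"]].add(e["user"])
    return {ip: len(a) for ip, a in accounts.items() if len(a) >= min_accounts}

def constructed_log():
    """Constructed traffic: quiet baseline, one stuffing source, one minute of flood."""
    lines = [
        "2022-06-07T10:00:01 203.0.113.5 200 /index.html -",
        "2022-06-07T10:00:09 198.51.100.7 200 /about.html -",
        "2022-06-07T10:00:31 198.51.100.7 200 /login alice",
        "2022-06-07T10:01:05 192.0.2.10 200 /index.html -",
        "2022-06-07T10:01:40 192.0.2.10 200 /contact.html -",
        "2022-06-07T10:02:10 203.0.113.5 200 /index.html -",
    ]
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2022-06-07T10:02:{20 + i:02d} 203.0.113.9 401 /login {user}")
    for i in range(40):  # four sources share 40 requests within one minute
        lines.append(f"2022-06-07T10:03:{i:02d} 203.0.113.{50 + i % 4} 200 /index.html -")
    return lines
```

Against the constructed log, `rate_spikes` reports only the 10:03 minute and `credential_stuffing` reports only 203.0.113.9; the same two functions run unchanged over real traffic once `LINE_RE` is adapted to the server's log format.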
FortiGuard Incident Response Services deliver critical services before/during/after a security incident. Our experts arm your team with fast detection, investigation, containment, and return to safe operation.
These threat actors are using multiple techniques to achieve their goals. The known exploits in use target the following recently publicized vulnerabilities; organizations are cautioned that this list is expected to grow.
Atlassian Confluence vulnerability CVE-2022-26134 (Outbreak Alert)
Java/Websh.D!tr
HTML/Agent.D71B!tr
W32/Filecoder.1104!tr.ransom
ELF/BitCoinMiner.HF!tr
ELF/Mirai.A!tr
Linux/Agent.PZ!tr
Linux/CVE_2021_4034.G!tr
Riskware/CoinMiner
Adware/Miner
MSDT Follina CVE-2022-30190 (Outbreak Alert)
WSO2 vulnerability (CVE-2022-29464)
W64/Agent.CY!tr
ELF/Agent.AR!tr
ELF/BitCoinMiner.HF!tr
Java/Agent.AUJ!tr
Java/Webshell.E!tr
Java/Webshell.0CC4!tr
Riskware/Generic.H2
Malicious_Behavior.SB
Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.