India most targeted country by religiously motivated hacktivists
6 min read 08 Aug 2023, 10:20 AM ISTSecurity firms are now using machine learning and artificial intelligence algorithms to analyze the massive amounts of data from multiple sources including network traffic, endpoints, and applications, to tackle this menace.
PremiumSpurred by the belief that India has hurt their religious sentiments, hacktivist groups have been intensifying their online attacks on the country in a bid to get even, according to security firms tracking these groups.
In May, security firm Radware pointed out that hacktivists claimed 480 distributed denial-of-service, or DDoS, attacks targeting Indian websites in just the first three months of this year, making it the most targeted country. On Monday, a new report by CloudSek Information Security corroborated the trend, adding that the hacktivists have been doing so not just in the recent past but for the last two years.
While hacktivists have both political and religious reasons to target countries like Israel, Poland, Australia, and Pakistan, according to CloudSek, they target India primarily for religious reasons. CloudSek tracked the communication channels of these hacktivists from 2021 to 2023 and discovered that countries such as India (30.31%), Israel (14.51%), and Sweden (2.67%) were prime targets of hacktivists based in Pakistan, Bangladesh, Malaysia, and Indonesia.
Attacks on countries including Poland (5.14%), Ukraine (2.91%), Lithuania (2.97%), on the other hand, were primarily spurred by political factors with the attackers coming mainly from Middle Eastern and Russian groups, including Anonymous Sudan and the Russian hacktivist group NoName057, suspected to operate from Sudan and Russia, respectively.
Hacktivism as a trend began with groups launching cyber attacks to support social causes like the campaign called Worm Against Nuclear Killers (WANK) in 1989, and more recently, the farmers' struggle in India, and the Black Lives Matter movement. But these attacks are now also being used as a cover for religious and political ideologies and state-sponsored cyber attacks, blurring the lines between cyber warfare and digital dissent.
While political hacktivists target government institutions, political parties, or perceived oppressive organizations to promote their political agendas or ideologies, the religious ones target individuals, websites, or platforms deemed as a threat to their faith or engage in digital activism to promote their religious cause. Those seeking fame and popularity, typically carry out high-profile cyber attacks that garner media attention, according to security firms.
The Indian farmer’s protest in 2020, for instance, led to the emergence of hacktivist groups like Anonymous India and the Red Rabbit Team. On 10 June, 2022, a hacktivist group that calls itself 'DragonForce Malaysia' launched a series of reactionary cyberattacks christened OpsPatuk, against the government of India and numerous organizations across the country in response to the controversial remarks made by the then Bharatiya Janata Party (BJP) spokesperson Nupur Sharma, condemning Prophet Muhammad.
The group, according to Radware Advisory, is a known pro-Palestinian hacktivist group located in Malaysia and works with several other hacker groups including T3 dimension Team, Reliks Crew, and AnonGhost. This April, the hactivist group returned for the third year in a row with operations targeting Israel with its OpsPetir campaign.
On February 5 this year, a group called Team Insane PK restarted the OpIndia campaign on Kashmir Solidarity Day. This March, a hacktivist group called Mysterious Team Bangladesh launched a campaign named 'Operation Payback', involving multiple rattacks on Indian websites and publicized their actions on social media and internet messaging channels. They were responding to Indian hacktivists targeting websites in Pakistan, Bangladesh, Indonesia and Malaysia, according to Radware. Another campaign called OpIndia2.0 was initiated by Indonesian hacktivist groups VulzSec and Hacktivist of Garuda on 20 April.
India, too, has sympathiser hacktivist groups. For instance, a group that calls itself the 'Indian Cyber Mafia’ allegedly launched online attacks on Indonesian universities this April, as a "payback" for the attacks by Indonesian groups on Indian entities. Other Indian-sympathizing hacktivists include Anonymous India, Mariana’s Web, Team UCC Operation, Indian Cyber Mafia, Indian Cyber Force, Team 1-4-1 and Kerala Cyber Xtractors, according to Radware.
Meanwhile, incidents of hacktivism have only increased in the Middle Eastern and Asian region followed by Europe, following the Russia-Ukraine war. According to Radware, over 1,800 DDoS attacks were claimed by political and religious hacktivists across 80 Telegram channels between 18 February and 18 April. NoName057(16) claimed almost 30% of the attacks, followed by Anonymous Sudan (18%) and Mysterious Team (13%).
NoName057(16) is by far the most active DDoS hacktivist among the politically driven, pro-Russian hacktivists. Anonymous Sudan, Mysterious Team, and Team Insane PK are responsible for most of the religiously-motivated DDoS activity and ranked second, third, and fourth respectively among hacktivists claiming the most attacks, notes Radware. Passion, the pro-Russian, turned for-profit criminal hacktivist group that provides DDoS-for-hire services, targets large US-based tech companies.
According to Panda Security, hacktivists use many techniques including Doxing, which exposes personal and identifiable information about a specific person or group to the public; Anonymous blogging; DoS and DDoS attacks; Informational leaks that use insider sources to publicise incriminating information; Geo-bombing that exposes hidden locations of an image; Website mirroring that replicates a real website with a slightly different URL (internet address) to evade censorship laws; and Code Changing of a website to personalize website content and deface the site’s appearance to fit the message of their own agendas.
In these two years, hacktivists mostly targeted the government sector, followed by non-profit organisations, education, automobile, finance and banking, and energy, oil and gas sectors. The automobile and educational sectors, for instance, faced defacement, DDoS attacks, and occasional instances of alleged data leaks through the exploitation of openly available data using Google Dorking (also known as Google hacking, it's a method that can help users locate difficult to find information with the help of simple search queries by providing a search string that uses advanced search operators) techniques. The hacktivists also launched DDoS attacks on internet banking services, and the energy sector.
According to Radware, the attacks are becoming more sophisticated with new types of HTTPS (Hypertext Transfer Protocol Secure, used for safer communication) Flood attacks that are also referred to as Web DDoS Tsunami attacks. These attacks originated when Russia invaded Ukraine last February. These typically are encrypted, high-volume bot attacks from multiple entry points that can evade standard web application firewalls (WAF) and network-based DDoS tools, rendering them ineffective.
Security firms are now using machine learning and artificial intelligence (AI) algorithms to analyze the massive amounts of data from multiple sources including network traffic, endpoints, and applications, to tackle this menace. But these very tools are being used by top hacktivist groups including Anonymous or Anon--a hacktivist group formed in 2008 that rose to prominence following their attacks on the Church of Scientology; LulzSec, founded in 2011 by some Anon members; Masters of Deception (MOD), established to mock Legion of Doom (LOD) in the 1990s; and Chaos Computer Club, founded in 1989, and one that focuses mainly on Germany’s information systems.
Given the nature of the sophisticated attacks, Radware, among other things, advises organizations to implement Layer 7 (L7), behavioral-based security solutions that can adapt in real time with the help of AI algorithms, and thus block bot attacks without blocking legitimate human traffic.
CloudSek recommends that organizations should implement a range of security measures including regular security assessments, incident response planning, employee training, network segmentation, threat intelligence, and disaster recovery protocols, to defend against hacktivist attacks.
Of course, these tasks are easier said than done, which explains why chief information officers (CIOs) and chief information security officers (CISOs) have their work cut out.
