By Nikhil Karan Taneja, Vice President and Managing Director for India – The Middle East and South Asia, Radware
Hacktivism reached new heights in 2023. It was a year where new hacktivists appeared on the threat scene and became more visible through Telegram, a popular social media platform leveraged by many threat actors.
India was certainly not immune to this hacktivist activity. In fact, according to Radware’s recent Global Threat Intelligence Analysis, India was the second most targeted country for hacktivist activity in the world in 2023 with 1242 claimed attacks, second only to Israel with 1480 claimed attacks. By learning more about these regional hacktivist trends, the evolving attack tactics and cyber targets, and the bad actors shaping them, organizations can make more informed decisions about their security defenses and respond faster to current threats.
Hacktivist tactics and targets
Hacktivism is a complex phenomenon that can be motivated by various factors, including religious and political beliefs. While hacktivists may have different motivations and methods, they all share a desire to use technology to advance their cause and to challenge those they believe are acting against it.
Hacktivists use a variety of tactics to achieve their goals, and the specific tactics they use depend on their motivations and the resources they have at their disposal. Their methods are constantly evolving as new technologies and platforms emerge. While some tactics may be illegal or unethical, hacktivists argue that they use their skills to promote social or political change and hold powerful organizations and governments accountable for their actions.
Some common tactics used by hacktivists:
- Data breaches: Hacktivists may gain unauthorized access to an organization’s computer systems and steal sensitive information, such as personal data or confidential documents. They may then release this information publicly or use it to further their political or religious goals. Over the last few months, hacktivists have claimed a large number of data breaches and credential compromises. While many are most likely fake breaches leveraging old and previously stolen documents from prior data leaks, this remains hard to prove. The sheer volume of claimed breaches makes it impossible to assess the success of the hacktivists.
- Website defacements: Hacktivists may hack into a website and replace its content with their own messages or images. This tactic is often used to express dissent or to raise awareness of a particular issue. Some hacktivists, for example, claimed a good number of defacements in recent attacks against Israeli business and government websites during #OpIsrael and #OpsPetir.
- Denial-of-service attacks: These attacks involve overwhelming a website or online service with traffic, making it unavailable to users. Hacktivist groups use DDoS attacks to disrupt the websites of organizations and governments they oppose. Since the start of the conflict in Ukraine, DDoS attacks have been performed on both sides of the conflict, with Ukrainian hackers targeting Russian organizations and pro-Russian hackers targeting any government or organization that might demonstrate support for Ukraine.
DDoS attacks are not only surging in volume and frequency but are also getting more sophisticated. According to Radware’s threat intelligence report, the number of attacks in the first quarter of 2024 in India alone rose 121%, compared to the fourth quarter of 2023. Some of the latest threat intelligence also shows a global shift in DDoS tactics as attacks progress from Layers 3 and 4 to Layer 7. Layer 7 attacks target not just online applications and their APIs, but also essential infrastructure, such as the Domain Name System.
In India, the top targeted website category during the first quarter of 2024 was government with 45 claimed attacks. Education and financial services ranked second and third with 35 and 16 attacks respectively. These high-value targets attract malicious actors because of the publicity they generate when targeted and the tactical advantage they offer in hybrid warfare.
- Media campaigns: Hacktivists use social platforms like Telegram, Twitter, and Facebook to spread their message and raise awareness for their cause. They create viral campaigns or use hashtags to amplify their message and reach a wider audience. DragonForce Malaysia has proven to be highly effective in their communications and moved part of their private forum to a public Telegram channel to increase their visibility.
Most active attacker groups
Hacktivist campaigns targeting India have been on the rise due to negative sentiments spread through social media campaigns like “Islamophobia_in_India” and “SaveIndianMuslims.” These campaigns often involve the sharing of fake content by people in India and abroad who have strong ideological biases. This fake content provokes hacktivist groups to misunderstand the actual social and political situation in India and take action.
So, who were the bad actors with their sights set on India? Between January and March of 2024, India was the target of multiple cyber gangs. Ketapang Grey Gat Team and Sylhet Gang were among the most active hacktivist groups targeting India, ranking first and second respectively.
Ranking third was Channel DDoS-V2, a DDoS-as-a-Service provider, also known as a booter or stresser service. Channel DDoS-V2 sells subscriptions to its DDoS attack infrastructure and allows anyone who pays for a subscription to perform attacks on any target. In some cases, the allowed attack activity can be restricted from targeting certain countries. For example, Russian-based stresser services do not allow attacks against Russian targets. Stressers like Channel DDoS-V2 regularly target high-profile organizations as a form of advertisement and proof of their capabilities.
The technological race between good and bad actors has never been more intense and shows no signs of abating in the future. Going forward, look for hacktivists to become even more proficient and more emboldened with advancements like Generative AI at their fingertips. In addition, look for attack numbers to continue to climb and attack patterns to further evolve. One constant you can count on is the commitment among the hacktivist collectives to use cyber attacks to not only advance their political and religious agendas, but also capitalize on the publicity.