Cyber Warfare After Pahalgam: Over 1.5 Million Cyberattacks Target Indian Infrastructure

 

Following the Pahalgam terror incident, India experienced a massive wave of cyberattacks launched by hostile hacker groups operating from Pakistan, Bangladesh, Indonesia, and parts of the Middle East. As per a detailed investigation by the Maharashtra Cyber Cell, over 1.5 million cyber intrusions targeted Indian websites and digital systems in a deliberate, coordinated assault meant to disrupt national infrastructure and spread psychological unrest.

According to a government report titled “Road of Sindoor,” the cyber onslaught was a retaliatory move against India’s military operation conducted under the same name. The attacks aimed at government portals, municipal databases, aviation systems, and other vital infrastructure.

Despite the scale of the offensive, only 150 of the attacks showed limited success, marking a mere 0.01% success rate. This reflects India’s growing cyber resilience and the relatively low effectiveness of these foreign cyber operatives.

7 Pakistani-Backed Hacker Groups Identified

The Maharashtra Cyber Cell report identified seven key hacker groups orchestrating the campaign:
  • APT 36
  • Pakistan Cyber Force
  • Team Insane PK
  • Mysterious Bangladesh
  • Indo Hacks Sec
  • Cyber Group HOAX 1337
  • National Cyber Crew (Pakistan-allied)
These collectives employed tactics such as DDoS attacks, malware deployment, GPS spoofing, and website defacements. One of the more visible intrusions was the defacement of the Kulgaon Badlapur Municipal Council website. Additionally, several unverified claims circulated online, alleging cyber breaches of the Mumbai airport systems and telecom infrastructures.

More concerning was the coordinated use of disinformation, which sought to falsely portray that India's banking sector, power grid, and satellite systems had been compromised. The report revealed that over 5,000 fake social media posts linked to the India-Pakistan conflict were detected and removed.

Ceasefire Didn’t Halt Cyber Assaults

Even as a ceasefire agreement remained in place between India and Pakistan, cyber offensives continued, especially from Bangladesh, Indonesia, and allied Middle Eastern entities. While officials observed a decline in attack frequency post-ceasefire, they confirmed that the attacks never fully stopped.

Authorities stated, “These campaigns weren’t amateur attempts. They were designed to destabilize. Though thwarted, they signal a persistent digital threat landscape India must be prepared for.”

State and national intelligence units are now working in tandem to bolster surveillance, reinforce cybersecurity protocols, and pre-empt future threats.

The “Road of Sindoor” report has been formally shared with the Director General of Police, the State Intelligence Department, and other key law enforcement bodies, affirming India’s strategic focus on digital sovereignty and cybersecurity preparedness.

India Faces Cyber Onslaught After Operation Sindoor Military Strikes

 

In the aftermath of India’s military action under Operation Sindoor, Pakistan responded not only with conventional threats but also with a wave of coordinated cyberattacks. While India’s defense systems effectively intercepted aerial threats like drones and missiles, a simultaneous digital assault unfolded, targeting the nation’s critical infrastructure and strategic systems. 

Reports from The Times of India indicate that the cyberattacks were focused on key defense public sector units (PSUs), their supporting MSMEs, and essential infrastructure including airports, ports, the Indian Railways, power grids, and major telecom providers such as BSNL. Additionally, digital financial platforms—ranging from UPI services to stock exchanges and mobile wallets—were also in the crosshairs. 

Sources suggest these cyber intrusions aimed to steal classified military data, disrupt daily life, and damage India’s global standing. Allegedly, the attackers sought intelligence on missile defense systems and military readiness. In retaliation, India reportedly struck back at Pakistani military infrastructure, although the cyber battlefield remains active. 

Cybersecurity expert and Interpol trainer Pendyala Krishna Shastry confirmed the attacks involved a range of methods: malware deployment, denial-of-service (DoS) strikes, phishing schemes, and website defacements. These tactics targeted multiple sectors, including finance, telecom, and public services, aiming to breach systems and sow confusion. 

Website tracking portal Zone-H recorded several government domain breaches. Notable targets included the websites of the National Institute of Water Sports (niws.nic.in) and nationaltrust.nic.in, both of which were defaced before being restored. The Central Coalfields Ltd (CCL) website also experienced a breach, displaying a message from a group calling itself “Mr Habib 404 – Pakistani Cyber Force,” declaring, “You thought you were safe, but we are here.” 

Although CCL’s Public Relations Officer Alok Gupta dismissed the breach as a technical issue with no data loss, cybersecurity experts warn that downplaying such incidents could weaken national digital defense. 

This escalation underscores how cyber warfare is now being integrated into broader military strategies. Experts argue that India must urgently strengthen its cyber defenses to address the growing threat. Priorities include deploying AI-based threat detection, reinforcing CERT-In and sector-specific Security Operation Centres (SOCs), enforcing strong cybersecurity practices across public systems, and expanding collaboration on global cyber intelligence. 

As state-sponsored attacks become more sophisticated and frequent, India’s ability to defend its digital frontier will be just as crucial as its military strength.

Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack

 

As tensions continue to rise in the wake of the Pahalgam terror attack and India's subsequent launch of Operation Sindoor, a fierce cyber confrontation has simultaneously unfolded in the digital realm. Hacktivist groups aligned with both India and Pakistan have been engaged in a sustained virtual clash.

A cyber threat intelligence assessment by Kochi-based cybersecurity firm Technisanct highlights how pro-Pakistan and Bangladeshi hacktivist groups have launched a wave of cyberattacks on Indian institutions. While not all incidents were listed in the public report, Technisanct noted key Indian targets including BSNL, the Income Tax Department, Hindustan Aeronautics Ltd, various state government websites, and Indian Railways. In retaliation, pro-India hacktivists focused their attacks on Pakistani establishments such as the Pakistan Air Force, Punjab Emergency Service Department, the Bank of Punjab, Ministry of Finance, and Jinnah International Airport.

The report identifies more than 200 cyber incidents between April 22—the day of the Pahalgam attack—and May 8, just after Operation Sindoor was launched. This data, compiled using threat intelligence sources like falconfeeds.io, Technisanct’s monitoring tools, public disclosures, and threat actor communications across Telegram and X, signals the heightened scale of this cyber offensive.

Among the reported incidents, 111 were DDoS (Distributed Denial of Service) attacks, which aim to overwhelm target servers and disrupt online services. DDoS attacks made up 55.5% of the total. Other forms of attacks included website defacements (35.5%), general cyber alerts (11%), data breaches (7.5%), unauthorized access attempts (2%), and data leaks (1.5%). For context, there were only 147 DDoS attacks in India between February and April, while 112 DDoS cases were recorded from May 1 to 9 alone.

Government and public sector entities bore the brunt of the offensive, accounting for 52% of incidents (104 cases). Educational institutions followed with 43 attacks (21.5%), and technology or IT service firms recorded 13 attacks (6.5%). The focus on essential public sectors and IT infrastructure signals a calculated effort to disrupt public services and potentially compromise broader networks.

"The targeting of technology & IT services organisations could indicate an attempt to leverage these entities for further attacks or to compromise supply chains," the report noted.

Technisanct identified 36 pro-Pakistan hacktivist groups responsible for the digital assaults, with 14 Indian groups retaliating. Leading the offensive from the Pakistani side were:
  • Nation of Saviors (34 incidents)
  • Keymous+ (26)
  • Electronic Army Special Forces (25)
  • KAL EGY 319 (16)
  • GARUDA ERROR SYSTEM (15)
  • AnonSec (14)
  • Sylhet Gang-SG (13)
  • Mr Hamza (11)
  • Dark Cyber Gang (9)
  • INDOHAXSEC (8)
"These groups have aggressively pursued ideologically motivated cyber operations targeting Indian government domains, military assets, and financial platforms. Their tactics largely revolve around DDoS attacks, defacement campaigns, and selective data leaks, often coordinated through Telegram, X and other encrypted channels. The prominence of these actors underscores an organised and sustained campaign against Indian interests in cyberspace, leveraging real-world conflicts to justify digital aggression," the report states.

Technisanct CEO Nandakishore Harikumar told Onmanorama,

"The physical war is highly proportional to digital war. When a single missile is launched in the physical space, thousands of missiles can be launched in the cyber space. The intention is to hit services directly. I believe that, gradually, maybe in the next 50 years, 50 per cent of the war will be fought in the digital space. Even the flood of fake news and misinformation we see is kind of a warfare. We started seeing a huge pattern of this during the Ukraine-Russian crisis, followed by the Israel-Palestine clash."

The report concluded that the cyber activities post-Pahalgam represent a major and evolving national threat.

“The high volume of incidents, the increasing number of participating threat actors, the focus on critical sectors, and the escalating daily activity underscore the urgent need for a robust and comprehensive national cybersecurity strategy that explicitly addresses both cyberattacks and related disinformation, while also considering the dynamics of cyber conflict escalation.”

Russian Hacktivists Disrupt Dutch Institutions with DDoS Attacks

 

Several Dutch public and private organizations have experienced significant service outages this week following a wave of distributed denial-of-service (DDoS) attacks linked to pro-Russian hacktivists. The Netherlands’ National Cyber Security Center (NCSC), part of the Ministry of Justice, confirmed that the attacks affected multiple sectors and regions across the country.  

The NCSC disclosed that both government and private entities were targeted in what it described as large-scale cyber disruptions. While the full scope is still being assessed, municipalities and provinces including Groningen, Noord-Holland, Drenthe, Overijssel, Zeeland, Noord-Brabant, and cities like Nijmegen, Apeldoorn, Breda, and Tilburg reported that public portals were intermittently inaccessible. 

A pro-Russian threat group calling itself NoName057(16) has claimed responsibility for the cyberattacks through its Telegram channel. Though the NCSC did not confirm the motive, the group posted that the attacks were a response to the Netherlands’ recent €6 billion military aid commitment to Ukraine, as well as future support amounting to €3.5 billion expected in 2026. Despite the widespread disruptions, authorities have stated that no internal systems or sensitive data were compromised. 

The issue appears confined to access-related outages caused by overwhelming traffic directed at the affected servers — a hallmark of DDoS tactics. NoName057(16) has been a known actor in the European cybersecurity landscape since early 2022. It has targeted various Western governments and institutions, often in retaliation for political or military actions perceived as anti-Russian. The group also operates DDoSIA, a decentralized platform where users can participate in attacks in exchange for cryptocurrency payments. 

This model has enabled them to recruit thousands of volunteers and sustain persistent campaigns against European targets. While law enforcement in Spain arrested three alleged DDoSIA participants last year and confiscated their devices, key figures behind the platform remain unidentified and at large. The lack of major indictments has allowed the group to continue its operations relatively unimpeded. 

The NCSC has urged organizations to remain vigilant and maintain strong cybersecurity protocols to withstand potential follow-up attacks. With geopolitical tensions remaining high, experts warn that such politically motivated cyber operations are likely to increase in frequency and sophistication. 

As of now, restoration efforts are ongoing, and the government continues to monitor the digital landscape for further signs of coordinated threats.

India Strengthens Cybersecurity Measures Amid Rising Threats Post-Pahalgam Attack

 

In response to a surge in cyberattacks targeting Indian digital infrastructure following the Pahalgam terror incident, the Indian government has directed financial institutions and critical infrastructure sectors to enhance their cybersecurity protocols. These instructions were issued by the Computer Emergency Response Team (CERT-In), according to a source familiar with the development, Moneycontrol reported.

The precautionary push isn’t limited to government networks — private sector entities are also actively reinforcing their systems against potential cyber threats. “We have been extra alert right from the Pahalgam attack, in terms of ensuring cyber security speedily not just by government agencies but also by the private sector,” the source stated.

CERT-In, India’s central agency for cyber defense, has released advisories to banking institutions and other essential sectors, urging them to tighten their digital safeguards. In addition, the government has engaged with organizations like NASSCOM to facilitate a collaborative cyber alert framework.

Recent attacks primarily involved DDoS, or distributed denial-of-service incidents, which overwhelm servers with excessive traffic, rendering websites inaccessible and potentially causing financial damage. Attempts to deface websites — typically for political messaging — were also reported.

This intensified focus on digital defense follows India’s military action against terrorist hideouts in Pakistan, occurring nearly two weeks after the Pahalgam incident, which resulted in the deaths of Indian tourists in Kashmir.

Moneycontrol previously highlighted that cyber surveillance across India's vital digital infrastructure is being ramped up following the Pahalgam attack and the subsequent Operation Sindoor. Critical sectors and strategic installations are under strict scrutiny to ensure adherence to robust cybersecurity practices.

Amid these developments, misinformation remains a parallel concern. Daily takedown requests under Section 69A of the IT Act have surpassed 1,000, as the government works with social media platforms to curb the spread of fake news, the source noted.

Firewalls and VPNs Under Siege as Businesses Report Growing Cyber Intrusions

 


A security researcher has discovered an ongoing cyberattack that exploits a newly discovered vulnerability in Fortinet's FortiGate firewalls to infiltrate corporate and enterprise networks, and the activity has been under way for some time. A security advisory published on Tuesday by Fortinet confirmed the existence of the critical security flaw, tracked as CVE-2024-55591, and indicated that the vulnerability is currently being exploited in the wild.

Nevertheless, cybersecurity experts are voicing their concerns over the possibility that malicious actors are exploiting this flaw as a zero-day vulnerability - a term that refers to a software vulnerability exploited before the vendor is made aware of or has issued a patch for it. According to a report by Fortinet, attackers may have actively targeted this vulnerability since at least December, many months before it was publicly disclosed and patched. 

In particular, organisations that rely heavily on FortiGate firewalls for perimeter defence face a significant threat from exploitation of CVE-2024-55591. Given the vulnerability's criticality, enterprises should apply security updates as soon as possible and examine their systems for any indications of unauthorized access. While zero-day exploits remain a threat, this development also highlights that cybercriminals are increasingly focusing on foundational network infrastructure to gain a foothold in high-value environments.

Virtual private networks (VPNs) have long been regarded as a critical defence mechanism for protecting digital communications against a wide range of cyber threats. By encrypting data in transit, VPNs are effective in neutralising the risks associated with man-in-the-middle attacks, in which unauthorised parties try to intercept or manipulate data while it is in transit. Through this layer of encryption, sensitive data remains secure, even across unsecured networks.

One of the most prominent use cases for VPNs is that they serve the purpose of protecting people using public Wi-Fi networks, which are often vulnerable to unauthorised access. It has been shown that VPNs are significantly less likely to expose or compromise data in such situations because they route traffic through secure tunnels. Additionally, VPNs hide the IP addresses of users, thereby providing greater anonymity to users and reducing the possibility of malicious actors tracking or monitoring them. 

As a result of this concealment, network resources are also protected against distributed denial-of-service (DDoS) attacks, which often use IP addresses as a method of overloading network resources. Even though VPNs have been around for decades, their use today does not suffice as a standalone solution due to the increasingly complex threat landscape that exists in today's society. To ensure comprehensive protection against increasingly sophisticated attack vectors, it is important to integrate their capabilities with more advanced, adaptive cybersecurity measures. 

Conventional security tools such as firewalls and VPNs are increasingly being outpaced as the cybersecurity landscape evolves, because the sophistication and frequency of modern threats have increased significantly over the past few years. Businesses across many industries are experiencing a growing number of breaches and vulnerabilities, and traditional methods are no longer capable of addressing them.

Due to the widespread transition from on-premises infrastructure to remote and digitally distributed work environments, legacy security architectures have become increasingly vulnerable, forcing enterprises to reassess and update their defence strategies. Firewalls and VPNs were once considered to be the cornerstones of enterprise network security; however, in today's increasingly complex threat environment, they are having trouble meeting the demands. 

In the past, these technologies played an important role in securing organisational boundaries, but their limitations are becoming increasingly apparent as organisations transition to cloud-based environments and undergo rapid digital transformation. In 2025, technological advances are expected to change the way industry operations are conducted, for instance through the adoption of generative artificial intelligence, automation, and the proliferation of IoT and OT systems.

These innovations also bring unprecedented risks. For example, malicious actors use artificial intelligence to automate spear-phishing efforts, craft highly evasive malware, and exploit vulnerabilities more quickly and accurately than they could previously. In addition, as Ransomware-as-a-Service (RaaS) is on the rise, the barrier to entry for hackers is dropping, enabling a broader set of threat actors to conduct sophisticated, scalable attacks on businesses. To respond effectively to the complexities of a digitally driven world, organisations must move beyond legacy security tools and adopt proactive, adaptive cybersecurity models that can respond to this dynamic threat environment.

There has been a significant shift in cybersecurity dynamics that has led to a worrying trend: malicious actors are increasingly exploiting Virtual Private Networks (VPNs) as a strategy to gain an advantage over their adversaries. Since VPNs were originally developed as a way to enhance privacy and protect data, they are increasingly being repurposed by cybercriminals to facilitate complex attacks while masking their identity digitally. Because VPNs are dual-purpose devices, they have become instruments of exploitation, which poses a significant challenge for cybersecurity professionals as well as digital forensics teams to deal with. 

One particularly alarming technique involves deliberately exploiting vulnerabilities in VPN software. When attackers identify and target these vulnerabilities, they can bypass perimeter defences, infiltrate secure systems, and deploy malware without being detected.

Frequently, such breaches act as entry points into larger campaigns, such as coordinated phishing campaigns that attempt to trick individuals into revealing confidential information. Further, VPNs are known for the ability to mask the actual IP addresses of threat actors, a technique known as IP address masquerading, which enables them to evade geographical restrictions, mislead investigators, and remain anonymous when they launch cyberattacks.

In addition to enabling adversaries to circumvent firewalls, the encryption and tunnelling that VPNs provide let them penetrate networks that would otherwise resist unauthorised access. VPNs are also often used as a means of spreading malicious software across unreliable networks: carried inside encrypted VPN traffic, malware can bypass traditional detection methods. The shield of anonymity provided by VPNs can also be used by threat actors to impersonate legitimate organisations and initiate phishing campaigns, compromising the privacy and integrity of users.

VPNs can also facilitate the spreading of Distributed Denial-of-Service (DDoS) attacks, which is equally troubling. As these networks are anonymised, it makes it difficult to trace the origin of such attacks, which hinders the development of appropriate response strategies and mitigation strategies. This paradox underscores the complexity of modern cybersecurity, since one security tool can serve both as a tool for cybercrime and a tool for security. 

Even though VPNs remain an important tool to keep users safe and anonymous, their misuse requires a proactive and multifaceted response. To combat this misuse, people need robust technological defences combined with ongoing awareness and education initiatives, which will help us address this misuse effectively. Only through such comprehensive measures can organisations ensure the integrity of VPN technology and ensure trust in the digital privacy infrastructure as long as the technology remains intact. 

Check Point has issued a formal warning regarding the active targeting of its VPN devices as part of an ongoing increase in cyber threats against enterprise infrastructure. The disclosure is a reminder that there is a sustained campaign aimed at compromising remote access technologies and critical network defences. It is the second time in recent months that a major cybersecurity vendor has released such an alert.

In April 2024, Cisco warned organisations about a widespread wave of brute-force attacks against VPN and Secure Shell (SSH) services, likely to affect devices from Cisco, Check Point, SonicWall, Fortinet, and Ubiquiti, among others. The attacks were first observed around March 18, and the attackers used anonymisation tools such as TOR exit nodes and proxy networks to obfuscate their origin and evade detection and block lists.

In March of this year, Cisco had also observed password-spraying attacks against its Secure Firewall appliances running Remote Access VPN (RAVPN) services. According to analysts, this is a reconnaissance phase, likely intended to lay the groundwork for more advanced intrusions to follow. A subsequent analysis by cybersecurity researcher Aaron Martin linked these incidents to a previously undocumented malware botnet dubbed "Brutus".

Over 20,000 IP addresses were found to be associated with this botnet, which operated from both residential and cloud-hosted environments, greatly complicating attribution and mitigation. The threat landscape has been further compounded by Cisco's announcement that a state-sponsored hacker group, known as UAT4356, has been exploiting zero-day vulnerabilities in its Firepower Threat Defence (FTD) and Adaptive Security Appliances.

Known by the codename ArcaneDoor, the cyber-espionage campaign has been ongoing since November 2023, targeting critical infrastructure networks as well as governments around the world. As the frequency and complexity of cyber attacks continue to increase, it is apparent that legacy perimeter defences are no longer adequate.

A layered, intelligence-driven approach to security includes detecting threats in real time, hardening systems continuously, and responding to incidents in a proactive manner. Strengthening cybersecurity resilience, fostering collaboration between public and private sectors, sharing threat intelligence, and providing ongoing training to employees can help organisations remain ahead of their adversaries. The future of secure enterprise operations will be determined by the ability to anticipate, adapt, and remain vigilant in this rapidly evolving digital age.
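
The brute-force and password-spraying activity described above (many anonymised or botnet-hosted sources, each making only a few guesses) is the case that a per-source failure threshold misses. As an added example, not code from Cisco, Check Point or the original post, the following Python runs a per-source check and a per-window spray check over a constructed authentication log; the log format, thresholds, usernames and documentation-range addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed detection window


def build_sample_log():
    """Constructed sample lines: 'ISO-timestamp source-IP username result'.

    Not a real vendor log format; addresses are documentation ranges.
    """
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    # Spray: 12 sources, 24 usernames, one guess per username, 20 s apart.
    for i in range(24):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{10 + i % 12} user{i:02d} FAIL")
    # Ordinary user: three typos, then a successful login from one address.
    for j, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        ts = base + timedelta(minutes=30, seconds=15 * j)
        lines.append(f"{ts.isoformat()} 203.0.113.7 alice {result}")
    return lines


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its tumbling window."""
    return ts - (ts - datetime.min) % window


def per_ip_alerts(events, threshold, window=WINDOW):
    """Classic check: sources with >= threshold failures in one window."""
    counts = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            counts[(window_start(ts, window), ip)] += 1
    return {ip for (_w, ip), n in counts.items() if n >= threshold}


def spray_windows(events, min_users=10, min_sources=5, window=WINDOW):
    """Spray check: windows where failures span many usernames AND many sources.

    Tumbling windows can split an attack across a boundary; a sliding
    window avoids that at the cost of more state.
    """
    users, sources, failures = defaultdict(set), defaultdict(set), defaultdict(int)
    for ts, ip, user, ok in events:
        if ok:
            continue
        w = window_start(ts, window)
        users[w].add(user)
        sources[w].add(ip)
        failures[w] += 1
    hits = []
    for w in sorted(users):
        if len(users[w]) >= min_users and len(sources[w]) >= min_sources:
            hits.append({"window_start": w, "users": len(users[w]),
                         "sources": len(sources[w]), "failures": failures[w]})
    return hits


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    print("per-source, threshold 5:", per_ip_alerts(events, threshold=5))
    print("per-source, threshold 3:", per_ip_alerts(events, threshold=3))
    for hit in spray_windows(events):
        print("spray window:", hit)
```

On this sample, lowering the per-source threshold flags only the user who mistyped a password, while the spray is visible only when failures are aggregated across usernames and sources.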

Investigating the Role of DarkStorm Team in the Recent X Outage

 


It has been reported that Elon Musk’s social media platform, X, formerly known as Twitter, was severely disrupted on Monday after a widespread cyberattack that has caused multiple service disruptions. Data from outage monitoring service Downdetector indicates that at least three significant disruptions were experienced by the platform throughout the day, affecting millions of users around the world. During this time, over 41,000 people around the world, including Europe, North America, the Middle East, and Asia, reported outages. 
 
The most common technical difficulties encountered by users were prolonged connection failures and a lack of ability to fully load the platform. According to a preliminary assessment, it is possible that the disruptions were caused by a coordinated and large-scale cyber attack. While cybersecurity experts are still investigating the extent and origin of the incident, they have pointed to the growing trend of organised cyber-attacks targeting high-profile digital infrastructures, which is of concern. A number of concerns have been raised regarding the security framework of X following the incident, especially since the platform plays a prominent role in global communications and information dissemination. Authorities and independent cybersecurity analysts continue to analyze data logs and attack signatures to identify the perpetrators and to gain a deeper understanding of the attack methodology. An Israeli hacktivist collective known as the Dark Storm Team, a collective of pro-Palestinian hacktivists, has emerged as an important player in the cyberwarfare landscape. Since February 2010, the group has been orchestrating targeted cyberattacks against Israeli entities that are perceived as supportive of Israel. 
 
In addition to being motivated by a combination of political ideology and financial gain, this group is also well known for using aggressive tactics in the form of Distributed Denial-of-Service (DDoS) attacks, database intrusions, and other disruptive cyber attacks on government agencies, public infrastructure, and organizations perceived to be aligned with Israeli interests that have gained widespread attention. 
 
It has been reported that this group is more than just an ideological movement. It is also a cybercrime organization that advertises itself openly through encrypted messaging platforms like Telegram, offering its services to a variety of clients. It is rumored that it sells coordinated DDoS attacks, data breaches, and hacking tools to a wide range of clients as part of its offerings. It is apparent that their operations are sophisticated and resourceful, as they are targeting both vulnerable and well-protected targets. A recent activity on the part of the group suggests that it has escalated both in scale and ambition in the past few months. In February 2024, the Dark Storm Team warned that a cyberattack was imminent, and threatened NATO member states, Israel, as well as countries providing support for Israel. This warning was followed by documented incidents that disrupted critical government and digital infrastructure, which reinforced the capability of the group to address its threats. 
 
According to intelligence reports, Dark Storm has also built ties with pro-Russian cyber collectives, which broadens the scope of its operations and provides it with access to advanced hacking tools. In addition to enhancing their technical reach, this collaboration also signals an alignment of geopolitical interests. 

Among the most prominent incidents attributed to the group is the October 2024 DDoS attack against the online systems of John F Kennedy International Airport. The group justified the attack by citing the airport's perceived support for Israeli policies, showing that it was willing to target essential infrastructure as part of its wider agenda. According to analysts, Dark Storm combines ideological motivations with profit-driven cybercrime, making it an extremely potent and distinctive threat in today's cyber environment.
 
An investigation is currently underway to determine whether the group was involved in the recent service disruptions on X.

To achieve its objectives, the DarkStorm Team uses a range of sophisticated cyber tactics that combine ideological activism with financially motivated cybercrime. Its main methods include Distributed Denial-of-Service (DDoS) attacks, ransomware campaigns, and leaking sensitive information. In addition to disrupting their targets' operations, these activities are designed to advance specific political narratives and generate illicit revenue. To coordinate internally, recruit new members, and share operational updates, the group relies heavily on encrypted communication channels, particularly Telegram. These platforms allow it to operate with a degree of anonymity, which complicates the efforts of law enforcement and cybersecurity firms to track and dismantle its networks.

Along with its direct cyberattacks, DarkStorm actively monetizes stolen data by selling compromised databases, personal information, and hacking tools on the darknet. Although DarkStorm publicly presents itself as a grassroots hacktivist organization, cybersecurity analysts increasingly suspect that the group has covert support from nation-state actors, particularly Russia. This suspicion is driven by several factors, including the complexity and scale of its operations, the strategic choice of its targets, and the degree of technical sophistication evident in its attacks. A number of patterns of activity suggest that such groups are coordinated and well resourced, raising concerns that they may be serving as proxies in broader geopolitical conflicts.
 
The rising threat posed by groups like DarkStorm shows that the cyber warfare landscape is evolving and that ideological, financial, and geopolitical motivations are increasingly intertwined. It has therefore become significantly more challenging for targeted organisations and governments to attribute attacks and defend themselves. Elon Musk's growing involvement in geopolitical affairs adds a further degree of complexity to the narrative around the recent cyberattack that disrupted platform X. Since Russian troops invaded Ukraine in February 2022, Musk has been criticized for publicly mocking Ukrainian President Volodymyr Zelensky and for making remarks considered dismissive of Ukraine's plight. Musk was the first to do this in the current political environment. Musk heads the Department of Government Efficiency (DOGE), an entity created under the Trump administration that has been reducing U.S. federal employment in an unprecedented way since Trump returned to office. The administration's foreign policy stance has changed markedly, signaling a shift away from longstanding U.S. support for Ukraine and an increasingly conciliatory posture toward Russia. Musk's geopolitical entanglement also extends beyond his role at X.
 
A significant portion of Ukraine's digital communication has been maintained during the war thanks to the Starlink satellite internet network, which Musk operates through his aerospace company SpaceX. These intersecting spheres of influence, spanning national security, communication infrastructure, and social media, have come under heightened public scrutiny, particularly as X continues to be a central node in global politics. According to cybersecurity firms examining the technical aspects of the Distributed Denial-of-Service (DDoS) attack, there is little evidence of Ukrainian involvement in the attack.
 
A senior analyst at a leading cybersecurity firm reportedly spoke on condition of anonymity because of restrictions on discussing X publicly. This analyst reported that no significant traffic originated from Ukraine and that the country was absent from the top 20 sources of malicious IPs linked to the attack. Although Ukrainian IP addresses are rarely spotted in such data because of widespread IP spoofing and the global distribution of compromised devices, their absence is significant because it allows attention to be directed to more likely sources, such as organized cybercrime groups and state-related organizations.
 
This incident reflects the fragile state of digital infrastructure in a politically polarized world where geopolitical tensions, corporate influence, and cyberwarfare converge. As investigations continue, experts are concerned that the role of actors such as the DarkStorm Team, and the broader implications for global cybersecurity policy, will continue to be a source of controversy.

DragonForce Asserts Dominance Over RansomHub Ransomware Network

 


DragonForce, a ransomware group reportedly operating in the Middle East and North Africa (MENA) region, is reported to have launched a series of targeted attacks against companies in the Kingdom of Saudi Arabia (KSA) amid escalating cyber threats throughout the region. One of the most significant incidents involved a real estate and construction company based in Riyadh and underscored the group's commitment to pursuing high-value targets within critical sectors.

This development follows a recent increase in the sophistication of cyberattacks targeting major companies and vital infrastructure around the region. The breach demonstrates the increasing capabilities of threat actors such as DragonForce and emphasizes the need for enhanced vigilance and preparedness among cybersecurity professionals and law enforcement agencies in the Kingdom of Saudi Arabia and its surrounding countries.

Experts anticipate that, as the group's tactics continue to prove effective, it will expand geographically beyond MENA. The incident has implications beyond its immediate victims: it is a cautionary marker of the rapidly evolving threat landscape and a warning of the threats that global digital security systems may face in the future.

Cyble, a cybersecurity firm, has confirmed that a threat actor known as DragonForce recently posted a message on the RAMP cybercrime forum announcing a new “project.” The announcement was later mirrored on DragonForce's onion-based data leak site (DLS), marking the beginning of a new operational infrastructure for the group. As part of this initiative, DragonForce launched two new onion domains, both protected by CAPTCHA verification, in line with the group's traditional Tor-based deployment practices.

Interestingly, both of these sites prominently display the branding of RansomHub, a group that specializes in ransomware. It is still unclear whether DragonForce has seized control of RansomHub or has merely infiltrated its systems, but Cyble has observed that RansomHub's onion site has been unavailable since March 31. This prolonged downtime has prompted considerable speculation within the cybersecurity community as to whether DragonForce is planning an acquisition or a hostile takeover of the RansomHub infrastructure.

In addition to this development, DragonForce recently formally announced plans to expand its ransomware-as-a-service operations. As part of this initiative, the group introduced an affiliate-based model in which third-party actors, or “franchisees”, can operate under the DragonForce brand.

As part of the new model, affiliates will reportedly be provided with comprehensive backend support, which includes anti-DDoS defences, advanced encryption protocols, and specialized toolkits that allow them to manage infections across a range of environments, including ESXi, NAS, BSD, and Windows. A significant investment is being made into infrastructure to attract and empower partners, thereby enhancing the group's reach and impact as a whole. This is a deliberate attempt by the group to streamline operations and present a more organized and business-like ransomware platform to victims by including features like encryption status monitoring and persistent communication mechanisms. 

RansomHub's future remains uncertain: it may be fully absorbed under the DragonForce brand or continue to operate independently. Current indicators nonetheless suggest a possible consolidation within the ransomware ecosystem, which may result in increased sophistication and coordination among cybercriminals.

Despite increased competition in the ransomware-as-a-service (RaaS) market, DragonForce is positioning itself as a prominent player by offering its affiliates one of the most attractive commission structures on the dark web. This aggressive profit-sharing model lets partners keep up to 80% of ransom payments successfully extorted from victims, and it is intended to attract skilled cybercriminals and build a loyal, results-driven affiliate network. A key component of DragonForce's communication strategy is TOX, a Tor-based instant messaging platform that serves as the main, secure channel for communicating with both victims and affiliates.

The group's public key is also available on RAMP, an underground forum used by ransomware operators and access brokers, for anyone interested in further securing these exchanges. The group's persistent presence on the platform, including a forum visit traced back to February 24, 2025, indicates a sustained effort to maintain visibility and engagement within this key cybercriminal community. RAMP also serves as a recruitment hub, and advertisements displayed there highlight the DragonForce affiliate network as one of the most reliable networks on the dark web. With support for multiple platforms, including Windows, Linux, and ESXi, the ransomware framework is marketed as a robust system that can deliver consistent payouts while offering extensive back-end support.

The most recent affiliate-related announcements date to January 20, 2025, but the associated PGP encryption key dates back to September 2024, further demonstrating the organization's systematic approach to security. A prior operational leak exposed sensitive affiliate-facing URLs that were used for victim extortion, after which DragonForce underwent significant internal reforms. Among these reforms was a new vetting process that requires prospective affiliates to provide verifiable evidence of victim access, such as data volume metrics and file trees, to establish their eligibility.

This shift was meant to ensure that only committed and capable individuals could be onboarded, improving the organization's operational security and integrity. DragonForce also offers a variety of premium services to vetted affiliates, including call services, which allow direct pressure to be applied to victims, and advanced decryption capabilities that can be used on NTLM and Kerberos hashes. Many of these services are especially useful to access brokers navigating post-compromise stages in complex environments such as Active Directory.

DragonForce ransomware is an independent entity and should not be confused with the Malaysian hacktivist group that operates under the same name. That group is known for defacing websites and launching DDoS attacks, among other things. While the two organizations share a name, they are completely different in their motivations, structures, and methods, and they are not known to be affiliated with each other.

As speculation continues about the nature of a potential alliance between RansomHub and DragonForce, Cyble reports that this latest development closely follows DragonForce's March 18 announcement of a significant expansion of its ransomware-as-a-service (RaaS) operations. As part of this strategic shift, the DragonForce Ransomware Cartel introduced a franchise-style affiliate program under which partners can launch and operate their own ransomware campaigns under the DragonForce Ransomware Cartel umbrella.

This model lets affiliates maintain a high degree of operational independence while still being overseen by a central management team. All participants receive comprehensive backend support, including dedicated admin and client panels, secure data hosting environments, and a resilient, always-on infrastructure protected by anti-DDoS mechanisms that keep the system running smoothly. The structure is designed to balance affiliate autonomy with consistency and control while maintaining the group's overarching operational standards.

Alongside its structural expansion, DragonForce has introduced a series of advanced technical upgrades to its ransomware payloads targeting ESXi, NAS, BSD, and Windows platforms. Several sophisticated features have been added, including real-time encryption tracking, detached execution processes, persistent user interface messages to reinforce ransom demands, and better recovery protocols to reduce disruption. The group also developed a two-pass header protection technique that uses external entropy sources to strengthen the cryptographic robustness of the encryption engine. This technique is integrated with BearSSL AES-CTR encryption.

Cyble points out that these technological and infrastructure advances reflect DragonForce's commitment to scaling its operations with a very high level of professionalism. By creating a more refined, affiliate-focused ransomware ecosystem, the group hopes to attract experienced cybercriminals as collaborators. Over the past year, DragonForce has continued to grow into a more structured and formidable player within the ransomware-as-a-service ecosystem.

Its recent activities also indicate a broader shift in the cybercriminal underground toward increasing sophistication, strategic alliances, and operational maturity. The apparent takeover of, or alignment with, RansomHub, the dramatic advancements in infrastructure and technology, and the emergence of a series of threats highlight the urgent need for cybersecurity stakeholders to reevaluate threat models and strengthen their defensive positions.

The most effective way for organizations, particularly those in critical sectors and high-risk regions, to counter evolving threats is to implement proactive threat intelligence strategies, enforce stringent access controls, and seriously prioritize incident response preparedness. In a digital landscape where adversaries adopt business-like approaches to cause greater impact, only a cohesive and anticipatory security approach can hold up against the rising tide of cyber-extortion, which is becoming more organized and sophisticated by the day.