Old-school hacktivism is back because it never went away

Mysterious Team Bangladesh has carried out 846 attacks since June 2022, mostly DDoS


Hacktivism may have dropped off of organization radars over the past few years, but it is now very visibly coming from what is believed to be Bangladesh, thanks to a group tracked by cybersecurity firm Group-IB.

Mysterious Team Bangladesh (MTB) first appeared in 2020, but didn't really get going until mid-2022. The bulk of its activity took place after June 2022 and hit its peak (so far) in May of the same year.

Group-IB found that between June 2022 and July 2023, MTB carried out 846 attacks, of which over 77 percent occurred between February and May 2023. "There are dozens of active hacktivist groups at present," said Group-IB in a Thursday blog post. It called MTB "particularly active, notorious, and highly organized."

Back in 2019, threat intel firm Recorded Future claimed that it was tracking seven active hacktivist groups compared to 28 in 2016. The chaotic protest method seemed to be losing steam.

Recorded Future attributed the drop in part to "a decline in amplifying discussions (e.g. news articles and social media shares) around hacktivism-related cyberattacks."

Group-IB's Threat Intelligence team shared its take on the perceived decline with The Register, saying: "We cannot confidently state that hacktivism is on the decline. In fact, there is usually an uptick in hacktivist activity to accompany geopolitical conflicts or tensions. There is a general trend towards hacktivist groups becoming more localized, taking shots at national or regional-based targets, rather than launching widespread global campaigns."

MTB is driven by religious and political motives, said Group-IB. The hacktivist group's cookie-laden Blogspot-redirected website states that the group is working to protect Bangladesh cyberspace, as well as "removing adult and atheist contents" [sic] from social media.

The group primarily targets government, financial, and transportation sector organizations in India and Israel, but has also hit other countries, notably Senegal, Ethiopia, Australia, Sweden, and the Netherlands.

It prefers to attack countries rather than individual companies in the form of multi-wave campaigns, prioritizing government resources and the websites of banks and financial organizations. Failing those, MTB will mass target domains within the country with which it takes offense.

India in particular has been the subject of MTB attacks. The subcontinent was first hit in June 2022 followed by at least four sub-campaigns.

As for its attack methods, the group leans into old-school hacktivist favorites. Some 84 percent of its attacks are DDoS, 9 percent are website defacement, and a mere 2.6 percent involve database access, according to Group-IB.

MTB relies on open source utilities for conducting DDoS and defacement attacks, and its favorite exploits lie within PHPMyAdmin and WordPress.

Group-IB also clocked that MTB works in a cyclical nature. First the group notices a news event that creates a target out of a specific country. The group attacks that country for on average less than a week, loses interest, and reverts back to attacking its favorites, India and Israel. Group-IB says MTB attacks Israel for actions against Palestinian people; and India for abusing Muslim prophet Muhammad, according to its Everybody Wiki page.

MTB certainly hasn't been acting surreptitiously. In addition to a website and an Everybody Wiki page, it also maintains accounts with the website formerly known as Twitter, Facebook, YouTube, Instagram, LinkedIn, Medium, Telegram, and drumroll please… Pinterest. At this point, it wouldn't be surprising to find out the cybergroup had merch.

"Unlike traditional cybercriminals or nation-state threat actors who try to remain unnoticed, hacktivists aim to draw as much attention to their cause as possible, be it political, religious, or both," explained Group-IB.

The hacktivists also appear to align themselves with Anonymous. MTB posts Anonymous's tagline on many of its socials and frequently retweets groups claiming to be the famous hacker collective. Mysterious Team Bangladesh, however, stops short of using Anonymous branding, such as its logo or a Guy Fawkes mask.

Whether an entity using the name and iconography of Anonymous (EUTNAIOA) or not, Group-IB doesn't think MTB is going away anytime soon.

"We assume that the group will expand its operations further in 2023. They will likely intensify their attacks in Europe, Asia-Pacific, and the Middle East, and expect that they will continue to have a particular focus on financial companies and government entities," said the cybersecurity firm. ®
