In most cases, cybercriminals attempt to leave as few traces and details about their origin as possible. However, there is one exception: hacktivists. Unlike traditional cybercriminals or nation-state threat actors who try to remain unnoticed, hacktivists aim to draw as much attention to their cause as possible, be it political, religious, or both.
The threat of hacktivism is often underestimated. Hacktivists frequently target critical infrastructure facilities, telecom companies, financial institutions, and governmental organizations. Unlike ransomware threat actors, hacktivists do not engage in negotiations. Their actions are intended to disrupt critical systems, leading to potentially massive monetary and reputational losses for affected organizations.
Modern hacktivists possess a comparable level of sophistication as financially motivated threat actors, and they can have a similar impact. The wide availability of malware allows them to not only carry out massive DDoS attacks but also full-scale data breaches. Furthermore, modern hacktivist groups collaborate in large collectives and exhibit a higher level of organization.
As Group-IB experts noted in the Hi-Tech Crime Trends report 2022/2023, global geopolitical conflicts, like the one we are currently witnessing, serve as catalysts for hacktivist activities. There are dozens of active hacktivist groups at present. However, one of them has been particularly active, notorious, and highly organized.
Mysterious Team Bangladesh emerged in 2020 but only began to garner worldwide attention in 2022 after a series of cyber raids against high-level targets in India, Israel, and other countries. This hacktivist collective has been primarily targeting government, financial, and transportation sector organizations with a strong focus on India. Since June 2022, Mysterious Team Bangladesh has carried out more than 750 DDoS attacks and 78 website defacements. Additionally, it is believed that in some cases the group was also able to gain access to web servers and administrative panels, presumably using exploits for widely known vulnerabilities or common/default passwords for admin accounts.
In this report, the Group-IB Threat Intelligence unit analyzed the activities of Mysterious Team Bangladesh. Group-IB’s experts analyzed the gang’s history, frequency of their attacks, geographical and sectoral distribution of their targets, identified its allied hacktivist groups, and examined all of the group’s channels where its members post information about their victims and upcoming attacks.
The blog covers the gang’s tactics and tools that Mysterious Team Bangladesh uses, as well as further insights that will help corporate cybersecurity teams and threat intelligence experts to better understand and track the gang’s operations more effectively.
- Mysterious Team Bangladesh carried out over 750 DDoS and 70+ website defacements within a year.
- Group members allege that the gang was created in 2020, although the bulk of their activity has taken place since June 2022.
- The group most frequently attacks logistics, government, and financial sector organizations in India and Israel.
- The group is primarily driven by religious and political motives.
- The gang initiates multi-wave campaigns focused on specific countries rather than individual companies.
- Before conducting a full-scale attack the group carries out a short “test attack” to check their targets’ resistance to DDoS attacks
- The hacktivist group most often exploits vulnerable versions of PHPMyAdmin and WordPress.
- Mysterious Team Bangladesh relies on open-source utilities for conducting DDoS and defacement attacks.
- A Telegram user under the nickname D4RK_TSN is believed to be the founder of Mysterious Team Bangladesh
General information about the group
Mysterious Team Bangladesh was founded by a threat actor who goes by D4RK TSN, according to the EverybodyWiki page which was created by the user with the same nickname:
The page was edited by the same user over 20 times. The most recent edit was made D4RK TSN on August 31, 2022:
The profile’s creation date also correlates with the registration data of www.mysteriousteambd.online, which is believed to be the group’s personal blog where they occasionally post information about their attacks. According to the information from the site, the group was founded in 2020.
Although two of the group’s resources claim it was formed in 2020, there is no concrete evidence of any activity between 2020 and 2022. The group’s EverybodyWiki page was only created in 2022, and the domain name www.mysteriousteambd.online was registered in 2022, according to WHOIS data. One possibility could be that the group operated under a different name in the past and later underwent a rebranding.
Group-IB researchers identified multiple social media channels, managed by Mysterious Team Bangladesh:
|Backup blog currently used to redirect traffic||http://mysteriousteam0.blogspot.com/|
The following emails are associated with Mysterious Team Bangladesh’s social media pages:
|mysteriousteam0@cyberservices[.]com||Mentioned on the group’s website|
|mysteriousteam0@gmail[.]com||Discovered based on nickname similarities.
The specified mailbox name completely repeats the nickname used by the group in the Telegram
The group’s Telegram channel has been active since June 2022 and remains the most comprehensive source of Mysterious Team Bangladesh’s past and upcoming attacks:
To better understand the nature, geography, and frequency of the group’s attacks as well as to identify their victims, Group-IB’s Threat Intelligence unit analyzed the activity in this Telegram channel.
An analysis of the messages posted on the channel revealed that the members of the group most likely align themselves with Bangladesh. As such, on August 30, 2022, the group published materials related to the conflict on the border of Myanmar and Bangladesh:
Later, on December 15, 2022, the group posted a message in celebration of Bangladesh’s Victory Day, which further indicates their connection to the country.
Mysterious Team Bangladesh is primarily driven by religious and political motives. The religious element stands out among others. A prime example is a recent campaign targeting multiple organizations in Sweden, potentially triggered by the incident involving the burning of the Quran.
Similarly, a campaign launched against Australian organizations may have stemmed from the use of the Arabic word for “God” in the fashion show’s clothing designs in Melbourne, according to messages posted on the group’s Telegram channel:
Below are screenshots from the Telegram channel of Mysterious Team Bangladesh which provide information about other religious-driven attacks of the group:
Victims, geography, and frequency of attacks
Based on data collected from the gang’s Telegram channel, Group-IB compiled an activity timeline of attacks carried out by Mysterious Team Bangladesh between June 2022 and July 2023.
As can be seen from the graph above, the group’s activity reached its peak in May 2023, when Mysterious Team Bangladesh announced a large-scale campaign against India.
It is in India where the group carried out the majority of its attacks between June 2022 and September 2023. The very first attack against India carried out by the Mysterious Team Bangladesh hacktivist group took place on June 22, 2022. Since then, the group has launched at least four sub-campaigns aimed at India.
Based on our findings collected from the group’s Telegram channel, we assume that there is a particular pattern in the gang’s attacks. The cycle begins with the group noticing a news event, which becomes a trigger for launching a “thematic” campaign against a specific country. On average, such campaigns do not last longer than a week. After that the group typically loses interest in the targeted country and reverts to its typical targets: India and Israel.
In general, the gang focuses on specific countries rather than individual companies or sectors. Based on the group’s activity in their Telegram channel, we assume that before the actual attack, the members of Mysterious Team Bangladesh conduct a short-term low impact DDoS attack in order to test the resilience of their targets:
The group shows a preference for targeting government resources and the websites of banks and financial organizations. However, if the group is unable to find a victim within these sectors, they try to massively exploit domains within the targeted country’s domain zone.
Types of attacks
DDoS and defacement attacks are the most common for Mysterious Team Bangladesh. Between June 2022 and July 2023, the gang carried out 770 DDoS attacks and 78 website defacements.
However, in some cases the attackers exfiltrated data from targeted organizations – some files with the .sql extension published in the group’s Telegram channel were identified by Group-IB researchers. Presumably, Mysterious Team Bangladesh used a toolkit for sql injections:
One of the pages defaced by Mysterious Team Bangladesh in June 2022 can be seen below:
Mysterious Team Bangladesh can quickly launch attacks against a large number of targets, meaning that it can also be assumed that the group has scripts for the mass exploitation of websites. These scripts likely target websites using the same frameworks or server software versions.
Tools and Tactics
In general, based on the analysis of the discovered victims, it is reasonable to assume that the group prioritizes victims that use widely deployed and outdated services, such as PHPMyAdmin (a software for MySQL database management) and WordPress (a website content management system).
The use of PHP may involve PHPMyAdmin, both frameworks are quite common and have a large number of known exploits, which underlines the importance of timely software updates.
According to a report by Network Intelligence, Mysterious Team Bangladesh could use the”./404FOUND.MY” utility, which originally was developed by a DragonForce Malaysia hacktivist group, according to another report by CloudSec:
According to the CloudSEK report that analyzes one of the group’s campaigns, Mysterious Team Bangladesh uses the following utilities:
- Raven-Storm toolkit
All of the abovementioned utilities are open source and are widely available. The group most likely uses them to carry out DDoS attacks at different network layers: Layer 3, Layer 4, and Layer 7. It means that the group is capable of carrying out DDoS attacks directed at individual servers, as well as executing DNS amplification attacks that exploit the behavior of certain DNS servers to generate a large volume of traffic directed towards a victim’s network.
Members of Mysterious Team Bangladesh
During the analysis of the gang’s Telegram channel, Group-IB researchers encountered several unique nicknames appearing to belong to members of the group. The founder and the leader of the group, D4RK_TSN, is the most active member.
OSINT analysis of the discovered group’s resources revealed the following Pinterest profile:
According to the cached version of the web page, the profile used to have the following URL “https://www.pinterest.com/jisan417/”, which now redirects to “https://www.pinterest.com/D4RKTSN/”. The page is believed to be related to the leader of the Mysterious Team Bangladesh.
Thus, it can be assumed that jisan417 is one of the D4RK_TSN’s aliases.
The Pinterest profile also contains a link to a blogspot.com resource (http://mysteriousteam0.blogspot.com/), which redirects users to the group’s main site (https://www.mysteriousteambd.online/).
The messages found in the group’s Telegram channel have a similar structure: in most cases, the “message header” shortly describes the target of the attack, followed by the list of nicknames or names of allied hacktivist collectives involved in the campaign. Also, the group was seen reposting the messages of allied hacktivist groups:
Group-IB identified other alleged members of Mysterious Team Bangladesh who occasionally take part in the attacks with the following usernames:
- Hacktivist Of Garuda
- Unknown69 Hacktivist
- D4RK TSN
- S1l3t K1ll3r
- Cyb3r Pr0t3ct0r
- C0MM4ND3R P3T3R
- M1r4 V41
- JUST1N CL4RK
- $H4M B4BU
- D10S B0y
Likewise, an analysis of messages reposted by the channel allowed us to identify the list of collectives Mysterious Team Bangladesh likely supports or cooperates with:
- Khalifah Cyber Crew
- 4 EXPLOITATION
- 177 Members Team
- 1915 Team
- 1919 Team
- DragonForce Malaysia
- EAGLE CYBER CREW
- GANOSEC TEAM
- Ghost Clan
- GHOSTS of Palestine
- Hacktivist Indonesia
- Localhost Malaysia
- VulzSec Team
- TEAM HEROX
As of July 2023, Mysterious Team Bangladesh continues to be highly active, targeting mainly India and Israel. However, the attackers have recently launched campaigns against organizations in Senegal, Ethiopia, Australia, Sweden, the Netherlands, and other countries.
We assume that the group will expand its operations further in 2023. They will likely intensify their attacks in Europe, Asia-Pacific, and the Middle East, and expect that they will continue to have a particular focus on financial companies and government entities.
The renaissance of hacktivism across the globe may have its roots in the ongoing geopolitical conflict, during which hacktivists have carried out multiple campaigns. As can be seen, modern hacktivist groups are less motivated by any ideology but strive to develop their own brand and recognition in order to subsequently monetize their information resources through the sale of advertising.
The risk of hacktivism should be mapped and properly mitigated as part of threat intelligence programs of political, government, and some private sector organizations that may become targets of hacktivists.
Recommendations for organizations:
- Deploy load balancers to distribute traffic.
- Configure firewalls and routers to filter and block suspicious traffic.
- Utilize content delivery networks (CDNs) to distribute traffic.
- Regularly update web-server backend software to prevent exploitation with common CVEs.
- Use Group-IB’s Threat Intelligence to obtain up-to-date information about hacktivist groups’ TTPs and their upcoming attacks. Our tailored threat intelligence provides organizations with contextual information about their specific threat landscape and relevant risks. Through customized reports and notifications, businesses receive comprehensive insights, moving away from generic threat bulletins and ultimately improving the time and efficiency in risk mitigation.