Meta has claimed it disrupted two cross-platform cyber espionage campaigns targeted at Facebook, which aimed to deliver malware via online platforms.
The company made the announcement after publishing Meta's quarterly Adversarial Threat Report, Second Quarter 2022, last week.
Ben Nimmo, Meta's global threat intelligence lead, and David Agranovich, director of global threat disruption, confirmed the company had disrupted the operations of two hacker groups targeting Facebook in cyber espionage campaigns after it noticed multiple policy violations worldwide by the two groups, both of which operated out of South Asia.
The first group has been identified as Bitter APT aka T-APT-17. Active since 2013, this group was disrupted in the 2nd quarter of 2022, targeting organisations in the engineering, energy, and government sectors.
The second group is APT36, which is known for delivering Crimson RAT, and it had been targeting people in India, Pakistan, Afghanistan, UAE, and Saudi Arabia. Primary victims included government and military officials, human rights employees, and people associated with non-profit organisations.
According to Meta's investigation team, the activities of APT36, which is also known as Earth Karkaddan, are connected to Pakistan-based state-linked actors.
To target people online, Bitter APT used a number of malicious tactics including social engineering. The cyber actors also used different strategies to distribute malware, such as link-shortening services, infected websites, malicious domains, and third-party hosting service providers.
A similar pattern was observed with APT36, whose TTPs (tactics, techniques, and procedures) were low in sophistication but persistent. Email providers, social media, and file-hosting services were the platforms it abused.
According to Meta, the hacker groups were focused on targeting people in India, Pakistan, New Zealand, and the United Kingdom. While the hacking gangs had low operational security and sophistication, both were well-resourced and persistent.
The hackers used fake personas, posing as journalists, young women, and activists to establish connections online and gain a victim's trust, before luring the victim into downloading malware.
The Meta researchers also discovered Bitter APT had been using a combination of social engineering, adversarial adaptation, Android malware dubbed by Meta as Dracarys, and an iOS application.
"As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also Trojanised (non-official) versions of WhatsApp, WeChat, and YouTube with another commodity malware family known as Mobzsar or CapraSpy," Meta wrote in the report.
Bitter APT deployed a chat application for iOS, which the group distributed through Apple's TestFlight service. However, there is no evidence indicating whether the application was merely a social-engineering lure or actually contained malware.
The group also used the Dracarys Android malware, which abuses Android accessibility services to carry out malicious activities on infected devices. The malware was embedded in unofficial versions of Telegram, Signal, WhatsApp, and YouTube. It collected device data, messages, call logs, user files, contacts, and location data, and was also capable of taking photos, installing apps, and activating the microphone.
"This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities," Meta said.
These low-cost tools have been designed to require less technical expertise to deploy, but yield results for the attackers.
"It democratises access to hacking and surveillance capabilities as the barrier to entry becomes lower. It also allows these groups to hide in the ‘noise’ and gain plausible deniability when being scrutinised by security researchers," Meta added.
While Meta has mitigated these security incidents in this instance, users should still be vigilant of social media security threats and take preventative steps to protect their data.