Three different threat actors leveraged hundreds of fictitious personas crafted on Facebook and Instagram to target individuals located in South Asia as part of separate attacks.
“Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware, or sharing personal information over the Internet,” said Guy Rosen, Meta’s chief information security officer. “This investment in social engineering meant that these threat actors didn’t have to invest as much on the malware side.”
The fake accounts, in addition to using traditional lures such as women looking for a romantic connection, posed as recruiters, journalists or military personnel.
At least two of the cyber espionage efforts involved the use of low-sophistication malware with reduced capabilities, likely in an attempt to bypass app verification checks established by Apple and Google.
One of the groups that came under Meta’s radar is a Pakistan-based advanced persistent threat (APT) group that relied on a network of 120 Facebook and Instagram accounts, along with rogue apps and websites, to infect military personnel in India and in the Pakistan Air Force with GravityRAT disguised as cloud storage and entertainment applications.
The tech giant also removed around 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that targeted activists, government employees and military personnel in India and Pakistan with Android malware published on the Google Play Store. The apps, which posed as secure chat or VPN apps, have since been removed.
Finally, it took down 50 accounts on Facebook and Instagram linked to an India-based threat actor called Patchwork, which leveraged malicious apps uploaded to the Play Store to collect data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet and China.
Meta also disrupted six adversarial networks from the U.S., Venezuela, Iran, China, Georgia, Burkina Faso and Togo that engaged in what it calls “coordinated inauthentic behavior” on Facebook and on other platforms such as Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit and WordPress.
All of these geographically dispersed networks are said to have created fictitious media outlets, hacktivist groups and NGOs to build credibility. Three of them were linked, respectively, to a U.S.-based marketing firm called Predictvia, a political marketing consultancy in Togo known as Groupe Panafricain pour le Commerce et l’Investissement (GPCI), and the Department of Strategic Communications of Georgia.
Two networks originating in China operated dozens of fraudulent accounts, pages and groups on Facebook and Instagram to target users in India, Tibet, Taiwan, Japan and the Uighur community.
In both cases, Meta said it removed the activity before it could “build an audience” on its services, adding that it found links connecting one of the networks to individuals associated with a Chinese IT company called Xi’an Tianwendian Network Technology.
The Iranian network, according to the social media giant, focused mainly on Israel, Bahrain and France, corroborating an earlier Microsoft assessment of Iran’s involvement in the January 2023 hack of the French satirical magazine Charlie Hebdo.
“The people behind this network used fake accounts to post, like and share their own content to make it appear more popular than it was, as well as to manage pages and groups masquerading as hacktivist teams,” Meta said. “They also liked and shared other people’s posts on cybersecurity topics, which likely makes the fake accounts appear more credible.”
The disclosure also coincides with a new Microsoft report, which found that Iranian state-aligned actors have, since June 2022, increasingly relied on cyber-enabled influence operations to “boost, exaggerate, or compensate for a lack of network access or cyberattack capabilities.”
Redmond has linked the Iranian government to 24 such operations in 2022, up from seven in 2021, including those run under personas tracked as Moses Staff, Homeland Justice, Abraham’s Axe, Holy Souls and DarkBit. Seventeen of the operations have been carried out since June 2022.
The Windows maker further said it observed “several Iranian actors attempting to use mass SMS messages in three cases during the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-enabled influence operations.”
The shift in tactics is also marked by the rapid exploitation of known security flaws, the use of compromised victim websites for command and control, and the adoption of custom implants to evade detection and steal information from victims.
The operations, which have singled out Israel and the U.S. in retaliation for allegedly fomenting unrest in the country, have sought to bolster Palestinian resistance, instigate unrest in Bahrain and counter the normalization of Arab-Israeli relations.
Ikaroa, a full-stack tech company, has uncovered a large-scale cyber espionage operation directed against South Asian countries. What makes this discovery more alarming is that the operations are being conducted through social media platforms. The attackers appear to have refined their techniques to the point that they can infiltrate the social media networks of multiple nations and exfiltrate data from them by intercepting messages, images and other digital content.
The malicious actors use phishing to gain access to accounts and networks, then use that access to steal confidential information and sensitive data. In some cases, they are also able to manipulate social media interactions to spread propaganda and sway public opinion.
Ikaroa has been closely monitoring the situation and has proposed steps to mitigate the risk from such cyber espionage activity, including providing comprehensive technical support to affected parties and conducting threat intelligence work to trace the origins of the attacks.
These cyber espionage operations are a serious security threat to South Asia and could lead to large-scale data loss and reputational damage for the targeted countries. We urge all countries to take urgent steps to counter the threat and to build robust systems to protect their citizens.