Meta Takes Action Against Cyber Espionage Operations Targeting Facebook in South Asia

  • Meta said it took action against two cyber espionage operations in South Asia: Bitter APT and APT36, respectively.

    The company made the announcement in its Quarterly Adversarial Threat Report, Second Quarter 2022, which it published last Thursday.

    In the report, Ben Nimmo, global threat intelligence lead, and David Agranovich, director of threat disruption, provided insight into the risks Meta saw worldwide and across multiple policy violations, particularly those perpetrated by those two hacking groups.

    “We took action against a group of hackers — known in the security industry as Bitter APT — that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom,” read the report.

    In regard to this operation, Meta said that while the group was relatively low in sophistication and operational security, it was persistent and well-resourced.

    “Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware.”

    The group would have used various link-shortening services, malicious domains, compromised websites and third-party hosting providers to distribute their malware.

    In terms of tactics, techniques, and procedures (TTPs), Bitter would have used a mix of social engineering, an iOS application, an Android malware Meta called Dracarys, and adversarial adaptation.

    As for Meta’s action against APT36, the company said its investigation connected this activity to state-linked actors in Pakistan.

    “[The group] targeted people in Afghanistan, India, Pakistan, UAE and Saudi Arabia, including military personnel, government officials, employees of human rights and other non-profit organizations and students.”

    Just like Bitter APT, Meta said APT36’s TTP were relatively low in sophistication. However, the group was persistent and targeted several services across the internet, including email providers, file-hosting services and social media.

    “This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities,” Meta wrote.

    “As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.”

    According to Meta, these low-cost tools require less technical expertise to deploy, yet yield results for the attackers nonetheless.

    “It democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower. It also allows these groups to hide in the ‘noise’ and gain plausible deniability when being scrutinized by security researchers.”