Meta, the parent company of Facebook, Instagram, and WhatsApp, is fighting back against two cyber-espionage operations, one of them targeting military and government officials in the Middle East.
In recent months, Meta took down accounts, blocked the groups’ domain infrastructure from being shared on its services, and notified people it believes were targeted by the espionage operations, the company said in its recent quarterly threat report. Meta also shared information about the groups with security researchers and other internet companies, the company said.
Both groups operate out of South Asia, Meta said. One is Bitter APT, which targets people in India, New Zealand, Pakistan, and the United Kingdom.
The second is APT36, which some security researchers connect to the government of Pakistan. This espionage group targeted people in Afghanistan, India, Pakistan, Saudi Arabia, and the United Arab Emirates, including military and government officials, employees of human rights and other nonprofit organizations, and students.
While both groups’ methods were “relatively low in sophistication,” they were persistent, Meta security researchers wrote. Both used social engineering techniques to convince people to install malware on their computers or smartphones.
APT36 used unofficial versions of WhatsApp, WeChat, and YouTube to deliver malware that can read call logs, contacts, files, text messages, geolocation, device information, and photos, and that can switch on the device’s microphone, Meta said.
The group also set up fake websites and spoofed the domains of the Google Play Store, Microsoft’s OneDrive, and Google Drive to deliver malware.
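Spoofed download domains of the kind described above are usually close imitations of the genuine hostname: a homoglyph swap, a transposed letter, or the real brand name buried inside an unrelated domain. The following Python script is an illustration added here, not code from Meta’s report or from the article; it shows the sort of lookalike check a defender might run over URLs pulled from mail or proxy logs. The allowlist of genuine hosts, the homoglyph table, the brand-word list, the naive last-two-labels rule for the registrable domain, and the one-edit threshold are all assumptions chosen for the example, and the sample URLs are constructed.

```python
"""Flag hostnames that impersonate legitimate software-download sites.

Added example: heuristic lookalike-domain check. Everything below is an
assumption for illustration: the allowlist, the homoglyph table, the naive
registrable-domain rule (last two labels, no public-suffix list) and the
edit-distance threshold.
"""
from urllib.parse import urlsplit

# Allowlist of genuine hosts (assumed for the example).
LEGIT_HOSTS = {"play.google.com", "drive.google.com", "onedrive.live.com"}

# Brand words that should not appear inside an unrelated domain (assumed).
BRAND_TOKENS = {"google", "onedrive"}

# Visual substitutions commonly used in spoofed names, applied in order.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common homoglyphs so 'g00gle' compares equal to 'google'."""
    s = label.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition, so 'googel' -> 'google' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. A real deployment would
    consult the public suffix list (e.g. 'co.uk'); this is an assumption."""
    return ".".join(host.split(".")[-2:])


def classify(url_or_host: str) -> str:
    """Return 'legitimate', 'lookalike', 'unrelated' or 'invalid'."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = urlsplit(target).hostname  # urlsplit lowercases the hostname
    if not host:
        return "invalid"
    host = host.rstrip(".")

    # Same registrable domain as an allowlisted host: any subdomain counts.
    if registrable(host) in {registrable(h) for h in LEGIT_HOSTS}:
        return "legitimate"

    # 1. Whole host within one edit of a genuine host after homoglyph folding
    #    (catches onedrive.1ive.com and drive.googIe.com).
    folded = normalize(host)
    if any(edit_distance(folded, normalize(legit)) <= 1 for legit in LEGIT_HOSTS):
        return "lookalike"

    # 2. A brand word used as a label or hyphen-separated piece of an unrelated
    #    name (catches play.google.com.apk-mirror.net and g00gle-drive.com).
    pieces = set()
    for label in host.split("."):
        pieces.update(normalize(label).split("-"))
    if pieces & BRAND_TOKENS:
        return "lookalike"

    # 3. Second-level label within one edit of a brand word
    #    (catches plain typosquats such as googel.com).
    sld = normalize(registrable(host).split(".")[0])
    if any(edit_distance(sld, token) <= 1 for token in BRAND_TOKENS):
        return "lookalike"

    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the report.
    for u in ["https://play.google.com/store/apps",
              "https://play.google.com.apk-mirror.net/app.apk",
              "http://g00gle-drive.com/setup.apk",
              "https://onedrive.1ive.com/",
              "https://googel.com/",
              "https://example.org/downloads"]:
        print(f"{classify(u):11s} {u}")
```

Running the script prints one verdict per sample URL. The three rules are deliberately cheap and will produce false positives on generic words, so in practice they are a triage filter ahead of reputation lookups, not a blocklist on their own; a production version would also decode punycode (`xn--`) labels before folding and use the public suffix list instead of the last-two-labels shortcut.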
Both groups have been operating since about 2013, noted Mark Vaitzman, threat lab team leader at Deep Instinct, a cybersecurity provider. APT36 has in the past targeted the Indian military, Pakistani activists, and the Indian medical industry, he told the Washington Examiner.
Meanwhile, in July, Bitter APT targeted military facilities in Bangladesh with sustained cyberattacks. It also has targeted China, Pakistan, and Saudi Arabia, Vaitzman said.
Several cybersecurity experts applauded Meta’s actions, saying the two groups present a significant threat to targeted people.
“The campaigns of the two groups, though not very sophisticated, are massive in scale and impact,” said Deepanjli Paulraj, cybersecurity information and analytics lead at CloudSEK, a contextual AI company focused on predicting cyber threats. “The groups don’t create fake social media accounts and immediately target their victims; that would be suspicious and easy to flag. Instead, they play the long con.”
These groups create fake personas and impersonate famous people or attractive women, Paulraj told the Washington Examiner.
“This tactic allows victims to let their guards down and open [or] click on anything the threat actors share via social media or email,” Paulraj added. “Long-term social engineering ensures that their success rate is high, and hence more dangerous than phishing emails from unknown sources.”
These espionage campaigns can be used to collect sensitive information on targeted nations, which then can be “weaponized” and used to launch attacks on critical infrastructure or steal intellectual property, she added.
Even though the two groups are often targeting individuals with social engineering campaigns, the data breaches can be “very severe,” added Syed Kaptan, director of North America threat intelligence engineering at ThreatQuotient, a cyber threat detection and response provider.
“There is no limit to the extent of information that can be extracted from both public and private sector employees using social engineering techniques,” he told the Washington Examiner. With many people bringing their own devices to workplace networks, “the severity of exfiltrating data such as a text message or an email that contains an authorization code to log into an enterprise or government system can lead to a huge security breach.”
Kaptan praised Meta’s response to the espionage campaigns. “Containing the breach to avoid further harm, making your users aware, and arming your peers and researchers with the information are the correct steps to take,” he said.