Pakistani hackers lure Afghan officials with fake profiles on Facebook

A Pakistani hacking group has targeted Facebook users connected to the previous Afghan government, military, and law enforcement agencies in Kabul with attacks focused on cyberespionage, the social media company recently said.

The hacking group, known as SideCopy, ramped up a “well-resourced and persistent” cyberespionage operation targeting members of the former Afghan government between April and August, Facebook said in a blog post. The group’s attacks included links to malicious websites hosting malware, said Facebook, which recently changed its name to Meta.

SideCopy, also accused of targeting military officials in India in the past, used several methods to trick targeted Facebook users into downloading malware. It created fictitious Facebook users — typically young women — and used them as potential romantic partners to trick users into clicking on phishing links or downloading malicious chat applications.

In addition, the hacking group operated fake app stores and compromised legitimate websites to host malicious phishing pages to manipulate people into giving up their Facebook credentials.

SideCopy also attempted to trick people into installing chat apps loaded with malware, some of them posing as legitimate chat apps. In some cases, these malware-loaded apps worked as chat applications.

Apparently, posing as young women looking for someone to chat with is still an effective hacking technique, some cybersecurity experts said.

“Although Facebook is very good at identifying the common hallmarks of a fake profile, there is a sort of arms race going on between Facebook and well-funded adversarial groups who have the time and experience to craft plausible people,” said Sam Dawson, a cybersecurity researcher at ProPrivacy, a cybersecurity advice website.

In many cases, Facebook appears to be catching these bots after hackers already put them into operation, he told the Washington Examiner. “Given the highly targeted nature of previous SideCopy malware campaigns … the use of highly attractive women and dating apps as honeypots can only be taken as a deliberate attempt at compromising officials at moments when their guard is lowered,” he said.

The hacking group distributed two types of malware. PJobRAT is spyware disguised as a dating app or an instant messaging app and collects information such as contacts, SMS texts, and GPS data. A second malware strain, dubbed Mayhem, also retrieves victims’ contact lists, text messages, call logs, location information, media files, and general device metadata.

Facebook said it removed the hacking group from its services and rolled out several security measures to protect its users in Afghanistan, including a one-click tool allowing users to lock their accounts. “Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement, and researchers, and alert those who we believe were targeted,” the company said in its blog post.

Some cybersecurity experts suggested that SideCopy’s ultimate goal is to advance Pakistan’s interests by targeting nearby rival governments or assisting the Taliban in Afghanistan.

“Given that Pakistan has a long history of support for the Taliban … it would seem prudent to assume this is the work of a Pakistani faction that is interested in fortifying the Taliban’s presence in Afghanistan by supplying them with the personal details of members of the former government,” said ProPrivacy’s Dawson.

SideCopy seems to have a particular interest in exploiting enemies of Pakistan, added Stephen Curry, CEO at CocoSign, a secure electronic signature vendor. “With the previous records of this hacking group, SideCopy is keeping the tabs on their nation’s nemesis,” he told the Washington Examiner.

In the same blog post detailing its efforts against SideCopy, Facebook also described its work against three hacker groups with links to the government in Syria.
