Meta Expunges Multiple APT, Cybercrime Groups From Facebook, Instagram

The company has removed three APTs and six potentially criminal networks from its platforms who leveraged elaborate campaigns of fake personas and profiles to lure and compromise users.

Image shows an open-mouthed emoji superimposed on lines of code with the Facebook logo underneath it
Source: Danie Chetroni via Alamy Stock Photo

Facebook parent Meta said it thwarted the activity of three advanced persistent threat groups (APTs) in South Asia engaged in cyber espionage as well as six adversarial groups from various global regions engaged in what it deems "inauthentic behavior" on Facebook and other social networks.

The company's takedown of these and other activities on its platforms is indicative of a sea of consistent and globally dispersed exploitative behavior from threat actors to leverage various online platforms to create elaborate social-engineering campaigns to lure and exploit Internet users, the company said.

In most of the cases, threat actors are using Facebook and other social networking and media platforms —including Twitter, Telegram, YouTube, Medium, TikTok, and Blogspot — to create various fake online accounts and personas, according to Meta. The attackers used fake identities, including job recruiters, journalists, or even military personnel, to earn credibility with users and legitimate entities so they could engage in malicious threat activity, the company said.

In its Quarterly Adversarial Threat Report released today, Meta detailed these incidents as well as actions it's now taking to minimize security threats that leverage its platforms.

The report draws from Meta's security monitoring of the use of its platforms, as well as monitoring of the Internet overall in order to flag malicious activity, which is increasingly becoming more dispersed across various platforms and geographies and thus harder to track, Nathaniel Gleicher, head of security policy at Meta, told journalists in a briefing on the report May 2.

"These threats are extremely persistent, and that they're not going anywhere because the threat actors behind them are financially motivated," he said. "That's why we see … adversarial adaptation … including malware operators, spreading themselves across many places at once. So each phase of the campaign relies on a different service to survive."

As part of its work to combat this activity, Meta also plans to empower businesses as well with a new tool it will release later this year to help them identify malicious activity as well as malware being used by the threat groups on their own platforms.

"One of the key pieces to this work is learning from that innovation and improving our security products with each new disruption," Gleicher said. "This helps us build new protections and detection methods, not just against that particular threat actor, but against every other threat actor that's looking to use the same technique."

The persistence of attackers inspired this wider approach to security from Meta, he said. Indeed the company has been criticized and even fined in the past for the widespread threats to both the security and privacy that have propagated across its social media platforms, and has made significant efforts in the past several years to step up its security game.

However, now it's becoming increasingly clear that to prevent this activity and cyberattacks that stem from it, it's not merely enough for Meta and other Internet companies to monitor their own respective platforms and inform users and businesses of malicious activity, Gleicher said.

"We're offering the sort of broader whole-of-society response because compromise often occurs outside of our apps and services," he said.

Stopping South-Asia APTs

As part of its security response, Meta took down various accounts to disrupt three networks associated with South Asian APTs targeting various users in the region, the company said.

Specifically, the company took action against about 120 accounts on Facebook and Instagram linked to a low-sophistication hacking group connected to state-linked actors in Pakistan. The group predominantly targets people in India and Pakistan, including military personnel in India and individuals in the Pakistan Air Force.

The group relied heavily on a Web of attacker-controlled websites to distribute malware through highly targeted campaigns aimed to trick targets into clicking on malicious links and downloading Android or Windows malware, according to Meta.

Among its tactics were to use fictitious personas such as recruiters for fake defense companies and governments; journalists, military personnel, and women looking for romantic connection to build trust with users. They also used fake apps and websites delivering malware, the company said.

Meta also removed about 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that was targeting people in Pakistan, India, including the Kashmir region. Targets included military personnel, government employees, activists, and others.

Bahamut ran various campaigns across the Internet, including link-shortening services, compromised or attacker-controlled websites, official and spoofed app stores, and third-party hosting providers. Like the Pakistani APT, they maintained a range of fictitious personas, with the goal of tricking people in South Asia into providing information or compromising mobile devices, primarily by using Android malware, according to the report.

Meta also targeted another India-based threat group, Patchwork APT, by taking down about 50 accounts on Facebook and Instagram linked to its activity. The group targeted people in Pakistan, India, Bangladesh, Sri Lanka, the Tibet region, and China, including military personnel, activists, and minority groups, the company said.

Like the other APTs, Patchwork also creates and maintains a series of fictitious personas and accounts online, some of which posed as UK- or UAE-based journalists working for both legitimate and fake media outlets, military personnel, or defense intelligence consultants, the company said.

Patchwork also distributed malicious apps on the Google Play Store — which Meta reported and had removed by Google — as well as created socially-engineered campaigns aimed at luring people to click on malicious links and download malicious apps. The group also demonstrated a significant persistence by changing tactics in response to defensive activity of Meta's security teams, the company said.

"This adversarial adaptation has likely increased overhead and reduced the effectiveness of Patchwork's operations," according to the report.

Identities As Cyber Threats

Meta also has reacted to a series of geographically dispersed activity on its platforms that it calls coordinated inauthentic behavior (CIB), defined as  "coordinated efforts to manipulate public debate for a strategic goal, in which fake accounts are central to the operation," the company said.

"In each case, people coordinate with one another and use fake accounts to mislead others about who they are and what they are doing," according to the report.

The company removed hundreds of Facebook accounts, various Pages and Groups, as well as Instagram accounts — depending on the region — for networks of CIBs that originated and operated in the following countries: Iran; Venezuela and the US; Togo and Burkina Faso; Georgia; and China, where two separate networks were disrupted, according to the report.

While the tactics for each group varied, there were trends in their activity, with nearly all of the networks investing in the creation of fake accounts and fictitious entities across the Internet, including news media organizations, hacktivist groups, and NGOs, Meta's Nimmo said.

Moreover, the bulk of the networks that Facebook removed could be legitimate commercial entities, including an IT company in China, a marketing firm in the United States, and a political marketing consultancy in Africa, the company said.

Meta included in its report a broad range of indicators of compromise to help organizations identify malicious activity stemming from these campaigns across their networks. It also will continue to share threat research with peers and security researchers to help companies combat malicious activity aimed at compromising their networks and business activities, the company said.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights