This May, Meta released its first quarter Adversarial Threat Report sharing insights into malware threats, coordinated inauthentic behavior known as CIB, cyber espionage, and more. In the report, it further explained that beyond sharing its analysis and research, it is also publishing threat indicators to help the cybersecurity community in detecting and countering malicious activity in other places on the internet.
Highlighted in the report was Meta’s takedown of six networks for coordinated inauthentic behavior (CIB) and three cyber espionage operations. Here we’re sharing some of the findings.
South Asia Cyber Espionage
Meta acted against three cyber espionage operations in South Asia. They found that one had connections to a group of hackers known as Bahamut APT, another to Patchwork APT, and one was connected to state-linked threat actors in Pakistan.
The tactics showcased by these threat groups included:
- Diverse social engineering tactics
These APTs depended on social engineering, creating fake accounts that were diverse and elaborate fictitious personas. These personas helped them to withstand scrutiny from their targeted platforms and security researchers.
- Continued reliance on low-sophistication malware
Combined with social engineering, low-sophistication malware proved effective, and it kept the malicious capabilities that had to be built into these applications to a minimum.
- Impact of public disruptions and threat reporting
Disruptions and public reporting by the security community forced the APTs to invest more in hiding their operations, which lowered their effectiveness.
Meta removed a total of 478 fake Facebook accounts that included:
- Pakistan APT – 120
- Bahamut APT – 110
- Iran – 40
- China – 50
- Togo & Burkina Faso – 134
- Venezuela – 24
Additionally, they removed Facebook pages, groups, and related Instagram accounts.
Covert Influence Operations Takedown
Meta took down six separate covert influence operations that had origins in Venezuela, the US, Iran, Burkina Faso, Georgia, China, and Togo for violations against Meta’s CIB policy.
Meta sees CIB as a coordinated effort to manipulate public opinion with a set goal where fake accounts play a pivotal role. Its investigations into the activity revealed:
- Creation of fake entities
Fictitious entities were created in nearly all operations. These included: news media organizations, NGOs, and hacktivist groups that helped build credibility. The operations used many social platforms such as Twitter, Facebook, Telegram, YouTube, TikTok, Medium, Reddit, Blogspot, WordPress, Freelancer[.]com, their own websites, and hacking forums.
- Iranian fake hacktivists
The Iranian operation claimed to have hacked organizations in Bahrain, Israel, and France, including government entities. Media outlets in some of these countries reported on the claims, but it has not been confirmed whether they are genuine.
- Operations-for-hire
Meta said an increasing number of the covert influence operations are run by operations-for-hire groups. Of the operations identified, half were linked to private companies, including a US marketing firm, a China-based technology business, and a Central African Republic political marketing consultancy.
- Evolution of China-based operations
The latest takedowns indicate a shift in China-origin CIB activity, including new geographic targets, new threat actors, and new adversarial tactics.
The latest networks were seen experimenting with a range of tactics not previously observed in China-based operations, though they have been seen elsewhere. Current behaviors included hiring freelance writers around the world, creating a media company as a front, co-opting an NGO in Africa, and offering to recruit protesters.
Adversarial threats will continue to evolve in response to the methods used to take them down, and new, increasingly malicious behaviors will keep appearing. Countering threat actors and APT groups is an ongoing effort; we must keep improving our methods to stay ahead of them.
Organizations should monitor and block Facebook usage on corporate endpoints where users have no business purpose for accessing it.
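One way to act on that recommendation is to review web proxy logs for endpoints reaching Facebook-owned domains and to apply the same policy check inline. The script below is an added example for this article, not code from Meta or from the report; the log format, the list of Facebook-owned domains, the business allowlist and the sample log lines are all constructed assumptions.

```python
"""Flag corporate endpoints that reach Facebook domains without a business justification.

Added example for this article, not Meta's code. The log format, domain list,
allowlist and sample log lines are constructed assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed list of Facebook-owned domains to police (constructed, not from the report).
FACEBOOK_DOMAINS = ("facebook.com", "fbcdn.net", "messenger.com", "fb.com")

# Assumed set of users whose role justifies access (e.g. a marketing service account).
BUSINESS_ALLOWLIST = {"marketing.svc"}


def is_facebook_host(host):
    """True if host is one of the policed domains or a subdomain of one.

    Matching on the label boundary avoids false positives such as
    'notfacebook.com' and lookalikes like 'www.facebook.com.evil.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def parse_line(line):
    """Parse one assumed proxy log line: '<timestamp> <client-ip> <user> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed lines are skipped rather than crashing the sweep
    ts, client, user, url, status = parts
    return {"ts": ts, "client": client, "user": user,
            "host": urlsplit(url).hostname or "", "status": status}


def find_violations(lines):
    """Aggregate Facebook hits per client IP, ignoring allowlisted business users.

    Returns {client_ip: {"users": set, "hits": int, "hosts": set}}.
    """
    hits = defaultdict(lambda: {"users": set(), "hits": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_facebook_host(rec["host"]):
            continue
        if rec["user"] in BUSINESS_ALLOWLIST:
            continue
        entry = hits[rec["client"]]
        entry["users"].add(rec["user"])
        entry["hits"] += 1
        entry["hosts"].add(rec["host"])
    return dict(hits)


def proxy_decision(url, user):
    """Inline policy check a proxy or egress filter could apply: 'allow' or 'block'."""
    host = urlsplit(url).hostname or ""
    if is_facebook_host(host) and user not in BUSINESS_ALLOWLIST:
        return "block"
    return "allow"


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z 10.0.0.5 jdoe https://www.facebook.com/ 200",
    "2024-01-01T09:00:05Z 10.0.0.5 jdoe https://static.xx.fbcdn.net/rsrc.php 200",
    "2024-01-01T09:01:00Z 10.0.0.7 marketing.svc https://www.facebook.com/ads 200",
    "2024-01-01T09:02:00Z 10.0.0.9 asmith https://notfacebook.com/ 200",
    "2024-01-01T09:02:30Z 10.0.0.9 asmith https://www.facebook.com.evil.example/ 200",
    "2024-01-01T09:03:00Z 10.0.0.5 jdoe https://m.facebook.com/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, info in find_violations(SAMPLE_LOG).items():
        print(f"{client}: {info['hits']} hits by {sorted(info['users'])} "
              f"to {sorted(info['hosts'])}")
```

On the constructed sample only 10.0.0.5 is reported: the marketing service account is allowlisted, the lookalike and `notfacebook.com` hosts fail the label-boundary match, and the malformed line is skipped. The same `is_facebook_host` check drives both the log review and the inline `proxy_decision`, so the reporting and blocking policies cannot drift apart.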