The social media giant marks its fifth anniversary of sharing insights into threat actors operating on Facebook and Instagram with its latest quarterly report. And what a report it is – Pakistani spies, Hindu hardliners, and Russian partisans are just some of the diverse entities who have been active on its platforms.
Topping Meta’s list of internet ne’er-do-wells were two cyber-espionage groups – APT36, identified as probably originating in Pakistan, and Bitter, also from the South Asian region.
Both groups targeted people in Pakistan, with social media users in the UK, Saudi Arabia, India, and New Zealand also singled out by social engineering campaigns, Android-based malware, and fake websites.
“As part of these latest disruptions against both networks, we took down accounts, blocked their domain infrastructure from being shared on our services, and notified people who we believe were targeted by these malicious groups,” Meta disclosed in its report. “We also shared information with security researchers and our industry peers so they too can take action to stop this activity.”
APT36 posed as recruiters, attractive young women, and military personnel in a bid to gain the trust of targets. Bitter also found faking female sex appeal to be a useful tool until Meta clamped down on its illicit activities, which also included mimicking journalists and activists.
Between them, the groups used a variety of tactics, techniques, and procedures (TTPs), including disguised links, fake apps, malicious domains, compromised websites, and third-party hosting providers to distribute malware. However, Meta said both operations were relatively low-grade in sophistication, relying instead on sheer persistence to compromise targets.
Malware was not shared directly on Facebook by APT36, but links to sites that hosted it were, while Bitter used a custom program named Dracarys tailored to Android users that it inserted into accessibility functions originally designed to aid people living with disabilities.
“Bitter injected Dracarys into trojanized versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,” said Meta, adding that the malware has yet to be identified by any anti-virus programs that it is aware of.
A multitude of sins
Meta’s banning of the two groups is just the tip of the iceberg in its ongoing struggle to weed out bad actors on its hugely popular social media platforms, which continue to be fertile grounds for all kinds of interest groups, many of them political in nature.
As such, Russia featured quite prominently, using Instagram and other platforms as a launchpad for various disinformation campaigns promoting the Kremlin’s “denazification” pretext for the invasion of Ukraine. However, Meta also shared some evidence to suggest that Ukrainian activists have been fighting back, subverting or contradicting Russian information operations where they could.
A threat group identified by Meta as Cyber Front Z was banned from Facebook and Instagram for such activities, which it said involved a troll farm based in St Petersburg using social media to promote narratives favorable to the Russian invasion.
Nicknamed the “beanbag trolls” after comfortable seating arrangements provided by the Kremlin to its small army of cyber partisans – a hundreds-strong group that Meta says was infiltrated by undercover journalists in March – Cyber Front Z was booted off Facebook after it was found to be running 45 accounts and an advertising campaign on the platform to push its propaganda.
Targets of the beanbag trolls included Finnish prime minister Sanna Marin during her visit to Ukraine in May, when she was defamed in a Telegram post that linked to Instagram, which Meta acquired the month before.
“We must explain to the Finnish politician that Ukraine will be liberated from Nazism by the Russian army, so petitions from [Volodymir] Zelensky from the cocaine acceptance center are not her level,” reads an English translation of the original post. “Let’s fly here and massively urge not to support the Ukronazis. Stop support ukrainian nazi [sic], Sanna! Russia will free Ukraine from the criminal regime!”
Commenting on the findings, Meta said: “While the original story did not mention our apps, we were able to uncover a network of related accounts on Instagram. It appears that the organizers used the people they hired as simply a typing pool to flood pro-Ukrainian posts with comments on one topic only – Russia’s war – using very basic, fake accounts that kept getting caught.”
As with the South Asian espionage groups it intercepted, Meta said the Cyber Z campaign was “low in sophistication” and had been largely detected and disabled by its automated systems “even before we found their link to this activity.”
While core TTPs employed by the Z Team involved using fake social media accounts operated by paid posters, there was some evidence that these themselves had been compromised, with pro-Ukrainian messages copied and pasted onto Russian propagandist threads.
“In isolated cases, the fake accounts appear to have assumed a split personality when posting in English versus Russian,” Meta explained. “The same account would reply to some posts with its usual pro-Russia comments, and to other posts they’d respond with pro-Ukraine comments. In some cases, they appeared to have copied and pasted pro-Ukraine comments from the very groups the Z Team explicitly opposed. This might be a case of individual operators undermining this fictitious movement from within.”
At other times, the Z Team appeared to bungle its efforts, for instance, urging sympathizers on Telegram to visit what it thought was the official Instagram page of hawkish UK foreign secretary Liz Truss – only to direct them to a fan site numbering some 30 followers that had not been active since 2018.
“We saw more failed attempts to drum up a conversation on other platforms, including Twitter and YouTube,” said Meta, citing one example in May, when the Z Team steered people toward Twitter accounts belonging to the President of Poland, the International Ice Hockey Federation (IIHF), and the French Tennis Federation. “None of these showed a high volume of pro-Russia comments, while some people called them out as Russian trolls,” it said.
Other alleged wrongdoers who found themselves exiled from Meta’s social media empire included what it believes to be Hindu hardliners, who set up bully “brigades” to harass local dissidents for posting content these actors deemed “offensive” to the ancient Indian religion.
“We took down a brigading network of about 300 accounts on Facebook and Instagram in India that worked together to mass-harass people, including activists, comedians, actors and other influencers,” said Meta. “This network was active across the internet, including Facebook, Instagram, YouTube, Twitter, and Telegram.”
Meta said the bad actors behind the campaign used its apps to present “a combination of authentic and duplicate accounts, many of which were disabled for violating our rules against hate speech and harassment by our scaled, automated systems.”
It added that the haters themselves played the hate-speech card in efforts to whip up anger and manipulate other social media users into joining their campaign of intimidation. “These accounts would call on others to harass people who posted content that this group deemed offensive to Hindus,” said Meta. “The members of this network would then post high volumes of negative comments under the targets’ posts. In response, some people would hide or delete their posts, leading to celebratory comments claiming a ‘successful raid.’”
Meta added that it considers brigading to be online activity on its platforms that includes “repetitive targeting to harass or silence people,” evidence of “coordination” through social media signaling, a “high volume of activity,” and “efforts to evade enforcement.”
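As an added illustration (not code from Meta or its report), the following Python scores a set of constructed comment events against the four brigading signals listed above; the thresholds and the use of duplicate account names with numeric suffixes as a stand-in for "evasion" are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample comment events (not data from Meta's report):
# (account, post_id, target_user, minute_offset, text)
EVENTS = [
    ("desh_bhakt1", "p1", "comedian_a", 0, "delete this"),
    ("desh_bhakt2", "p1", "comedian_a", 1, "shame"),
    ("desh_bhakt3", "p1", "comedian_a", 2, "delete this now"),
    ("desh_bhakt1", "p1", "comedian_a", 3, "report"),
    ("desh_bhakt2", "p1", "comedian_a", 4, "successful raid soon"),
    ("desh_bhakt1", "p2", "comedian_a", 60, "again"),
    ("desh_bhakt3", "p2", "comedian_a", 61, "delete"),
    ("friend_x", "p3", "actor_b", 0, "great post"),
    ("friend_y", "p3", "actor_b", 300, "love it"),
]

def name_stem(account):
    """Strip a trailing numeric suffix so 'desh_bhakt1' and 'desh_bhakt2' share a stem."""
    return re.sub(r"\d+$", "", account)

def brigading_signals(events, window=10, min_accounts=3, min_volume=5, min_repeat=2):
    """Flag each targeted user with the four signals Meta lists for brigading."""
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev[2]].append(ev)
    result = {}
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e[3])
        # coordination / high volume: sliding time window over comments on this target
        coordinated = volume = False
        for i, (_, _, _, t0, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[3] - t0 <= window]
            coordinated |= len({e[0] for e in burst}) >= min_accounts
            volume |= len(burst) >= min_volume
        # repetitive targeting: the same account hits this target across several posts
        posts_per_acct = defaultdict(set)
        for acct, post, *_ in evs:
            posts_per_acct[acct].add(post)
        repetitive = any(len(p) >= min_repeat for p in posts_per_acct.values())
        # evasion proxy (assumed): duplicate accounts differing only by a numeric suffix
        stems = defaultdict(set)
        for acct in posts_per_acct:
            stems[name_stem(acct)].add(acct)
        evasion = any(len(s) >= 2 for s in stems.values())
        signals = {"repetitive": repetitive, "coordination": coordinated,
                   "volume": volume, "evasion": evasion}
        signals["brigading"] = sum(signals.values()) >= 3  # assumed: 3 of 4 signals
        result[target] = signals
    return result
```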
Meta’s ongoing fight
Other bad actors expelled from Meta’s virtual domains included apparent extremists in Israel who targeted people in Palestinian territories as well as Angola and Nigeria, pro-police partisans in Malaysia who targeted the country’s political opposition, and fake pundits in the Philippines who used local elections as a lure to target victims with spam.
Meta said it had begun public disclosures about threat actors on its platforms in response to perceived Russian misinformation or what it calls “influence operations,” and that it expected its reporting focus to change as global threats and trends continue to shift.
“We expect the make-up of this report to continue to evolve in response to the changes we see in the threat environment and as we expand to cover new areas of our trust and safety work,” it said. “This report is not meant to reflect the entirety of our security enforcements, but to share notable trends and investigations to help inform our community’s understanding of the evolving security threats we see.”
It also urged cybersecurity professionals to come forward with any information that might be useful in contributing to future quarterly reports.
“We welcome ideas from our peers across the defender community to help make these reports more informative, and we’ll adjust as we learn from feedback,” it said.