Meta Unravels Social Media Cyber Espionage Operations In South Asia

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | May 04, 2023 04:02 am PST

Hundreds of well-developed fake profiles on Facebook and Instagram were used by three separate threat actors to launch separate assaults on users in Southern Asia. To spread their malware and steal sensitive information, each of these APTs leaned significantly on social engineering, according to Guy Rosen, Meta’s chief information security officer.

They were able to reduce spending on malware development because of this group’s “investment in social engineering.” The fictitious users pretended to be recruiters, journalists, or members of the military, in addition to the more common guises such as lonely women looking for love.

At least two of the cyber espionage campaigns involved the deployment of less-capable, low-sophistication malware, most likely in an effort to evade the app verification checks set up by Apple and Google.

Meta discovered an advanced persistent threat (APT) group based in Pakistan that used a web of phony accounts, apps, and websites to spread GravityRAT among members of the Indian and Pakistani armed forces by posing as legitimate cloud storage and entertainment apps.

An advanced persistent threat (APT) named Bahamut used Android malware distributed through the Google Play Store to specifically target users in India and Pakistan, prompting the company to delete 110 related social media accounts. The apps, which pretended to be encrypted messaging or VPN services, have been taken down.

Last but not least, it deleted 50 profiles on social media sites like Facebook and Instagram that were linked to a threat actor in India, codenamed Patchwork. This group used malicious apps uploaded to the Play Store to steal information from users in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

Meta has also disrupted six adversarial networks based in the United States, Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that were involved in “coordinated inauthentic behavior” across multiple social media platforms, including Facebook, Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit, and WordPress.

Three of these internationally dispersed networks have been linked to institutions in the United States and Africa: Predictvia, a marketing firm based in the United States; the Groupe Panafricain pour le Commerce et l’Investissement (GPCI), a political marketing consultancy based in Togo; and the Strategic Communications Department of Georgia.

Users in India, Tibet, Taiwan, Japan, and the Uyghur community were among those targeted by two Chinese networks that ran dozens of fake profiles, pages, and groups across Facebook and Instagram.

Meta claimed that it removed the content in both cases before the activities could “build an audience” on its services and that it had discovered links between members of one network and employees of a Chinese IT company called Xi’an Tianwendian Network Technology.

The Iranian network reportedly targeted Israel, Bahrain, and France with particular ferocity, supporting Microsoft’s conclusion that Iran was responsible for the January 2023 breach of Charlie Hebdo, a French satirical magazine.

In addition to managing Pages and Groups pretending to be hacktivist teams, “the people behind this network used fake accounts to post, like, and share their own content,” Meta stated. “They also liked and shared other people’s posts about cyber security topics,” the report says, “likely to make fake accounts look more credible.”

Also released at the same time is research from Microsoft that shows how Iranian state-aligned actors have been more reliant on cyber-enabled influence operations to “boost, exaggerate, or compensate for shortcoming in their network access or cyberattack capabilities” since June 2022.

Increasing from seven in 2021, Redmond has linked the Iranian government to twenty-four such operations in 2022, including the clusters Moses Staff, Homeland Justice, Abraham’s Ax, Holy Souls, and DarkBit. Since June 2022, seventeen of these procedures have been completed.

The Windows manufacturer also reported seeing “multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-influence operations.”

The quick exploitation of known security holes, the use of target websites for command and control, and the development of customized implants to evade detection and steal information from victims are other defining characteristics of the new strategy.

The activities, which have targeted Israel and the United States in punishment for purportedly fomenting discontent in the nation, have aimed to support the Palestinian resistance, spark upheaval in Bahrain, and prevent the restoration of relations between the Arab world and Israel.


On Wednesday, Meta revealed that hackers with ties to the Pakistani government had been spying on members of the Indian and Pakistani armed forces by infecting their personal devices with malware hidden in malicious apps and websites. This attack is one of three operations in South Asia reported in Meta’s quarterly adversarial threat report. The other two operations appear to focus on intelligence gathering and are associated with (Bahamut and Patchwork) APT organizations. The organization did not designate the Pakistani collective by name.

Each of the three campaigns “relied heavily on social engineering,” with hackers constructing “elaborate fictitious personas with backstops across the internet” to deceive their intended victims, as well as any platforms or researchers looking into the matter. Meta claimed that some of the accounts were disguised to be recruiters, journalists, or military personnel, while the Pakistan-based gang utilized more typical lures, such as women looking for love connections. According to the analysis, the Pakistani hacking gang is able to save money by not building sophisticated malware because of its emphasis on socially engineering individuals into clicking on harmful links or sharing vital information with a phony persona.

The authors draw the conclusion that low-cost, low-sophistication malware combined with social engineering can be highly effective in targeting people. Even while not all of the hackers’ homemade desktop apps were harmful in and of themselves, some of them were utilized to deliver malware to their intended victims. According to Meta, the hacker gang has been active since 2015 and is well-known in the sector for its usage of the GravityRAT spyware, as detailed by Cisco and Kaspersky.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x