Meta Security. PHOTO: Cybercrime Magazine.

Meta Wipes Out Cyberspies, Russian Bot Farm From Facebook platform

Q1 2022 is full of digital spying, propaganda, and cyberattacks against critical infrastructure

Charlie Osborne

London – Apr. 12, 2022

Facebook parent company Meta says it has stopped numerous threat groups and a Russian bot farm from operating on its platforms.

On April 7, the tech giant published its Q1 2022 Adversarial Threat Report, which provides a deep dive into fraudsters and cybercriminals using social networks to their advantage.

According to Ben Nimmo, Meta Global Threat Intelligence Lead for Influence Operations, and David Agranovich, Director of Threat Disruption, Meta has observed “multiple policy violations in Iran, Azerbaijan, Ukraine, Russia, South America, and the Philippines” this year.

As we saw during Russia’s interference with the U.S. 2016 election, social networks are powerful tools for conducting Coordinated Inauthentic Behavior (CIB), spreading misinformation, and swaying public opinion. In turn, they can become political weapons for state interests.

Meta has tackled two separate cyberespionage campaigns in Iran. The first is linked to UNC788, previously associated with domestic spying operations through mobile malware.

The latest UNC788 campaign targeted individuals across the Middle East, including those involved in the Saudi military and human rights activists. In addition, the threat actors targeted U.S. politicians, academics, and journalists.

UNC788 uses phishing emails and websites and fake social media accounts to entice victims into clicking malicious links or downloading malware. For example, the group copied the code of an Android calendar app and added malware to extract contact information.

A Remote Access Trojan (RAT), dubbed HilalRAT, was also found in a messaging app promoted by the group.

“Their malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Meta says. “We’ve been tracking and blocking this group’s efforts for a number of years, similar to our peers at other platforms.”

Meta documented a second cyberespionage campaign in the report. The group, which Meta says was previously unreported, has targeted industries including energy, telecoms, logistics, and IT.

Energy companies in Saudi, Canada, Italy, and Russia appear to be in the firing line. However, the group has a vast target list.

Meta says that while the group’s attack procedures are similar to Tortoiseshell, linked to past attacks against IT companies in Saudi, the hackers are using different, custom malware and a separate underlying infrastructure.

Azerbaijan has also featured heavily in Meta’s Q1 report. A “hybrid” network spanning social networks, news websites, YouTube, and chat platforms was disrupted.

According to the company, Azerbaijan’s Ministry of Internal Affairs is backing the CIB activities, which “primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad.” The group focuses on domestic spying, obtaining personal data, and posting “critical or compromising commentary” impacting the reputation of individuals opposed to the ruling party.

“It is another example of a hybrid espionage and CIB campaign, similar to the unconnected and separate activity by Ghostwriter, a threat actor that most recently targeted Ukraine,” Meta notes.

The Russia-Ukraine conflict has spilled out onto the digital world in what is debatably the first “viral” war we’ve experienced.

Ukraine was subject to severe cyberattacks before Russia’s invasion and has subsequently asked for volunteers to form an “IT Army” tasked with offensive and defensive tasks to protect the country.

Meta says that digital assaults against Ukraine continue. State-sponsored groups from Russia and Belarus have targeted Ukraine’s telecom, energy, defense, and technology firms. In addition, journalists and activists in the country, Russia, and abroad are being attacked.

A Russian bot farm has also been wiped out after frequently “reporting people in Ukraine and in Russia for fictitious policy violations of Facebook policies in an attempt to silence them.”

The fake reports are often related to “hate speech.”

The Ghostwriter group, suspected of Russian and Belarusian ties, has also ramped up its activity. Recently, the cyberattackers have been trying to break into Facebook accounts belonging to “dozens” of Ukrainian military personnel to post videos calling on Ukraine to surrender.

While propaganda and fake commentary are rampant, threat actors are also trying to monetize the war. Meta said:

“Since the war began, we’ve investigated and removed tens of thousands of accounts, Pages, and Groups using both automated and manual systems. We’ve seen spammers from around the world use inauthentic behavior tactics including streaming live-gaming videos and reposting popular content including other people’s videos from Ukraine as a way to pose as sharing live updates. 

Some of the spammers switched names repeatedly to trick people into following them so they can try making money by either driving people to off-platform ad-filled websites or selling them merchandise.”

Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets. 

Go here to read all of Charlie’s Cybercrime Magazine articles.