Meta (formerly Facebook) has cracked down on a cyber espionage operation linked to state-sponsored bad actors in Pakistan that targeted people in India, including military personnel and government officials, with various methods like honey trapping and infiltrating their devices with malware.
Apart from India, the group of hackers in Pakistan — known in the security industry as APT36 — targeted people in Afghanistan, Pakistan, the UAE and Saudi Arabia, according to Meta’s quarterly ‘Adversarial Threat Report’.
“Our investigation connected this activity to state-linked actors in Pakistan,” Meta said.
The group’s activity was persistent and targeted many services across the Internet — from email providers to file-hosting services to social media.
“APT36 used various malicious tactics to target people online with social engineering to infect their devices with malware. They used a mix of malicious and camouflaged links, and fake apps to distribute their malware targeting Android and Windows-run devices,” the social network warned.
APT36 used fictitious personas — posing as recruiters for both legitimate and fake companies, military personnel or attractive young women looking to make a romantic connection — in an attempt to build trust with the people they targeted.
The group deployed a wide range of tactics, including the use of custom infrastructure, to deliver their malware.
“Some of these domains masqueraded as photo-sharing websites or generic app stores, while others spoofed the domains of real companies like the Google Play Store, Microsoft’s OneDrive, and Google Drive,” said the Meta report.
Additionally, this group used common file-sharing services like WeTransfer to host malware for short periods of time.
The Pakistan-based actors also used link-shortening services to disguise malicious URLs.
They used social cards and preview sites — online tools used in marketing to customise what image is displayed when a particular URL is shared on social media — to mask redirection and ownership of domains APT36 controlled.
“APT36 didn’t directly share malware on our platforms, but rather used the tactics to share malicious links to sites they controlled and where they hosted malware,” said Meta.
In several cases, this group used a modified version of commodity Android malware known as ‘XploitSPY’ available on Github.
While ‘XploitSPY’ appears to have been originally developed by a group of self-reported ethical hackers in India, APT36 made modifications to it to produce a new malware variantAcalled ‘LazaSpy’.
Meta found that in this recent operation, APT36 had also trojanised (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.
“Both malware families are capable of accessing call logs, contacts, files, text messages, geolocation, device information, photos and enabling microphone,” said the report.
Meta also removed a brigading network in India, a mass reporting network in Indonesia and coordinated violating networks in Greece, India, and South Africa.
Brigading is a technique where groups of people coordinate to harass people on Meta platforms in an attempt to intimidate and silence them.