Facebook Takedown Infrastructure of Hacker Groups Targeting Various Government Entities

Bangladesh and Vietnam based hackers were caught by Facebook recently for hacking into its users’ accounts and taking control of the pages. APT32, a Vietnamese group, and an unnamed Bangladeshi group were the groups that had gained unauthorized access to people’s accounts across the social media platform.

The operation from Bangladesh primarily focused on compromising the integrity of accounts across the social media platform and had targeted local activists, journalists, and religious minorities, including those living abroad, whereas the agenda of the Vietnamese group was to spread malware to its targets.

The social media giant’s investigation had traced this activity back to two non-profit organizations in Bangladesh, namely Don’s Team a.k.a Defense Of Nation and CRAF (Crime Research and Analysis Foundation).

The two teams had falsely reported people on the platform for inappropriate content including impersonation, IP infringements, nudity, and terrorism, read the announcement issued by Nathaniel Gleicher, Facebook’s Head of Security Policy, and Mike Dvilyanski, Cyber Threat Intelligence Manager.

The compromised accounts were used for the organisations’ own operational activity including propagating their content. There was atleast one instance where the page’s admin account was compromised and the page was deleted.

To put a stop to this malicious activity, Facebook removed the accounts behind this operation.

APT32 Group

APT32 an advanced persistent threat actor targeted Vietnamese human rights activists locally and those living abroad, various foreign governments including Laos and Cambodia, NGOs, news agencies and a number of other businesses. Facebook’s most recent investigation revealed a host of tactics and techniques including:

• Social engineering: APT32 created fictitious personas across the internet posing as activists and business entities, or used romantic lures when contacting people they targeted. These efforts often involved creating backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of their Pages were designed to lure particular followers for later phishing and malware targeting.
• Malicious Play Store apps: In addition to using Pages, APT32 lured targets to download Android applications through Google Play Store that had a wide range of permissions to allow broad surveillance of peoples’ devices.
• Malware propagation: APT32 compromised websites and created their own to include obfuscated malicious javascript as part of their watering hole attack to track targets’ browser information. A watering hole attack is when hackers infect websites frequently visited by intended targets to compromise their devices. As part of this, the group built custom malware capable of detecting the type of operating system a target uses (Windows or Mac) before sending a tailored payload that executes the malicious code. Consistent with this group’s past activity, APT32 also used links to file-sharing services where they hosted malicious files for targets to click and download. Most recently, they used shortened links to deliver malware. Finally, the group relied on Dynamic-Link Library (DLL) side-loading attacks in Microsoft Windows applications. They developed malicious files in exe, rar, rtf and iso formats, and delivered benign Word documents containing malicious links in text.

Facebook has advised all to remain vigilant and take appropriate measures to protect their accounts, including avoid clicking on suspicious links and visiting suspicious websites, and downloading software from untrusted sources.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.

Also Read

The Importance of Cybersecurity in The Post-COVID-19 World

Hackers Using COVID-19 Training Lure to Attack Office 365 Users