Meta’s Quarterly Adversarial Threat Report Highlights How Cyberthreat Actors Snooping on Indians
Meta has released its ‘Quarterly Adversarial Threat Report’ in which the company highlighted two cyber espionage operations, conducted by threat actors Bitter APT and APT36, targeting people from India as well as other countries.
As per Meta, the report provides a comprehensive perspective of the threats that the company has detected across many policy infractions, such as Coordinated Inauthentic Behavior (CIB), cyber espionage and inauthentic behaviour.
“We took action against two cyber espionage operations in South Asia. One was linked to a group of hackers known in the security industry as Bitter APT, and the other, APT36, to the state-linked actors in Pakistan,” Meta noted in its report.
These groups usually target individuals online in order to gather intelligence, trick them into disclosing information and breach their devices and accounts.
Meta said that it has dismantled a brigading network in India, a mass reporting network in Indonesia and coordinated violating networks in Greece and South Africa as well as India as part of their efforts to counter new and emerging threats.
According to the report, Meta has removed tens of thousands of accounts, pages, and groups worldwide in accordance with their Inauthentic Behavior policy, which prohibits artificially boosting distribution.
BITTER APT
In terms of Bitter APT, which has been active since 2013, Meta’s report stated that it operated out of South Asia, and targeted people in New Zealand, Pakistan, the United Kingdom, as well as India.
It was noticed that while the sophistication and operational security of this group’s actions were relatively modest, it was persistent and well-resourced.
Bitter APT, as per the report, has targeted people with several social engineering on social media platforms such as Facebook with the end goal of deploying malware on their devices.
To disseminate their infection, they combined link-shortening services, fraudulent domains, compromised websites, and outside hosting companies.
The anonymous chat app delivered by the attackers may not have carried malicious code, according to Meta researchers, but they do believe it may have been used for more social engineering on a chat medium under the attackers’ control.
As per the report, using genuine Apple services could help attackers avoid detection and make them seem more legitimate.
“This meant that hackers didn’t need to rely on exploits to deliver custom malware to targets and could utilise official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat application,” it added.
While earlier Bitter APT group targeted the energy, engineering and government sectors with Remote access trojans (a kind of malware) that were spread via spear-phishing emails or by the exploitation of known flaws, in the recent campaign, the group created social media profiles and used them to trick their targets into clicking on malicious links or downloading malware by posing as journalists or activists.
The analysis stated that rather than randomly targeting people with phishing, this gang often spent time and effort establishing links with its targets via different channels, including email.
Meta also discovered Bitter APT using a range of additional strategies, utilising a combination of link-shortening services, hijacked websites, and third-party hosting providers to target victims with malware.
Researchers found that the APT deployed a brand-new family of Android malware they termed Dracarys in one instance.
It said: “Bitter APT injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps.”
“While the malware functionality is fairly standard, as of this writing, malware and its supporting infrastructure has not been detected by existing public anti-virus systems,” the report further added.
APT36
According to Meta, APT36, a group with ties to Pakistan, also launched a campaign against military officers, government employees, and staff members of human rights organisations in Afghanistan, Pakistan, the United Arab Emirates, and Saudi Arabia, as well as India.
The report stated that even though this group’s activity was not very sophisticated, it was persistent and targeted a variety of online services, including email providers, file-hosting sites, and social media.
The researchers noted that to target the victims, the group pretended to be recruiters for both real and phoney businesses as well as military personnel and distributed harmful links to attacker-controlled websites where they stored malware.
“APT36 didn’t directly share malware on our platforms but rather used the above tactics to share malicious links to sites they controlled and where they hosted malware,” Meta’s report highlighted while adding that XploitSPY, a common Android malware, was utilised in a number of instances.
As per the report, APT36’s campaign illustrates a wider pattern of espionage organisations adopting pre-made, low-cost malicious tools rather than investing in the creation of their own tools.
Additionally, Meta said: “This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.”
CONCERNS OVER CYBERTHREAT
This recent finding by Meta is extremely concerning as the current world is hugely dependent on digital communication and India, specifically, is moving towards the nationwide enhancement of online connectivity under the banner of “Digital India”.
News18 has reached out to some industry experts who pointed out the concerning facts about such threats while suggesting some possible steps that could be taken to ensure the safety of Indian citizens.
Srividya Kannan, Founder and Director, Avaali Solutions stated that “our vulnerability to cyber-attacks is increasingly concerning”, but more concerning is the fact that the expanding number of operations based on publicly available malicious tools necessitates even less technical expertise to deploy and democratise access to hacking and spying capabilities.
“This could pose a danger across the board, from government entities to citizens. For instance, malware masquerading as popular messaging apps widely used by citizens throw a massive risk in terms of siphoning information for such a large population,” she added.
According to Satyamohan Yanambaka, the CEO at Writer Information Management Services, who called the report “scary”, with the increased use of mobile smartphones, particularly lower-cost Apple models, and India as a target market for Apple and APT groups, the problem becomes much more serious.
Yanambaka said: “A growing number of operations using basic low-cost tools that require less technical expertise to deploy, yet yield results for the attackers nonetheless. It democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower.”
“It also allows these groups to hide in the “noise” and gain plausible deniability when being scrutinized by security researchers,” he added.
THE NEXT STEP
Industry experts believe that to prevent such threats, the first necessary step should be maximum social awareness.
Yanambaka suggested that spending on cyber awareness should be included as part of CSR efforts, and spending on consumer awareness should be made mandatory for IT industry participants such as mutual funds.
He said: “We should have technical solutions to prevent the channel of attack by these hackers.”
“Hackers access to devices through malicious document files and intermediate malware stages and the threat actors conduct espionage by deploying RATs. These can be prevented technically by ensuring, strong multi-factor authentication, use of Anti-malware endpoint protection tools and securing Reg Files and ensuring no file/Data Base can meddle with inappropriate authentications”, he added.
Meanwhile, Kannan highlighted the fact that most Indian citizens “may not even be sensitive to something like these cyber threats” which means that “they could be inadvertently severely exposed and may not even be alert to such risks”.
She believes that with the Digital India initiative and the projected Central Bank Digital Currency, the impact of these dangers on corporations as well as individuals will only grow if not handled.
So, Kannan said: “There is a dire need for focused and comprehensively thought-through Cyber Security legislation.”
Another industry expert, Sagar Chandola said that “there is no such Public view Dashboard for cyber incidents in India and in the near future we might also need to have an Aadhar like Cyber ID”.
Regarding the national-level architecture, Yanambaka said that while CERT-In is a Government of India body that monitors and delivers cyberattack intelligence, a majority of it is more of a pull paradigm in which corporations should seek information.
“This establishment is placed well to become a national-level cyber warfare prevention body by actively propagating information, circulating alerts, pro-actively monitoring malware attacks, providing cyber ware pro-actively, encouraging membership, cross-information flow and be the watchdog/National Cyber agency,” he added.
However, Harsh Bharwani, CEO & Managing Director of Jetking, explained that India is particularly vulnerable to cyber incursions due to some strategic deficiencies, inadequate risk assessment, and late policy execution.
But he also pointed out that India is establishing its own cyber security architecture, which will include the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing among stakeholders, Cyber Operation Centre and the National Critical Information Infrastructure Protection Centre (NCIIPC).
He also said: “The government is developing a legal framework to address cyber security, has launched a campaign to raise awareness of the problem and is developing the necessary human resources with the appropriate skills.”
Read the Latest News and Breaking News here
Meta has released its ‘Quarterly Adversarial Threat Report’ in which the company highlighted two cyber espionage operations, conducted by threat actors Bitter APT and APT36, targeting people from India as well as other countries.
As per Meta, the report provides a comprehensive perspective of the threats that the company has detected across many policy infractions, such as Coordinated Inauthentic Behavior (CIB), cyber espionage and inauthentic behaviour.
“We took action against two cyber espionage operations in South Asia. One was linked to a group of hackers known in the security industry as Bitter APT, and the other, APT36, to the state-linked actors in Pakistan,” Meta noted in its report.
These groups usually target individuals online in order to gather intelligence, trick them into disclosing information and breach their devices and accounts.
Meta said that it has dismantled a brigading network in India, a mass reporting network in Indonesia and coordinated violating networks in Greece and South Africa as well as India as part of their efforts to counter new and emerging threats.
According to the report, Meta has removed tens of thousands of accounts, pages, and groups worldwide in accordance with their Inauthentic Behavior policy, which prohibits artificially boosting distribution.
BITTER APT
In terms of Bitter APT, which has been active since 2013, Meta’s report stated that it operated out of South Asia, and targeted people in New Zealand, Pakistan, the United Kingdom, as well as India.
It was noticed that while the sophistication and operational security of this group’s actions were relatively modest, it was persistent and well-resourced.
Bitter APT, as per the report, has targeted people with several social engineering on social media platforms such as Facebook with the end goal of deploying malware on their devices.
To disseminate their infection, they combined link-shortening services, fraudulent domains, compromised websites, and outside hosting companies.
The anonymous chat app delivered by the attackers may not have carried malicious code, according to Meta researchers, but they do believe it may have been used for more social engineering on a chat medium under the attackers’ control.
As per the report, using genuine Apple services could help attackers avoid detection and make them seem more legitimate.
“This meant that hackers didn’t need to rely on exploits to deliver custom malware to targets and could utilise official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat application,” it added.
While earlier Bitter APT group targeted the energy, engineering and government sectors with Remote access trojans (a kind of malware) that were spread via spear-phishing emails or by the exploitation of known flaws, in the recent campaign, the group created social media profiles and used them to trick their targets into clicking on malicious links or downloading malware by posing as journalists or activists.
The analysis stated that rather than randomly targeting people with phishing, this gang often spent time and effort establishing links with its targets via different channels, including email.
Meta also discovered Bitter APT using a range of additional strategies, utilising a combination of link-shortening services, hijacked websites, and third-party hosting providers to target victims with malware.
Researchers found that the APT deployed a brand-new family of Android malware they termed Dracarys in one instance.
It said: “Bitter APT injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps.”
“While the malware functionality is fairly standard, as of this writing, malware and its supporting infrastructure has not been detected by existing public anti-virus systems,” the report further added.
APT36
According to Meta, APT36, a group with ties to Pakistan, also launched a campaign against military officers, government employees, and staff members of human rights organisations in Afghanistan, Pakistan, the United Arab Emirates, and Saudi Arabia, as well as India.
The report stated that even though this group’s activity was not very sophisticated, it was persistent and targeted a variety of online services, including email providers, file-hosting sites, and social media.
The researchers noted that to target the victims, the group pretended to be recruiters for both real and phoney businesses as well as military personnel and distributed harmful links to attacker-controlled websites where they stored malware.
“APT36 didn’t directly share malware on our platforms but rather used the above tactics to share malicious links to sites they controlled and where they hosted malware,” Meta’s report highlighted while adding that XploitSPY, a common Android malware, was utilised in a number of instances.
As per the report, APT36’s campaign illustrates a wider pattern of espionage organisations adopting pre-made, low-cost malicious tools rather than investing in the creation of their own tools.
Additionally, Meta said: “This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.”
CONCERNS OVER CYBERTHREAT
This recent finding by Meta is extremely concerning as the current world is hugely dependent on digital communication and India, specifically, is moving towards the nationwide enhancement of online connectivity under the banner of “Digital India”.
News18 has reached out to some industry experts who pointed out the concerning facts about such threats while suggesting some possible steps that could be taken to ensure the safety of Indian citizens.
Srividya Kannan, Founder and Director, Avaali Solutions stated that “our vulnerability to cyber-attacks is increasingly concerning”, but more concerning is the fact that the expanding number of operations based on publicly available malicious tools necessitates even less technical expertise to deploy and democratise access to hacking and spying capabilities.
“This could pose a danger across the board, from government entities to citizens. For instance, malware masquerading as popular messaging apps widely used by citizens throw a massive risk in terms of siphoning information for such a large population,” she added.
According to Satyamohan Yanambaka, the CEO at Writer Information Management Services, who called the report “scary”, with the increased use of mobile smartphones, particularly lower-cost Apple models, and India as a target market for Apple and APT groups, the problem becomes much more serious.
Yanambaka said: “A growing number of operations using basic low-cost tools that require less technical expertise to deploy, yet yield results for the attackers nonetheless. It democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower.”
“It also allows these groups to hide in the “noise” and gain plausible deniability when being scrutinized by security researchers,” he added.
THE NEXT STEP
Industry experts believe that to prevent such threats, the first necessary step should be maximum social awareness.
Yanambaka suggested that spending on cyber awareness should be included as part of CSR efforts, and spending on consumer awareness should be made mandatory for IT industry participants such as mutual funds.
He said: “We should have technical solutions to prevent the channel of attack by these hackers.”
“Hackers access to devices through malicious document files and intermediate malware stages and the threat actors conduct espionage by deploying RATs. These can be prevented technically by ensuring, strong multi-factor authentication, use of Anti-malware endpoint protection tools and securing Reg Files and ensuring no file/Data Base can meddle with inappropriate authentications”, he added.
Meanwhile, Kannan highlighted the fact that most Indian citizens “may not even be sensitive to something like these cyber threats” which means that “they could be inadvertently severely exposed and may not even be alert to such risks”.
She believes that with the Digital India initiative and the projected Central Bank Digital Currency, the impact of these dangers on corporations as well as individuals will only grow if not handled.
So, Kannan said: “There is a dire need for focused and comprehensively thought-through Cyber Security legislation.”
Another industry expert, Sagar Chandola said that “there is no such Public view Dashboard for cyber incidents in India and in the near future we might also need to have an Aadhar like Cyber ID”.
Regarding the national-level architecture, Yanambaka said that while CERT-In is a Government of India body that monitors and delivers cyberattack intelligence, a majority of it is more of a pull paradigm in which corporations should seek information.
“This establishment is placed well to become a national-level cyber warfare prevention body by actively propagating information, circulating alerts, pro-actively monitoring malware attacks, providing cyber ware pro-actively, encouraging membership, cross-information flow and be the watchdog/National Cyber agency,” he added.
However, Harsh Bharwani, CEO & Managing Director of Jetking, explained that India is particularly vulnerable to cyber incursions due to some strategic deficiencies, inadequate risk assessment, and late policy execution.
But he also pointed out that India is establishing its own cyber security architecture, which will include the National Cyber Coordination Centre (NCCC) for threat assessment and information sharing among stakeholders, Cyber Operation Centre and the National Critical Information Infrastructure Protection Centre (NCIIPC).
He also said: “The government is developing a legal framework to address cyber security, has launched a campaign to raise awareness of the problem and is developing the necessary human resources with the appropriate skills.”
Read the Latest News and Breaking News here
