Technology

Facebook takes down 4 hacker groups targeting Afghanistan, Syria

By Pakistan Forward and AFP

A member of the Syrian civil defence (White Helmets) types on his computer in the northern Syrian city of Idlib on August 20, 2018. The White Helmets were among the targets of hacker groups taken down in recent months by Facebook. [Omar Haj Kadour/AFP]

A member of the Syrian civil defence (White Helmets) types on his computer in the northern Syrian city of Idlib on August 20, 2018. The White Helmets were among the targets of hacker groups taken down in recent months by Facebook. [Omar Haj Kadour/AFP]

Facebook has taken down four hacker groups from Pakistan and Syria in recent months, Meta, Facebook's parent company, revealed Tuesday (November 16).

In August, the social media network blocked a hacker group from Pakistan that targeted the accounts of people tied to Afghanistan's previous government, along with military and law enforcement personnel.

Known in the security industry as SideCopy, the hacker group is one of four "malicious" groups Facebook said it disrupted earlier this year.

Three other hacking groups "had links to the Syrian government", according to Meta, and targeted activists, journalists, humanitarian organisations and opposition groups, among others.

Facebook's logo is seen on a laptop screen in Moscow on October 12. The social media company announced November 16 it had blocked four distinct hacking groups in recent months -- one from Pakistan targeting members of the former Afghan government and security forces, and three operating in Syria with links to the regime. [Kirill Kudryavtsev/AFP]

Facebook's logo is seen on a laptop screen in Moscow on October 12. The social media company announced November 16 it had blocked four distinct hacking groups in recent months -- one from Pakistan targeting members of the former Afghan government and security forces, and three operating in Syria with links to the regime. [Kirill Kudryavtsev/AFP]

The Syrian Electronic Army (SEA), or APT-C-27, "targeted human rights activists, journalists and other groups opposing the ruling regime", it said.

A group known as APT-C-37 "targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces".

Both had ties to Syria's Air Force Intelligence Directorate, Meta said.

An unnamed network that was found to have links to the Syrian government meanwhile targeted minority groups in Syria, opposition activists, Kurdish journalists and members of the People's Protection Units (YPG), it said.

That group also targeted members of Syria's civil defence (White Helmets).

'Romantic lures' in Afghanistan

The cyber-espionage campaign targeting Afghanistan ramped up between April and August, when Facebook said it worked to remove SideCopy from its network.

As it did with the Syria hacker groups, Meta said, it "moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers".

The company also notified the people it believed had been targeted, and implemented a number of security measures.

SideCopy used "romantic lures" from what appeared to be young women on the platform to try to trick the targets into giving the hackers access to their pages.

The hackers' main technique, known as phishing, was to share links to malicious sites hosting harmful software or to encourage the targets to download compromised chat apps.

"Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat -- some of which were in fact functioning chat applications," Meta said.

The hackers also set up fake mobile app stores and compromised legitimate sites in an effort to get their prey's Facebook credentials.

"This malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who's behind it," Meta said.

The company did not provide figures on the number of accounts potentially affected or comment on the nature of the information hacked.

Tricky tactics in Syria

In October, Facebook took down the SEA/APT-C-27 and APT-C-37 hacker groups, both of which targeted people in Syria.

To gain access to targeted Facebook accounts, the hackers relied on social engineering and phishing tactics to trick people into clicking on links or downloading malicious software from attacker-controlled websites, Meta said.

"Some of these sites focused on content about Islam, others masqueraded as legitimate app stores or used look-alike domains posing as popular services, including Telegram, Facebook, YouTube and WhatsApp," Meta said.

The hackers also used trojanized applications, including those with "United Nations" in the name, VPN Secure, Telegram and a Syrian news app, it said.

The malware the hackers used made it possible for them "to retrieve sensitive user data, including call logs, contact information, device information, user accounts, take photos, and retrieve attacker specified files", Meta said.

It said the unnamed network targeting Syria likely has not been previously tracked by the security community due to its reliance on commercially available malware.

"This group shared links to attacker-controlled websites hosting Android malware masquerading as apps and updates themed around the United Nations, White Helmets, YPG, Syrian satellite TV, COVID-19, WhatsApp and YouTube," it said.

The group targeted minority groups, activists and opposition groups in southern Syria, including in Sweida, Huran, Qunaitra and Daraa.

In northern Syria, it targeted Kurdish journalists and activists, members of the White Helmets and the YPG in areas such as Qamishli, Kobani, Manbij, and al-Hasakeh.

Chinese hackers strike Afghanistan

In a separate incident discovered earlier this year, Chinese hackers sought to breach the computer networks of Afghanistan's National Security Council, the cybersecurity firm Check Point reported July 1.

The attack -- carried out by the Chinese-speaking hacking group known to cybersecurity experts as IndigoZebra -- was part of a cyber-espionage operation targeting Central Asian countries that dates back to 2014.

It previously targeted political entities in Uzbekistan and Kyrgyzstan, and other countries might also have been targeted, according to Check Point.

The operation in Afghanistan started in April, when hackers impersonated a senior official in the president's office.

After gaining access to the official's email account, the hackers sent a "dupe email" to national security officials, urging them to take action on an upcoming press conference hosted by the National Security Council.

"Yesterday, I called your office and no one answered it," they wrote, posing as the official. "We have received your file and modified it. There is an error in the third line of the second page. Please confirm whether the error exists."

The hackers used Dropbox, the popular cloud storage service, to deploy malware, Check Point said.

It is not clear if any members of the security council were duped.

Do you like this article?

0 Comment(s)

Comment Policy * Denotes required field 1500 / 1500