As platforms get more sophisticated in identifying cybercriminals and other malicious actors, perpetrators are getting savvier at avoiding detection.
In Meta’s quarterly report on adversarial threats, released on Thursday, the company highlighted several cyber espionage networks and troll farms it detected and took down. It also revealed new tactics these groups were using to spread malware and misinformation and to sow discord.
The findings include:
Cyber espionage teams and troll farms targeted people in 15 countries in Q2 2022.
Groups with malicious intent online were found across the globe, including teams connected with state-linked actors in Pakistan, a large group based in Indonesia, and coordinated networks in Greece, India, and South Africa. Meta also found a PR firm based in Israel focused on spreading misinformation, as well as troll farms in Malaysia and Russia.
Southeast Asia-based group Bitter APT was using Apple's developer software to get people to download malware.
Bitter used fake accounts posing as attractive young women, journalists, and activists to get people to download fraudulent apps, which would infect devices with malware.
One of the fake apps was a chat app for iOS. However, the download link came from the legitimate Apple TestFlight service, a program made so developers could beta test apps. Bitter also used a new custom Android malware family called Dracarys that took advantage of a feature in the Android operating system which is meant to help users with disabilities by granting permissions to apps without the person having to physically click.
Apple did not respond to a request for comment.
Israeli PR group Mind Force targeted the Gaza region of Palestine, Angola, and Nigeria with fake accounts and links to misinformation.
Meta determined Israeli PR firm Mind Force was behind websites of fake NGOs, media outlets, and other groups that provided seemingly real links, as well as fake social accounts used to manage pages and comment about certain topics.
Posts revolved around news and current events, including positive opinions about the Angolan government, support for a particular Nigerian candidate, and criticism of Hamas. Fraudulent accounts posted about the topics, managed groups, and propagated links across Meta’s platforms. Pictures were copied from across the Web or created using artificial intelligence.
In total, the group was operating 259 Facebook accounts, 42 pages, nine Facebook Groups, and 107 Instagram accounts. About 224,000 accounts followed at least one of these Facebook pages, and 208,000 accounts followed one or more of these Instagram accounts.
Mind Force is now banned from the platforms.
Russian group Cyber Front Z was hiring people off the street to work in a troll farm office to post pro-Russia propaganda.
Cyber Front Z was a St. Petersburg, Russia-based troll farm that recruited people off the street and through online job listings to work in its office dedicated to spreading Russian propaganda. Though the team was relatively small and unsuccessful, it offered insight into how troll farms work.
Cyber Front Z ran 45 Facebook accounts and 1,037 Instagram accounts and had presences on other platforms like Telegram, Twitter, LinkedIn, TikTok, YouTube, and more. Each platform had around two dozen staffers working seven days a week using fake accounts to comment with pro-Russian sentiment about the Ukrainian conflict. Politicians, journalists, actors, celebrities, and commercial brands that had made statements supporting Ukraine were targeted. News about the group was first published by the Russian media outlet Fontanka.
In the case of Instagram, half of the Cyber Front Z accounts were detected as fraudulent and shut down shortly after creation. Meta also conducted a manual investigation of the group’s posts and found some Cyber Front Z employees were posting pro-Ukrainian comments, suggesting there was a counter-movement within the "Z team."
Though none of the specific comments violated content policies — and in fact, employees were instructed to not be offensive to avoid detection — the group was removed for its coordinated actions.