Home ›› 11 Dec 2020 ›› Front
Facebook has taken action against two separate groups of hackers -- an unnamed group based in Bangladesh and APT32 in Vietnam, the social media giant said in an announcement on the company's website.
The authorities removed the hackers’ ability to use their infrastructure to abuse the platform, distribute malware and hack people’s accounts across the internet, according to the announcement.
Facebook Head of Security Policy Nathaniel Gleicher and Cyber Threat Intelligence Manager Mike Dvilyanski notified about the decision on Thursday.
In the announcement, the wrote: "Today, we’re sharing actions we took against two separate groups of hackers — APT32 in Vietnam and a group based in Bangladesh — removing their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet.
Facebook’s threat intelligence analysts and security experts work to find and stop a wide range of threats including malware campaigns, influence operations and hacking of our platform or individual Facebook accounts by nation-state adversaries, hackers and others. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.
Today we’re sharing our latest research and enforcement actions against attempts to compromise people’s accounts and gain access to their information, commonly referred to as cyber espionage. These two unconnected groups targeted people on our platform and elsewhere on the internet using very different tactics. The operation from Vietnam focused primarily on spreading malware to its targets, whereas the operation from Bangladesh focused on compromising accounts across platforms and coordinating reporting to get targeted accounts and Pages removed from Facebook.
The people behind these operations are persistent adversaries, and we expect them to evolve their tactics. However, our detection systems and threat investigators, as well as other teams in the security community, keep improving to make it harder for them to remain undetected. We will continue to share our findings whenever possible so people are aware of the threats we are seeing and can take steps to strengthen the security of their accounts."
The detailed announcement provided information Facebook's team found about these hackers.
Bangladesh
The Bangladesh-based group targeted local activists, journalists and religious minorities, including those living abroad, to compromise their accounts and have some of them disabled by Facebook for violating our Community Standards. Our investigation linked this activity to two non-profit organizations in Bangladesh: Don’s Team (also known as Defense of Nation) and the Crime Research and Analysis Foundation (CRAF). They appeared to be operating across a number of internet services.
Don’s Team and CRAF collaborated to report people on Facebook for fictitious violations of our Community Standards, including alleged impersonation, intellectual property infringements, nudity and terrorism. They also hacked people’s accounts and Pages, and used some of these compromised accounts for their own operational purposes, including to amplify their content. On at least one occasion, after a Page admin’s account was compromised, they removed the remaining admins to take over and disable the Page. Our investigation suggests that these targeted hacking attempts were likely carried out through a number of off-platform tactics including email and device compromise and abuse of our account recovery process.
To disrupt this activity, we removed the accounts and Pages behind this operation. We shared information about this group with our industry partners so they too can detect and stop this activity. We encourage people to remain vigilant and take steps to protect their accounts, avoid clicking on suspicious links and downloading software from untrusted sources that can compromise their devices and information stored on them.
Vietnam
APT32, an advanced persistent threat actor based in Vietnam, targeted Vietnamese human rights activists locally and abroad, various foreign governments including those in Laos and Cambodia, non-governmental organizations, news agencies and a number of businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services with malware. Our investigation linked this activity to CyberOne Group, an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso).
As our industry partners have previously reported, APT32 has deployed a wide range of adversarial tactics across the internet. We have been tracking and taking action against this group for several years. Our most recent investigation analyzed a number of notable tactics, techniques and procedures (TTPs) including:
"The latest activity we investigated and disrupted has the hallmarks of a well-resourced and persistent operation focusing on many targets at once while obfuscating their origin. We shared our findings including YARA rules and malware signatures with our industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked associated domains from being posted on our platform, removed the group’s accounts and notified people who we believe were targeted by APT32," it added.