Action has been taken against two cyber espionage operations in South Africa, according to Meta. Action has been taken against Bitter APT and APT36.
The announcement was made by the company last Thursday in its Quarterly Adversarial Threat Report, Second Quarter 2022.
In the report, Meta’s Global Threat Intelligence Lead, Ben Ninmo, and Director of Threat Disruption, David Agranovich, provided insight into the risks Meta saw worldwide and across multiple policy violations.
The report stated: “We took action against a group of hackers — known in the security industry as Bitter APT — that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom.”
Regarding the operation, Meta said that while the group was relatively low in sophistication and operational security it was well resourced and persistent.
“Bitter used various malicious tactics to target people online with social engineering and infect their devices with malware.”
The group would have used malicious domains, compromised websites, link-shortening services, and third-party hosting providers to distribute their malware.
In terms of tactics, techniques, and procedures (TTPs), Bitter would have likely used a mix of an iOS application, social engineering, an Android malware Meta called Dracarys, and adversarial adaption.
The company said that its investigation connected activity related to APT36 with state-linked actors in Pakistan.
“[The group] targeted people in Afghanistan, India, Pakistan, UAE and Saudi Arabia, including military personnel, government officials, employees of human rights and other non-profit organizations and students.”
Meta said that APT36’s TTP were relatively low in sophistication.
“This threat actor is a good example of a global trend we’ve seen where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.”
“As such, APT36 is known for using a range of different malware families, and we found that in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.”
According to Meta, these low-cost tools require less technical knowledge to deploy, however they yield good results for attackers.
“It democratizes access to hacking and surveillance capabilities as the barrier to entry becomes lower. It also allows these groups to hide in the ‘noise’ and gain plausible deniability when being scrutinized by security researchers.”