Cyber-espionage campaigns targeting military personnel in South Asia, Meta warns
State-linked hackers in Pakistan have been spying on military personnel in India and the Pakistan Air Force using fake apps and websites to compromise their personal devices, Meta announced on Wednesday.
The espionage campaign is one of three operations in South Asia described in Meta’s quarterly adversarial threat report, alongside activities by the Bahamut and Patchwork advanced persistent threat (APT) groups, all of which appear to have an intelligence-gathering focus. The company did not give the Pakistan-based group a name.
The three operations “relied heavily on social engineering” and saw hacker groups create fake accounts with “elaborate fictitious personas with backstops across the internet so they can withstand scrutiny by their targets, platforms and researchers.”
Meta said while the Pakistan-based group used traditional lures to trick victims — for instance posing as women seeking romantic connections — some of the accounts were pretending to be recruiters, journalists or military personnel.
The company assesses that the focus on socially engineering targets into clicking on malicious links or sharing sensitive information with a fake persona is allowing the Pakistan-based hacking group to avoid investing in developing sophisticated malware.
The researchers found that “cheaper, low-sophistication malware can be highly effective in targeting people when used together with social engineering.”
Some of the custom desktop apps that the hackers had developed were not themselves malicious, but were used to subsequently send malware directly to targets.
The hacking group, which is known in the industry for its use of the GravityRAT spyware — as detailed by Cisco and Kaspersky — has been operational since 2015, said Meta.
Bahamut and Patchwork
Another hacking group known as Bahamut APT was identified targeting people in Pakistan and India, including the Kashmir region, with a particular interest in military personnel, government employees and activists.
It “maintained a range of fictitious personas in an attempt to socially engineer people throughout South Asia into providing information or compromising their mobile devices,” according to Meta, which said it took action against 110 accounts on Facebook and Instagram linked to the hacking group.
It is not known who is behind the Bahamut operation.
The Patchwork APT campaign was similarly targeting military personnel, activists and minority groups across Pakistan, India, Bangladesh, Sri Lanka, the Tibet region and China.
Patchwork is described as an Indian threat actor, although the group’s activities have not been attributed to the Indian government. The antivirus company Malwarebytes was able to shed light on the group’s activities after the hackers apparently infected their own development machine with the group’s remote access trojan.
Meta said it took action against around 50 accounts on its platforms that posed as journalists in the United Kingdom or United Arab Emirates working for both legitimate and fake media outlets, alongside posing as military personnel and defense intelligence consultants.
Like the other groups, Patchwork had successfully uploaded apps to the Google Play Store, although unlike the Pakistan-based group its apps contained basic malicious functionality — which relied on the app permissions granted by the end user.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.