Unearthing Meta’s Quarterly Adversarial Threat Report (Q2 2022)

Summary 

• The report offers a comprehensive view of Meta’s risks across multiple policy violations like Coordinated Inauthentic Behavior (CIB), inauthentic behavior, cyber espionage, and other emerging threats, like mass reporting.

• The report discusses various actions Meta’s security team took against two ongoing cyber espionage operations in South Asia.

• As part of its campaign against new and emerging threats, the report discusses how Meta removed a mass reporting network in Indonesia, a brigading network in India, and coordinated violating networks (CVNs) in Greece, India, and South Africa.

• Under its Inauthentic Behavior policy targeting artificially inflating distribution, the report says Meta took down numerous accounts, Pages, and Groups worldwide.

• The report also discusses how Meta removed three networks engaged in CIB operations in Israel, Malaysia, and Russia.

Introduction

All of us are active Social Media users, which is exerting a greater influence on our lives in today’s technological age. But as the number of active users increases, so does the sophistication of threat actors, who continue to devise newer ways to compromise accounts, steal credentials, dictate their agenda, etc. For example, there are groups of people trying to flood comment streams and attack the post owner and other users to push forward their agenda and intimidate users with dissenting views. The evolving threat landscape compels social media giants like Meta to define robust security policies and take proactive steps to protect their communities. The Quarterly Adversarial Threat Report Q2 dives deeper into Meta’s actions against malicious activities.

Cyber Espionage Networks

Cyber espionage actors target internet users to collect intelligence, manipulate them to reveal sensitive information and compromise their accounts and devices. Some of them deploy advanced malware that incorporates exploits, while others use basic low-cost tools that require lesser technical expertise to deploy. Thus Meta believes, as per the report, it democratizes access to surveillance and hacking capabilities since the barrier to threat actors’ entry becomes lower. Furthermore, it allows the threat groups to gain plausible deniability and hide in the “noise” when security researchers scrutinize them.

Steps Meta Took:

Meta took down accounts, notified users targeted by malicious groups, and blocked the groups’ domain infrastructure from getting shared on Meta’s services. Furthermore, they shared findings with security researchers and industry peers to help them stay vigilant about the activity. 

Bitter APT (Advanced Persistent Threat) Group

Meta took action against a hacker group called Bitter APT, which operated from South Asia and targeted users in New Zealand, the United Kingdom, India, and Pakistan. While the group’s activity was low in operational security and sophistication, it was well-resourced and persistent. Bitter deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used a mix of malicious domains, link-shortening services, third-party hosting providers, and compromised websites to distribute their malware. Security researchers at Meta discovered that their platform was used as an element of a wider cross-platform cyber espionage campaign. They found the following noteworthy TTPs (tactics, techniques, and procedures) used by the threat actors:

1. Social engineering: Bitter threat actors created fictitious personas and posed as young women, activists, or journalists across the internet. They tried to build trust with users to trick them into visiting malicious links or downloading malware.

1. iOS application: Meta’s recent investigation discovered Bitter deploying an iOS chat application for users, who could download it through Apple’s Testflight service for developers, ensuring that it will help beta-test their new applications.

1. Android malware: The researchers discovered Bitter using a custom Android malware family they named Dracarys. It used accessibility services, the Android operating system feature, to assist users with disabilities, allowing them to automatically click and grant the application certain permissions.

1. Adversarial adaptation: This Bitter group aggressively responded to Meta’s detection and blocking of its domain infrastructure and activity.

APT36

Meta discovered another threat group whose activity was low in sophistication, but it persistently targeted many services over the internet – from social media and email providers to file-hosting services. APT36 deployed various malicious tactics to target users with social engineering and injected malware into their devices. They used malicious and camouflaged links and fake Android and Windows-run apps to distribute their malware. Meta’s security team took action against the APT36 threat actors active in Afghanistan, Pakistan, UAE, India, and Saudi Arabia. They targeted government officials, military personnel, students, and employees of non-profit and human rights organizations. Furthermore, the report suggests that Meta’s investigation linked the activity to state-linked actors in Pakistan. They discovered the following noteworthy TTPs used by the threat actors:

1. Social engineering: APT36 threat actors created fictitious personas and posed as recruiters for fake and legitimate organizations, military personnel, or women looking for romantic connections. 

2. Real and spoofed websites: The report suggests that the APT36 threat actors used various tactics, including using custom infrastructure to inject their malware. Some domains masqueraded as generic app stores or photo-sharing websites, while others were spoofed domains of applications like Microsoft’s OneDrive, Google Play Store, and Google Drive.

3. Camouflaged links: The group utilized link-shortening services and disguised malicious URLs. Furthermore, they used preview sites and social cards (the online marketing tools to customize the displayed image when a particular URL gets shared on social media) to mask the ownership and redirection of domains APT36 controlled.

4. Android malware: APT36 did not directly share malware on Meta platforms but used the above tactics to share links to spoofed websites.

The “Emerging Harms” Networks

The report states that Meta’s threat disruption began by tackling inauthentic operations where users hide who’s behind them and advanced to authentic actors engaging in harmful and adversarial behaviors on its platform. This section of Meta’s report discusses how it is taking proactive steps to stay ahead in this adversarial space. 

Steps Meta Took:

Meta deployed control levers to enforce against networks having broadly varying aims and behaviors like:

1. Groups that coordinated women’s harassment

2. Decentralized movements that collaborate a call for violence against government officials and medical professionals

3. An anti-immigrant group inciting harassment and hate

4. An activity cluster focused primarily on spreading misinformation

Mass Reporting

Under its Inauthentic Behavior policies, Meta removes activity when it finds adversarial networks coordinating an abuse against its reporting systems to get content or accounts incorrectly taken down from the platform. Threat actors do it intentionally to silence others. In Q2 of 2022, the report states that Meta removed a network of 2,800 accounts, Pages, and Groups in Indonesia. They coordinated to report users for violations like impersonation, terrorism, hate speech, and bullying to get them wrongfully removed from Facebook. Meta researchers found that the reports mainly focused on Indonesian users, particularly the Wahhabi Muslim community. Factors considered while investigating Mass Reporting:

1. Coordination Signals

2. High Report volume

3. Misleading and abusive nature of reports.

Brigading

Under its Bullying and Harassment policies, Meta removes activity when it discovers adversarial networks engaging in repetitive behavior, for mass-commenting on their target’s posts or sending them direct messages. The report suggests that the behavior intends to harass, overwhelm or silence the target. 

In Q2 of 2022, Meta took down a brigading network of 300 Facebook and Instagram accounts in India that collaborated to mass-harass people, including actors, activists, comedians, and other influencers. The network actively posted across the internet, including Instagram, Facebook, Twitter, YouTube, and Telegram. Factors considered while investigating Brigading:

1. Repetitive targeting to silence or harass people, with unsolicited comments or messages

2. Coordination Signals

3. A high volume of activity

4. Efforts to evade enforcement

Coordinated Violating Networks

Meta’s Account Integrity policies remove coordinated violating networks (CVNs) when it finds people (with authentic or fake accounts) coordinating to violate or evade its Community Standards. Hence, Meta removed two clusters of Pages and accounts on Facebook and Instagram in Greece that collaborated to repeatedly violate its policies against hate speech, misinformation, and incitement to overthrow the government violently. Factors considered while investigating Coordinated Violating Networks.

1. Coordination signals showed an organized group directly working under centralized directions.

2. Systematic violation of Meta’s community standards.

3. Efforts to evade enforcement

Inauthentic Behavior

Meta defines Inauthentic behavior (IB) in its Community Standards as something that misleads the platform and the users about the popularity of the content, the people’s identity behind it, or the purpose of a community (i.e., Events, Groups, Pages). The report suggests that the behavior is centered around increasing and amplifying content distribution and is mostly (not exclusively) financially motivated. IB operators mainly focus on the quantity and not the quality of engagement. For example, they use many low-sophistication fake accounts for mass-posting or liking their content — commercial, social or political. 

Steps Meta Took:

In focus: Philippines

1. Manual investigations and disruptions:

Ahead of the Philippines election, Meta’s investigative teams took down over 10,000 accounts for violating its IB policy. The accounts used IB tactics to increase the distribution of content like election-related posts, including others using politics as a spam lure when people showed interest in following these topics. The report states that Meta used threat intelligence and continued working on identifying repetitive behavior patterns showing characteristics of IB clusters in the region.

2. Automated detection at scale:

Working on the actionable insights, Meta automated the detection of IB patterns and complemented the manual investigations. Consequently, the security teams consulted experts to identify numerous IB clusters in the Philippines and enforced quick action against 15,000 accounts. Meta researchers concluded that most IB clusters were not more than six months old when they got disabled. 

3. Automated enforcement:

Complimenting automated detection and manual disruptions, Meta focused on automating enforcement against these IB patterns, relying on its rigorous election preparation in the Philippines. Hence, the security teams could tackle specific repetitive and high-confidence inauthentic behavior (IB) in the Philippines and worldwide.

Coordinated Inauthentic Behavior (CIB)

Meta views CIB as a coordinated effort to manipulate the public discourse for a strategic goal, having fake accounts at the center of the operation. The report says that in these cases, people coordinate and use fake accounts to mislead others about what they do and who they are. 

Steps Meta Took:

Meta’s security team investigated and removed the CIB operations by focusing on behavior rather than content. According to the report,  it did not matter who was behind them, what they posted, or whether they were foreign or domestic. 

Malaysia

Meta removed 596 Facebook accounts, 72 Instagram accounts, 180 Pages, and 11 Groups for violating their policy on coordinated inauthentic behavior. The network originated in Malaysia, targeting its domestic audiences.

Israel

Meta removed 259 Facebook accounts, 107 Instagram accounts, 42 Pages, and 9 Groups for violating its policy on coordinated inauthentic behavior. The network originated in Israel, targeting Nigeria, Angola, and the Gaza region in Palestine.

Russia

The report has a detailed sub-section on how the security researchers investigated the CIB in Russia. Meta took down an Instagram account network operated by a troll farm in Russia’s St. Petersburg that targeted global public discourse regarding the Ukraine war. The report underlines that the campaign was a poorly executed attempt and that threat actors publicly coordinated through a Telegram channel. They wanted to create a grassroots online support perception for Russia’s invasion and used fake accounts to upload pro-Russia comments on influencers and media content. The researchers linked the activity to a self-proclaimed entity, “Cyber Front Z,” and individuals associated with the Internet Research Agency (IRA). Meta has banned Cyber Front Z from its platforms. 

Conclusion

The Meta Quarterly Adversarial Threat Report Q2 offers insight into the risks Meta sees globally and across multiple policy violations. It covers Meta’s expanded threat reporting areas like cyber espionage, inauthentic amplification, mass reporting, brigading, and other malicious behaviors. Furthermore, It alerts people who Meta believes were targeted by these campaigns. Thus, it is a reliable guide for tech companies, governments, law enforcement, and security researchers in helping them understand the social media threat landscape and preventive measures that can be taken to limit the damage caused by malicious actors.

Reference

Ben Nimmo, David Agranovich, Margarita Franklin, Mike Dvilyanski, Nathaniel Gleicher. (2022, September 8). Quarterly Adversarial Threat Report. About.fb.com. Retrieved September 8, 2022, from  

https://about.fb.com/wp-content/uploads/2022/08/Quarterly-Adversarial-Threat-Report-Q2-2022.pdf

Photo by Dima Solomin on Unsplash

#meta #facebook #adversary #CIB #threats #security #espionage