Meta Platforms disclosed that it took down no less than 200 covert influence operations since 2017 spanning roughly 70 countries across 42 languages.
The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries.
“The global surveillance-for-hire industry continues to grow and indiscriminately target people – including journalists, activists, litigants, and political opposition – to collect intelligence, manipulate and compromise their devices and accounts across the internet,” the company noted in a report published last week.
The networks that were found to engage in coordinated inauthentic behavior (CIB) originated from 68 countries. More than 100 nations are said to have been targeted by at least one such network, either foreign or domestic.
With 34 operations, the U.S. emerged as the most frequently targeted nation during the five-year period, followed by Ukraine (20) and the U.K. (16).
The top three geographic sources of CIB networks during the same timeframe were Russia (34), Iran (29), and Mexico (13). On top of that, an Iranian network disrupted by Meta in April 2020 focused on 18 countries at a time, indicating the scope of foreign interference in these campaigns.
“Notably, both our first takedown and our 200th takedown were of CIB networks originating from Russia,” Meta’s Ben Nimmo and David Agranovich said. “The latter takedown targeted Ukraine and other countries in Europe.”
The activity, the details of which the company first disclosed in September 2022, has since been attributed as the work of two companies, Structura National Technologies and Social Design Agency (Агентство Социального Проектирования), located in the country.
That said, CIB networks run across the world have often been found targeting people in their own country, not to mention have a cross-platform presence that go beyond Facebook and Instagram to encompass Twitter, Telegram, TikTok, Blogspot, YouTube, Odnoklassniki, VKontakte, Change[.]org, Avaaz, and LiveJournal.
Meta further highlighted a “rapid rise” in the use of profile pictures created through artificial intelligence techniques like generative adversarial networks (GAN) since 2019 in a bid to pass off rogue accounts as more authentic and evade detection.
Tackling Platform Abuse by Spyware Entities
In a related report on surveillance-for-hire operations, the Menlo Park-based company said it removed a network of 130 accounts created by an Israeli company named Candiru that used these fake accounts to test phishing capabilities by sending malicious links designed to deploy malware.
A second set of 250 accounts on Facebook and Instagram linked to another Israeli company called QuaDream was found “engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation.”
Both Candiru and QuaDream are founded by former employees of NSO Group, a controversial cyber intelligence firm that has come under fire for selling its invasive technology, Pegasus, to governments with poor human rights records.
What’s more, Meta said it removed more than 5,000 accounts belonging to companies such as Social Links, Cyber Globes, Avalanche, and an unattributed entity in China that used the fraudulent accounts to scrape publicly available information and market “web intelligence services.”
Nearly 3,700 of those Facebook and Instagram accounts were linked to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.
Besides relying on fake accounts, spyware vendors have also been caught relying on other legitimate tools to conceal their origin and conduct malicious activities. One such example is the Indian hack-for-hire firm CyberRoot, which utilized a marketing solution known as Branch to create, manage, and track phishing links.
Nearly 3,700 of those Facebook and Instagram accounts were attributed to Social Links, with the China-based network of 900 accounts targeting military personnel, activists, government employees, politicians, and journalists in Myanmar, India, Taiwan, the U.S., and China.
CyberRoot has also been estimated to operate over 40 fictitious accounts that impersonated journalists, business executives, and media personalities to gain the trust of targets and send phishing links spoofing services like Gmail, Zoom, Facebook, Dropbox, Yahoo, OneDrive, and Outlook to steal their credentials.
Law firms, cosmetic surgery clinics, real estate companies, investment and private equity firms, pharmaceuticals, media houses, activist groups, and gambling entities are believed to have been targeted by the mercenary actor.
CyberRoot is the second Indian surveillance-for-hire firm to come under the radar after BellTroX, whose accounts were flagged and disbanded by the company in 2021. Coincidentally, it’s also said to have been assisted by BellTroX in the past.
“These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable,” Meta said.
“In a sense, this industry ‘democratizes’ these threats, making them available to government and non-government groups that otherwise wouldn’t have these capabilities to cause harm.”