Facebook Cracks Down on Spyware Vendors from U.S., China, Russia, Israel, and India

Meta Platforms disclosed that it has taken down no fewer than 200
covert influence operations since 2017, spanning roughly 70
countries across 42 languages.

The social media conglomerate also took steps to disable
accounts and block infrastructure operated by spyware vendors,
including in China, Russia, Israel, the U.S. and India, that
targeted individuals in about 200 countries.

“The global surveillance-for-hire industry continues to grow and
indiscriminately target people – including journalists, activists,
litigants, and political opposition – to collect intelligence,
manipulate and compromise their devices and accounts across the
internet,” the company noted[1]
in a report published last week.

The networks that were found to engage in coordinated
inauthentic behavior (CIB[2]) originated from 68
countries. More than 100 nations are said to have been targeted by
at least one such network, either foreign or domestic.

With 34 operations, the U.S. emerged as the most frequently
targeted nation during the five-year period, followed by Ukraine
(20) and the U.K. (16).

The top three geographic sources of CIB networks during the same
timeframe were Russia (34), Iran (29), and Mexico (13). On top of
that, an Iranian network disrupted by Meta in April 2020 focused on
18 countries at a time, indicating the scope of foreign
interference in these campaigns.

“Notably, both our first takedown and our 200th takedown were of
CIB networks originating from Russia,” Meta’s Ben Nimmo and David
Agranovich said. “The latter takedown targeted Ukraine and other
countries in Europe.”

The activity, the details of which the company first disclosed[3]
in September 2022, has since been attributed to two
companies, Structura National Technologies and Social Design Agency
(Агентство Социального Проектирования), located in Russia.

That said, CIB networks run across the world have often been
found targeting people in their own country, and they have a
cross-platform presence that goes beyond Facebook and Instagram to
encompass Twitter, Telegram, TikTok, Blogspot, YouTube,
Odnoklassniki, VKontakte, Change[.]org, Avaaz, and LiveJournal.

Meta further highlighted a “rapid rise” in the use of profile
pictures created through artificial intelligence techniques like
generative adversarial networks (GAN[4]) since 2019 in a bid to
pass off rogue accounts as more authentic and evade detection.

Tackling Platform Abuse by Spyware Entities

In a related report on surveillance-for-hire operations, the
Menlo Park-based company said it removed a network of 130 accounts
created by an Israeli company named Candiru[5]
that used these fake accounts to test phishing capabilities by
sending malicious links designed to deploy malware.

A second set of 250 accounts on Facebook and Instagram linked to
another Israeli company called QuaDream[6]
was found “engaged in a similar testing activity between their own
fake accounts, targeting Android and iOS devices in what we assess
to be an attempt to test capabilities to exfiltrate various types
of data including messages, images, video and audio files, and
geolocation.”

Both Candiru and QuaDream were founded by former employees of
NSO Group[7], a controversial cyber
intelligence firm that has come under fire for selling its invasive
technology, Pegasus, to governments with poor human rights
records.

What’s more, Meta said it removed more than 5,000 accounts
belonging to companies such as Social Links, Cyber Globes,
Avalanche, and an unattributed entity in China that used the
fraudulent accounts to scrape publicly available
information[8] and market “web
intelligence services.”

Nearly 3,700 of those Facebook and Instagram accounts were
linked to Social Links, with the China-based network of 900
accounts targeting military personnel, activists, government
employees, politicians, and journalists in Myanmar, India, Taiwan,
the U.S., and China.

Besides relying on fake accounts, spyware vendors have also been
caught relying on other legitimate tools to conceal their origin
and conduct malicious activities. One such example is the Indian
hack-for-hire firm CyberRoot[9], which utilized a
marketing solution known as Branch to create, manage, and track
phishing links.

CyberRoot[10] has also been estimated
to operate over 40 fictitious accounts that impersonated
journalists, business executives, and media personalities to gain
the trust of targets and send phishing links spoofing services like
Gmail, Zoom, Facebook, Dropbox, Yahoo, OneDrive, and Outlook to
steal their credentials.

Law firms, cosmetic surgery clinics, real estate companies,
investment and private equity firms, pharmaceuticals, media houses,
activist groups, and gambling entities are believed to have been
targeted by the mercenary actor.

CyberRoot is the second Indian surveillance-for-hire firm to
come under the radar after BellTroX[11], whose accounts were
flagged and disbanded by the company in 2021. Coincidentally, CyberRoot is
also said to have been assisted[12] by BellTroX in the
past.

“These companies are part of a sprawling industry that provides
intrusive software tools and surveillance services indiscriminately
to any customer — regardless of who they target or the human rights
abuses they might enable,” Meta said.

“In a sense, this industry ‘democratizes’ these threats, making
them available to government and non-government groups that
otherwise wouldn’t have these capabilities to cause harm.”

References

  1. noted (about.fb.com)
  2. CIB (about.fb.com)
  3. first disclosed (thehackernews.com)
  4. GAN (en.wikipedia.org)
  5. Candiru (thehackernews.com)
  6. QuaDream (thehackernews.com)
  7. NSO Group (thehackernews.com)
  8. scrape publicly available information (thehackernews.com)
  9. CyberRoot (www.reuters.com)
  10. CyberRoot (www.reuters.com)
  11. BellTroX (thehackernews.com)
  12. assisted (www.reuters.com)