During the Taliban’s takeover of the country, hackers from Pakistan used Facebook to target persons in Afghanistan with ties to the former government, according to the company’s threat investigators in an interview with Reuters.
According to Facebook, the group, known in the security industry as SideCopy, posted links to websites hosting spyware capable of surveilling victims' devices. The targets included people associated with the government, military, and law enforcement in Kabul, according to the report. Facebook said it removed SideCopy from its platform in August.
According to Meta, as the social network company was recently renamed, the group created fictitious personas of young women as “romantic lures” to build trust and trick targets into clicking phishing links or downloading malicious chat apps. It also compromised legitimate websites in order to trick individuals into handing over their Facebook credentials.
“It’s always tough for us to speculate as to the eventual purpose of the threat actor,” said Mike Dvilyanski, Facebook’s head of cyber espionage investigations. “We don’t know who was compromised or what happened as a result.”
Major online platforms and email providers including Facebook, Twitter Inc, Alphabet Inc’s Google and Microsoft Corp’s LinkedIn have said they took steps to lock down Afghan users’ accounts during the Taliban’s swift takeover of the country this past summer.
Facebook said it had not previously disclosed the hacking campaign, which it said ramped up between April and August, due to safety concerns about its employees in the country and the need for more work to investigate the network. It said it shared information with the U.S. State Department at the time it took down the operation, which it said had appeared “well-resourced and persistent.”
Investigators also said Facebook had last month disabled the accounts of two hacking groups which it linked to Syria’s Air Force Intelligence.
Facebook said one group, known as the Syrian Electronic Army, targeted human rights activists, journalists and others opposing the ruling regime, while the other, known as APT-C-37, targeted people linked to the Free Syrian Army and former military personnel who had joined opposition forces.
Facebook’s head of global threat disruption, David Agranovich, said the Syria and Afghanistan cases showed cyber espionage groups leveraging periods of uncertainty during conflicts when people might be more susceptible to manipulation.
The company said a third hacking network in Syria, which it linked to the Syrian government and removed in October, targeted minority groups, activists and members of the People’s Protection Units (YPG) and Syria Civil Defense, or White Helmets.
It said this group used Facebook for social engineering and sharing malicious links to attacker-controlled sites mimicking apps and updates around the United Nations, White Helmets, YPG, Facebook-owned WhatsApp and Alphabet’s YouTube.
A Facebook spokeswoman said the company had notified about 2,000 users affected by the campaigns in Afghanistan and Syria, the majority in Afghanistan.