Facebook on Tuesday said it had taken steps to disrupt a group of hackers based in Pakistan that had been using the platform to target former members of the Afghan government and others based in Afghanistan amid the government collapse earlier this year.
In a blog post, Facebook officials noted that the company had disabled accounts and blocked domains linked to a Pakistani hacking group known as “SideCopy” that was found to have been targeting Afghan individuals, particularly those linked to the former government and to military and law enforcement in Kabul. The attackers posed as fake young women online in an attempt to trick targets into clicking on malicious links or downloads.
Facebook, which recently rebranded as Meta, blocked the group in August amid the emergency American pullout from Afghanistan as the Taliban advanced on Kabul, with Facebook also rolling out security measures at the time to help protect the accounts of Afghan users.
Mike Dvilyanski, the head of Cyber Espionage Investigations at Facebook and David Agranovich, Facebook’s director of Threat Disruption, wrote in the blog post that the effort had “the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it.”
“Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers, and alert those who we believe were targeted,” Dvilyanski and Agranovich wrote.
Additionally, Facebook on Tuesday also announced it had blocked three hacking groups linked to the Syrian government and specifically Syria’s Air Force Intelligence. The groups were found to be targeting human rights activists, journalists, and others who opposed the Syrian government, along with those who had joined opposition military forces and minority groups.
The Syrian-based groups used tactics including phishing to try to steal Facebook logins, social engineering tactics posing as legitimate websites, and malware to steal sensitive data.
“Our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products,” Dvilyanski and Agranovich wrote.
Facebook has previously taken steps to disrupt networks of accounts tied to Iranian hackers targeting U.S. military personnel, along with earlier this year removing over 1,100 accounts tied to spreading deceptive content around the world.