The group based in Bangladesh targeted local activists, journalists and religious minorities, including some living abroad, compromising their accounts in efforts to have them disabled by Facebook for violating its community standards.

Facebook’s investigation linked the activity to two nonprofits organizations in the country: the Crime Research and Analysis Foundation and Don’s Team (also known as Defense of Nation).

Head of security policy Nathaniel Gleicher and cyber threat intelligence manager Mike Dvilyanski explained in a Newsroom post, “Don’s Team and CRAF collaborated to report people on Facebook for fictitious violations of our community standards, including alleged impersonation, intellectual property infringements, nudity and terrorism. They also hacked people’s accounts and pages and used some of these compromised accounts for their own operational purposes, including to amplify their content. On at least one occasion, after a page administrator’s account was compromised, they removed the remaining admins to take over and disable the page. Our investigation suggests that these targeted hacking attempts were likely carried out through a number of off-platform tactics, including email and device compromise and abuse of our account recovery process.”

In Vietnam, Facebook found that APT32, an advanced persistent threat actor, used malware to target Vietnamese human rights activists (locally and abroad), foreign governments (including those of Cambodia and Laos), non-governmental organizations, news agencies and businesses across information technology, hospitality, agriculture/commodities, hospitals, retail, automotive and mobile services.

The group also lured targets to download Android applications via the Google Play Store, and those apps contained a wide range of permissions, enabling broad surveillance of peoples’ devices.

Gleicher and Dvilyanski explained, “APT32 created fictitious personas across the internet posing as activists and business entities, or used romantic lures when contacting people they targeted. These efforts often involved creating backstops for these fake personas and fake organizations on other internet services so they appear more legitimate and can withstand scrutiny, including by security researchers. Some of its pages were designed to lure particular followers for later phishing and malware targeting.”