Day: June 29, 2023

Meta’s oversight board on Thursday ordered the removal of a video posted on Facebook by Cambodian Prime Minister Hun Sen in which he threatened violence against his political opponents and called for an immediate suspension of his accounts.

The ruling, reversing a previous decision, marks the first time the oversight board has instructed Meta to shut down an account run by a government leader, and suggests that the company may be shifting its stance on how it deals with content posted by users who have otherwise enjoyed impunity in what they say on its site.

Hun Sen didn’t immediately comment on the ruling, but called on his social media followers to switch to rival platforms TikTok or Telegram.

The Cambodian leader, who has ruled the country since 1985, has regularly taken to social media to deliver lengthy tirades against his opponents, warning them of consequences if they defy him. Such threats are often acted on by judicial authorities, security forces, and supporters of his ruling Cambodian People’s Party, or CPP.

On Thursday, Meta’s oversight board of independent experts said that in one such speech, live streamed to Facebook in January, Hun Sen ranted about claims that the CPP had stolen votes in prior elections, offering his accusers the choice of “legal action or a club.” 

He warned that he would send thugs to beat them up or arrest them in the middle of the night.

While he did not name the target of his ire, Hun Sen’s “stolen votes” comment was widely viewed as a reference to opposition Candlelight Party Vice President Son Chhay, who was convicted of defamation last year after saying that local commune elections in Cambodia had been marred by irregularities.

Intimidating opponents

Cambodia is preparing to hold a general election on July 23, but observers say that the ballot is likely to be neither free nor fair.

Meta initially reviewed the speech after receiving complaints that it violated Facebook’s guidelines on inciting violence, but decided to leave the content up because of its news value.

However, the company referred the content to its oversight board, saying it had created “tension between our values of safety and voice.”

On further review, the board found that the content had indeed run afoul of Facebook’s guidelines prohibiting incitement, citing “the severity of the violation, Hun Sen’s history of committing human rights violations and intimidating political opponents, as well as his strategic use of social media to amplify such threats.”

The board ordered that the video be removed, and called on Meta to suspend Hun Sen’s Facebook and Instagram accounts for six months.

While the call for the account suspension is non-binding, Meta is obligated to take down the video and issue a statement to the public on its reasons for doing so within 60 days.

‘Finally called out’

Hun Sen has yet to comment on the oversight board’s ruling, but on Thursday, he posted a message to his Facebook page calling on his 14 million followers to switch to the Chinese video platform TikTok for future updates. Hun Sen’s TikTok account, set up on Wednesday, currently has nearly 22,000 followers.

Later, the prime minister wrote on the Dubai-based Telegram messaging app that he had found Telegram “more useful than Facebook” and told his 85,000 followers on the app that he will be posting content there going forward.

“This will allow me to easily communicate with people while I am traveling to countries where Facebook is not permitted,” he said. “I will keep my Facebook account but I will suspend using it so that people can get information from me through Telegram.”

Hun Sen said his newly created TikTok account would allow him “to more easily connect with the youth.”

‘The stakes are high’

Phil Robertson, deputy Asia director for New York-based Human Rights Watch, issued a statement on Thursday dismissing Hun Sen’s reason for leaving Facebook.

“Hun Sen is finally being called out for using social media to incite violence against his opponents, and he apparently doesn’t like it one bit,” he said. 

“That’s the real story about why he’s running away from Facebook, which dared to hold him accountable to their community standards, and into the arms of Telegram, the favored social media messaging system of despots ranging from Russia to Myanmar.”

Robertson said it was high time for tech companies such as Meta to confront world leaders who violate human rights on their platforms.

“The stakes are high because plenty of real world harm is caused when an authoritarian uses social media to incite violence — as we have already seen far too many times in Cambodia,” he said.

Translated by Samean Yun. Edited by Joshua Lipes and Malcolm Foster.

Suspected North Korean hackers are impersonating journalists in emails to target experts on North Korea issues in phishing attacks, a collection of emails obtained by Radio Free Asia showed.

The 12 suspicious emails were forwarded to RFA’s Korean Service by the experts who received them. RFA was not able to confirm the identity of any of the senders of the emails, nor their connection with the North Korean government. 

However, they all exhibit signs that strongly suggest that they were phishing attempts by agents working for Pyongyang in order to gain access to intelligence or to install malware on an expert’s device.  

In March, RFA reported that Google Cloud’s cybersecurity subsidiary firm Mandiant classified a group of hackers using the same or similar methods as a “moderately-sophisticated cyber operator that supports the interests of the North Korean regime,” and named that group, which it had been monitoring since 2018, as APT43. 

In most of the cases RFA compiled, the email comes from an address on a free email platform like gmail or aol, but the sender does enough research into the journalist so as to plausibly pass themselves off as that person.

The apparent hackers attempted to pass themselves off as actual reporters for organizations like Kyodo News, Radio Free Asia, Voice of America (VOA) and others. They asked experts to answer a series of questions or attempted to entice them into clicking malicious links or downloading malicious files.

Information gathering

In one of the 12 emails, the attacker impersonated Shin Jin-woo, a reporter at South Korea’s Dong-A Ilbo newspaper. “Shin” sent a list of specific North Korea policy questions to an expert at the Washington-based Brookings Institution, but used the expert’s email address from a university. The impersonator sent the email from niceshinn@aol.com, which is similar to the real Shin’s niceshin@donga.com address. 

In addition, “Shin” offered the expert US$200 for his comments. It’s not normal practice for reporters to offer sources payment for information.

From: 신 진우 <niceshinn@aol.com>

To: [email redacted]

Sent: Fri, Mar 4, 2022 at 2:57 AM

Subject: Re: [urgent] Interview request form reporter of Dong-A Ilbo, the largest newspaper in Korea

Greetings,

I am Shin Jin-woo, a reporter working for Dong-A Ilbo, the largest newspaper in Korea.

I am the head of the foreign affairs team in the political department. Dong-A Ilbo has the most subscribers in Korea. It is also the oldest media company in Korea in 100 years.

I am sure that this interview is a good opportunity to inform Korean readers of your idea. I know that you are very busy. However, I would appreciate it if you could take a moment to answer. If you answer even some of the questions below, I expect it to be a good opportunity to convey your thoughts to the Korean people. If you do not want to be released your name, we could publish your paper anonymously. We’ll be pleased to offer an honorarium of $200 for your participation.

The questionnaire is as follows. Please reply. thank you.

Best regards.

Jin-woo

The goal of the email was to get the expert to answer specific North Korea policy questions as a means to gather intelligence on how the United States might respond to developments in the region.

The expert initially responded to “Shin,” saying he could answer a few of the questions, and asked him to communicate through his Brookings Institution email address. “Shin” replied with another email saying that he had a new list of questions that could be accessed if the expert clicked a link. 

The link contained malware that could have compromised the expert’s device, allowing “Shin” to gain access to sensitive information.  

Malicious attachment

In another example, an apparent hacker impersonated the friend of a RFA Korean Service reporter, even sending the phishing email to the reporter’s personal email address.

The imposter asked the reporter to download a .zip file containing the malware, claiming it was video of a lecture featuring North Korean escapees.

Translated from Korean:

From: [name redacted] <zak@naver.com>

Date: Tue, Jun 6, 2023, 4:17 AM

Subject: Sir~ it’s [name redacted]^^

To: <[redacted]@gmail.com>

 Sir~ How are you doing?

A friend of mine was in this lecture given by North Korean defectors

It would be great if you could take a look at the lecture agenda and give me some good opinions.

Thanks a bunch^^

 Attachment: North Korean defectors lecture.zip 

The apparent hacker impersonated a real person that the reporter knew, and sent the email from a free email address, from South Korean online service provider Naver, to the reporter’s personal Gmail address.

The email had a very casual tone, complete with the ^^ text emoticon commonly used in Korean text messages to indicate a smiling face.

Falling for it

In one of the earliest examples, RFA Korean Service reporter Han Dukin received an email from a former senior state department official, asking him if he had received the answers to a list of questions that Han had sent to him about a week earlier.

But Han had never sent any questions.

The expert had actually answered the questions asked by Han’s imposter. After no RFA report used his answers, he contacted the real Han to make sure he had received the answers. It was only then that he realized he had been tricked.

Gaining trust

The strategies used in RFA’s collection of suspicious emails is consistent with the typical method used by North Korean hackers as described by Asheer Malhotra, a threat researcher at cybersecurity firm Cisco Talos.

“Once the target starts engaging with them, … they will slowly and slowly begin conversations with you in an effort to establish trust,” said Malhotra. 

“And once you’ve spoken to somebody for a few weeks you’ve exchanged more than a few emails with them, there is an inherent trust that starts building up and they will exploit or leverage that trust to eventually send you a malware sample,” he said.

“And they’ll be like, hey, this is a report. I took your findings, and I compiled it into a document. Can you please open this up and review it for me?”

The emails contain techniques that are similar to those employed by APT43, Michael Barnhart, a senior analyst at Mandiant, told RFA. 

Barnhart said that the goal of the North Korean hackers is not to compromise an entire organization.

“They don’t want to attack RFA or a crypto exchange; they would rather go for the personal accounts because when you do the personal accounts, it [lowers] the level of suspicion,” he said. “If they come for an organization, law enforcement might get involved, whereas if they go for individual people, a lot of times they don’t report that to law enforcement.” 

Translated by Claire Shinyoung Oh Lee and Eugene Whong. Written in English by Eugene Whong and Amanda Weisbrod. Edited by Malcolm Foster.