We hack Facebook: State-sponsored cybercrime in Bangladesh

Directorate General of Forces Intelligence accused of hacking and cyber crimes; “our boys and girls [hack Facebook]”, boasts the Bangladeshi telecom and ICT minister.


Bangladesh’s military intelligence agency, the Directorate General of Forces Intelligence (DGFI), has established a sophisticated operation which secretly hacks the Facebook pages and profiles of opposition groups, political dissidents, student activists and journalists in apparent contravention of the country’s cybersecurity law.

Whistleblowers, who work as civilian contractors for the DGFI, provided Netra News with testimony and documentary evidence on how two special units within the agency — the Signal Intelligence Bureau (SIB) and the Public Relations Monitoring Cell (PRMC) — are engaged in hacking and other cybercrimes. Both these units rely on civilian contractors for “offensive cyber action” and are overseen by ranking military officers.

“We hack Facebook and [engage in other cybercrimes]. [DGFI handlers] set the target, we take action,” one of the whistleblowers told a Netra News editor. “Tough jobs are assigned to a team with access to sophisticated technology.”

The whistleblowers’ claims are backed by recent comments from the Bangladeshi telecom and ICT minister himself, who boasted during a live interview with a TV reporter that hackers working for the government are monitoring and hacking political dissidents’ Facebook profiles.

“This girl will be in trouble”

The DGFI’s involvement in hacking and other cyber crimes has long been suspected, but detailed evidence of this activity came to Netra News recently when the student organisation Swatantra Jote invited Tasneem Khalil, the editor-in-chief of Netra News, to join its leader Auroni Semonti Khan in a discussion focusing on the Covid-19 epidemic and censorship in Bangladesh.

The discussion was slated to be broadcast live from the organisation’s official Facebook page on May 13th. A few hours before the Facebook Live, Khalil was alerted by an insider about a plan by the military intelligence agency’s Public Relations Monitoring Cell (PRMC) to disrupt the discussion.

“This girl will be in trouble,” the insider wrote to Khalil, and attached a screenshot of a Facebook post in which Semonti Khan was publicising her planned discussion with the journalist. The insider also told the editor-in-chief of Netra News that the DGFI considers him a “persona non grata” and anyone in Bangladesh who wants to host a Facebook Live with him will be subjected to coercive measures (major steps taken by the agency in escalating situations).


As part of the PRMC plan, online trolls were instructed by their handlers to swarm to Swatantra Jote’s official Facebook page and “take it down” with fake abuse reports. In an audio clip provided to Netra News by one of the whistleblowers, an individual can be heard saying, “Everyone must file abuse reports [to Facebook] under whatever categories — fake, violence — there are, apply everything.”

Following such mass-reporting by PRMC trolls, Facebook imposed restrictions on Swatantra Jote’s page. As administrators of the page were informed through a service notice, “Limits have been placed on [the page]. Stories from your page are not being shown in news feed.”

The trolls also flooded the page with abusive comments from hundreds of bot accounts (fake social media accounts used for automated comments and messaging).

The whistleblowers told Netra News that this is routine work for the PRMC’s online troll army. Civilian contractors, who maintain thousands of fake pages and accounts on Facebook, receive daily instructions on spreadsheets containing URLs of specific posts, pages and profiles to target. Most of these targets are critical journalists, political dissidents, and opposition figures.

“There is clear [division of labour] between teams,” one of the whistleblowers, who works as a PRMC troll, told Netra News. “This team does copyright, this team does violence, this team does comments, this team does accounts disabling.”

However, sophisticated hacking of a high-value target’s Facebook account or page is outside the remit of the PRMC and its troll army. Such tasks are handled by a special team of hackers who work for the Signal Intelligence Bureau (SIB) as civilian contractors. These hackers operate out of the DGFI headquarters inside the Dhaka Cantonment.

Netra News was provided with evidence indicating that the SIB was behind the hacking of the writer Pinaki Bhattacharya’s Facebook account in September 2018 (while he was in Bangladesh) and the hijacking of Swatantra Jote’s Facebook page in May 2020.

“Get all the Bhattacharyas”

The writer Pinaki Bhattacharya, according to the whistleblowers, has long been considered a high-value target by the DGFI, for his caustic criticism of the Awami League government. He is one of the select individuals whose Facebook profile is closely monitored by the PRMC on a “24/7 365 days” basis. The agency has also tried to muzzle his Facebook account by employing all the tools at its disposal including putting him under physical surveillance for months and asking him to appear at its headquarters for questioning. Bhattacharya left Bangladesh for exile in France in 2019.

Netra News was given a clip in which an individual boasts about the kind of access their team at the SIB has: “Take Pinaki Bhattacharya. Sirs [DGFI officers] tried everything, RAB tried. They even contacted Facebook citing a national security ground, but Facebook said there is no national security ground. [Facebook] would not give any personal information. […] Then they [DGFI officers] said if needed get all the Bhattacharyas from the national ID card database […] If we need [personal details of a target], we can [tap into that kind of source of] information.”

SIB hackers were finally able to hack Bhattacharya’s Facebook account in September 2018 by intercepting a two-factor verification code sent to his phone number. The whistleblowers told Netra News that only the “elite team” at the SIB has access to sophisticated technology which enables the hackers to intercept SMS messages containing verification codes for services like Facebook and WhatsApp. One of the whistleblowers said “it is very likely but not sure” that the SIB has direct access to the interception infrastructure at the National Telecommunication Monitoring Center (NTMC).

Coercive measure

According to details provided by the whistleblowers, and research by an independent forensic investigator who helped Netra News investigate the case, Swatantra Jote’s Facebook page was hijacked on May 13th after SIB hackers were able to hack into the personal account of one of its administrators by intercepting their two-factor verification SMS. This coercive measure was taken because the PRMC troll army could not deter the organisation from hosting the planned Facebook Live discussion between Auroni Semonti Khan and Tasneem Khalil.

One of the whistleblowers told a Netra News editor that SIB hackers maintain a “collection of hacked accounts” that they use for high-value hacking operations. These Facebook accounts belong to “regular people” who use easy-to-guess passwords. Once hacked, names on these accounts are often changed to well-known opposition figures, though the whistleblowers could not explain the exact reason for the name changes. One of the benefits of using such a hacked account, instead of registering a new account, is that these “regular people” accounts already have a large friends’ list and a history — which also beats Facebook’s automated system of weeding out fake accounts.

Based on some technical details provided by a member of Swatantra Jote, an independent forensic investigator reconstructed the hacking and hijacking of the organisation’s page. According to this reconstruction, the hackers first took control of the personal account of one of the administrators of the Facebook page. They then relegated all the other administrators and editors of the page to the role of “advertiser” and added a new administrator and a new editor to the page. At least one of these two accounts — which is now named after a controversial BNP activist — belonged to a regular Facebook user who lost his account a few weeks back.

With the help of the forensic investigator, Netra News was able to track down this Facebook user in Comilla. The user, who is a businessman, told a Netra News reporter that his Facebook account was suddenly taken over by someone in early or mid-April. As he could not access his account anymore, he registered a new account and moved on. He also does not know anything about Swatantra Jote, the organisation or its leaders.

On May 14th, Swatantra Jote held an online press conference and issued a press release condemning the “cyber attack” it was subjected to. A general diary (GD) has also been filed with the Boalkhali Police Station in Chittagong by a leader of the organisation in connection with this hacking incident.

After Swatantra Jote lost control of its page, Auroni Semonti Khan hosted the Facebook Live with Tasneem Khalil from her own Facebook profile on the evening of May 13th.

“Our boys and girls”

The government’s involvement in hacking is confirmed in a recent TV interview given by the Bangladeshi telecom and ICT minister, Mustafa Jabbar. The interview, broadcast live by Somoy News on April 3rd 2020, centered on actions taken by the Bangladeshi government against journalists and political dissidents (described as “conspirators” and “rumour mongers”) who criticise the government on Facebook.

“[Facebook] gives excuses in the name of so-called freedom of expression and other [rights], for which we face some inconveniences. However, we can also say that while Facebook acts as the authority, our boys and girls can identify who is doing what and take action against them without [any help from] this authority — we have been able to hack or terminate their [Facebook] IDs. It is a matter of pleasure,” the minister told a Somoy News reporter. “The people can rest assured that our team that is working, including the law enforcement agency, is extremely cautious, efficient, and technologically resourceful.”

During the interview, Somoy News showed screenshots of the Facebook profiles of two dissidents in exile and a journalist: Pinaki Bhattacharya (writer, in exile in France), Meer Zahan (former DGFI officer, in exile in France), and the Swedish-Bangladeshi journalist Tasneem Khalil (editor-in-chief of Netra News).

Pinaki Bhattacharya told Netra News that his Facebook account has been hacked thrice: on September 13th 2018, March 30th 2020, and April 2nd 2020 (the day before the interview was broadcast). Meer Zahan said his Facebook account has not been hacked in recent times. There is no indication that Tasneem Khalil’s verified Facebook profile was compromised in any way in recent years.

“Hacking related offence and punishment”

While Bangladesh’s telecom and ICT minister himself boasts about state-sponsored hacking during a live TV interview and the military intelligence agency targets dissidents, journalists and student groups for cyber attacks, hacking remains a punishable offence according to the country’s controversial cybersecurity law: the Digital Security Act of 2018.

Article 34 of the act, which is often touted by its proponents as an “anti-hacking law”, reads: “if a person commits hacking then it will be considered an offence and for this he will be sentenced to a term of imprisonment not exceeding 14 (fourteen) years or with fine not exceeding Taka 1 (one) crore or with both.”

The act also sets out specific punishments for other cyber crimes including “collecting, using identity information without permission”; “identity fraud or being in disguise”; “publishing, sending offensive, false or fear inducing data-information etc.”

According to a Bangladeshi jurist consulted by Netra News, the law does not make any exception nor does it indemnify government officials, military officers and civilian contractors who engage in hacking and other cyber crimes.

“I did not talk to any such reporter”

When Netra News contacted Mustafa Jabbar for his comment, he initially agreed to talk to Tasneem Khalil, the editor-in-chief of Netra News. In a recorded telephone conversation, Khalil asked him about the Somoy News interview and the claims about state-sponsored hackers hacking people’s Facebook accounts. Jabbar, the minister, immediately denied making any such statements.

Mustafa Jabbar: What? People working for the government are hacking IDs?

Tasneem Khalil: Yes, let me read the exact quote to you. You were telling the reporter Shuvo Khan…

Mustafa Jabbar: I did not talk to any such reporter.

Tasneem Khalil: Did you not talk to a Somoy News reporter? At your home, [broadcast] live?

Mustafa Jabbar: Did not talk.

Tasneem Khalil: I see. We actually have a video clip of the interview they broadcasted, where you are saying, “our boys and girls can identify who is doing what and take action against them without any help from this authority, we have been able to hack or terminate their IDs.” This…

Mustafa Jabbar: These things [inaudible] Somoy News interviews will be available with Somoy News. I do not wish to talk to you.

After a brief cross-talk, Mustafa Jabbar disconnected the call.

Response by Facebook

Netra News asked Facebook for its comment and received this response from a spokesperson: “We are committed to safeguarding the integrity of our services and take action on any attempt to gain unauthorized access to user accounts. We are working to secure [the Swatantra Jote page], and we encourage people to strengthen their security by turning on app-based two-factor authentication and alerts for unrecognized logins.”

“Not in my knowledge”

Netra News tried but could not reach the DGFI officers — both brigadier generals — in charge of the SIB and the PRMC. A DGFI staffer who received a call to its headquarters said “it was not in [his] knowledge” who we could talk to for an official comment about this story.

Auroni Semonti Khan of Swatantra Jote declined to comment.