The Washington PostDemocracy Dies in Darkness

Sprawling Iranian influence operation globalizes tech’s war on disinformation

(Jason Alden/Bloomberg News)

Iran was behind a sprawling disinformation operation on Facebook that targeted hundreds of thousands of people around the world, the social media company said Tuesday night, underscoring Silicon Valley’s increasingly global war on disinformation.

The Iranian effort dated to 2011 and had ties to state media operations in that country, Facebook said, involving hundreds of accounts on both Facebook and its sister site, Instagram. The effort also spread to Twitter and YouTube, with accounts that both companies said they also removed. The fake Iranian accounts bought ads on Facebook and used it to organize events.

Facebook also deleted some unrelated fake accounts originating in Russia, which has been the main focus of reporting on disinformation operations targeting the United States. Tuesday night’s revelations were unusual, because the disinformation targeted people in many countries — in the Middle East and Latin America, as well as Britain and the United States, Facebook said — and involved a nation-state actor other than Russia.

Facebook officials said their actions showed that they are moving more aggressively than in 2016, when the company was widely criticized for not more effectively detecting and combating disinformation on its service.

“As I’ve said before, security is not something that you ever fully solve,” Facebook chief executive Mark Zuckerberg said on a call with reporters. “Our adversaries are sophisticated and well-funded, but the shift we have made from reactive to proactive detection is a big change and is going to make Facebook safer over time.”

‘Too easy to manipulate’: Russian disinformation finally costs Facebook and Twitter

On the heels of Facebook’s revelations Tuesday evening, Twitter said it had removed 284 accounts for engaging in “coordinated manipulation.” Twitter said the accounts also appeared to originate from Iran. YouTube, which belongs to Google, removed at least one account tied to Iran, Google said.

The revelations demonstrated how the production of disinformation has become a global endeavor that involves multiple governments and shadowy actors who use sophisticated methods to mask their identities and locations. A recent report from the Oxford Internet Institute, a research lab associated with Oxford University, found active organized disinformation campaigns taking place on social media in 48 countries, up from 28 in 2017.

“I’ve been saying for months that there’s no way the problem of social media manipulation is limited to a single troll farm in St. Petersburg, and that fact is now beyond a doubt,” said Sen. Mark R. Warner (Va.), the top Democrat on the Senate Intelligence Committee.

Facebook said the revelations emerged from a tip received in July from cybersecurity firm FireEye and from internal investigations.

Facebook said it worked closely with law enforcement in both the United States and Britain on the investigation. It said it briefed the Treasury Department and the State Department, because the United States has sanctions on Iran.

Facebook officials described a multipart investigation, starting with FireEye’s tip in July that an entity called the “Liberty Front Press” led to connections with Iranian state media dating back as long as seven years ago. Overall, this group had 147 pages, accounts and groups on Facebook and 76 on Instagram, reaching more than 200,000 followers while buying more than $6,000 worth of ads and organizing three events.

The discovery appears to be one of the first publicly documented instances of an Iranian influence campaign conducted through U.S. social media, said Lee Foster, FireEye manager of information operations analysis.

“It’s significant in that it shows it’s not just Russia that’s engaged in this activity,” Foster said. “This demonstrates that there are other actors out there who appear to see value in engaging in such activity to shape political discourse.”

A different set of accounts, unrelated to the Iranian accounts, was tied to Russian military intelligence, the company said. A third group, which Facebook didn’t identify, was sharing information about Middle East politics in Arabic and Farsi.

The narratives these groups promoted included anti-Saudi, anti-Israeli and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal, according to a blog post by FireEye. The FireEye post also said it had identified Twitter accounts directly affiliated with the Facebook pages that were linked to phone numbers with the +98 Iranian country code.

“These were distinct campaigns and we have not identified any link or coordination between them,” Facebook said in a blog post. “However, they used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing.”

Facebook traced the groups using a variety of forensic methods, including searching publicly available website registration information, and tracking IP addresses and Facebook pages sharing the same administrators.

The new revelations frustrated some members of Congress, who have been urging both the Trump administration and the tech industry to take more decisive and swift steps to thwart Russia and others from spreading disinformation online. Facebook, Twitter and Google are expected to testify at a Sept. 5 Senate hearing focused on foreign interference in U.S. politics and social media.

Earlier Tuesday, lawmakers heard from members of the intelligence community who warned that not only Russia but also other countries, such as Iran and North Korea, remain cybersecurity threats.

“Russia, China, Iran, and North Korea will pose the greatest cyber threats to the U.S. during the next year,” said Michael Moss, deputy director of the Cyber Threat Intelligence Integration Center, an entity within the Office of the Director of National Intelligence. His comments came in prepared remarks submitted to the Senate Judiciary Committee.

Moss also told lawmakers that “Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran’s recent restraint from conducting cyberattacks against the U.S. or Western allies.”

Facebook says it has uncovered a coordinated disinformation operation ahead of the 2018 midterm elections

Facebook was a major target of Russian disinformation in 2016, hosting 470 pages and accounts that the company later discovered were created by the Internet Research Agency in St. Petersburg. The agency bought thousands of ads targeting Americans, often with rubles, and created posts that reached 126 million Americans, frequently with divisive messages.

More recently, the company also took down 32 pages and accounts last month that reached 290,000 people with ads, events and regular posts on topics such as race, fascism and feminism. Those accounts were mainly critical of President Trump, which differed from 2016, when Russian disinformation messaging focused on bolstering his candidacy and undermining his Democratic rival, Hillary Clinton.

The moves were among several steps taken by technology companies ahead of the coming congressional midterm elections, which U.S. officials and independent experts have said are a major target for Russian disinformation. The crop of pages that were removed on Tuesday did not relate to the midterms, but Facebook executives said they were remaining vigilant.

Microsoft announced this week that it had taken down six websites created by notorious Russian hacker group APT28 — also known as Fancy Bear — and that two of the sites were designed to mimic ones from two Washington think tanks that have been critical of Russia, the International Republican Institute and the Hudson Institute. Microsoft also has said that two political candidates were subjected to spear-phishing attacks.

“We get that 2018 is a very important election year, so this is really serious, and this is a top priority,” Zuckerberg said. “We are taking a lot of steps to make sure we do what we need to here.”