Columns

Facebook Traces 'Coordinated Inauthentic Behavior' Offenders to Iran, Russia

(AP Photo/Wilfredo Lee)

Facebook announced today that it removed 652 pages, groups and accounts on the social media site and on Instagram “for coordinated inauthentic behavior” traced back to Iran and Russia.

The company said there wasn’t a link found between the two countries’ campaigns, but they “used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing.”

Cybersecurity firm FireEye tipped off Facebook last month about pages for “Liberty Front Press,” which consisted of front accounts for Iranian state media, and amassed some 155,000 followers and spending $6,000 in ads. Sample posts included pro-Brexit content and a meme of Michelle Obama holding a sign that said “an immigrant took my job.”

This was linked to another set of pages and accounts that “engaged in traditional cybersecurity attacks, including attempts to hack people’s accounts and spread malware.” That second effort “typically posed as news organizations and didn’t reveal their true identity,” and had about 15,000 followers.

A third part of the investigation consisted of a group of 168 pages and 140 accounts on Facebook as well as 31 Instagram accounts that shared content about Middle East politics in Arabic and Farsi as well as U.S. and UK political news in English. “We first discovered this set in August 2017 and expanded our investigation in July 2018 as we stepped up our efforts ahead of the US midterm elections,” wrote Nathaniel Gleicher, head of cybersecurity policy at Facebook.

This group had more than 800,000 followers and hosted 25 events. Sample content included a post about Steve Bannon encouraging the ouster of British Prime Minister Theresa May.

“We’re still investigating, and we have shared what we know with the U.S. and UK governments. Since there are U.S. sanctions involving Iran, we’ve also briefed the U.S. Treasury and State Departments,” Gleicher said. “…We’ve removed pages, groups and accounts that can be linked to sources the U.S. government has previously identified as Russian military intelligence services. This is unrelated to the activities we found in Iran. While these are some of the same bad actors we removed for cybersecurity attacks before the 2016 US election, this more recent activity focused on politics in Syria and Ukraine.”

Facebook declined to share more information about what they removed, citing sensitive ongoing investigations.

FireEye said the “significant” activity they uncovered pushed narratives including “anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA).”

“We have observed inauthentic social media personas, masquerading as American liberals supportive of U.S. Senator Bernie Sanders, heavily promoting Quds Day, a holiday established by Iran in 1979 to express support for Palestinians and opposition to Israel,” added the cybersecurity company. “We limit our assessment regarding Iranian origins to moderate confidence because influence operations, by their very nature, are intended to deceive by mimicking legitimate online activity as closely as possible. While highly unlikely given the evidence we have identified, some possibility nonetheless remains that the activity could originate from elsewhere, was designed for alternative purposes, or includes some small percentage of authentic online behavior.”