Sprawling Iranian influence operation globalizes tech's war on disinformation
Iran was behind a sprawling disinformation operation on Facebook that targeted hundreds of thousands of people around the world, the social media company said Tuesday night, underscoring Silicon Valley's increasingly global war on disinformation.
The Iranian effort dated to 2011 and had ties to state media operations in that country, Facebook said, involving hundreds of accounts on both Facebook and its sister site, Instagram. It also spread to Twitter and YouTube, which both companies said they also removed. The fake Iranian accounts bought ads on Facebook and used it to organize events.
Facebook also deleted some unrelated fake accounts originating in Russia, which which has been the main focus of reporting on disinformation operations targeting the United States. Tuesday night's revelations were unusual because the disinformation targeted people in many countries -- the Middle East, Latin America, the U.K. and the U.S., Facebook said -- and involved a nation-state actor other than Russia.
Facebook officials said their actions showed that they are moving more aggressively than in 2016, when the company was widely criticized for not more effectively detecting and combating disinformation on its service.
"As I've said before, security is not something that you ever fully solve," Facebook chief executive Mark Zuckerberg said on a call with reporters. "Our adversaries are sophisticated and well-funded but the shift we have made from reactive to proactive detection is a big change and is going to make Facebook safer over time."
On the heels of Facebook's revelations Tuesday evening, Twitter also said that the company had removed 284 accounts for engaging in "coordinated manipulation." Twitter said the accounts also appeared to originate from Iran. YouTube, which belongs to Google, removed at least one account tied to Iran, Google said.
The revelations demonstrated how the production of disinformation has become a global endeavor that involves multiple governments and shadowy actors who use sophisticated methods to mask their identities and locations. A recent report from the Oxford Internet Institute, a research lab associated with Oxford University, found active organized disinformation campaigns taking place on social media in 48 countries, up from 28 in 2017.
"I've been saying for months that there's no way the problem of social media manipulation is limited to a single troll farm in St. Petersburg, and that fact is now beyond a doubt," said Sen. Mark Warner, Va., the top Democrat on the Senate Intelligence Committee.
Facebook said the revelations emerged from a tip received in July from cybersecurity firm FireEye, and from internal investigations.
The company said it had worked closely with law enforcement in both the U.S. in the U.K. on the investigation, and had briefed the Treasury Department and the State Department, because the U.S has sanctions on Iran.
Facebook officials described a multi-part investigation, starting with FireEye's tip in July that an entity called the "Liberty Front Press" led to connections with Iranian state media dating back as long as seven years ago. Overall this group had 147 pages, accounts and groups on Facebook and 76 on Instagram, reaching more than 200,000 followers while buying more than $6,000 of ads and organizing three events.
The discovery appears to be one of the first publicly documented instances of an Iranian influence conducted through U.S. social media, said Lee Foster, FireEye manager of information operations analysis.
"It's significant in that it shows it's not just Russia that's engaged in this activity," Foster said. "This demonstrates that there are other actors out there who appear to see value in engaging in such activity to shape political discourse."
A different set of accounts, which was unrelated to the Iranian accounts, were tied to Russian military intelligence, the company said. A third group, who Facebook didn't identify, was sharing information about Middle East politics in Arabic and Farsi.
The narratives these groups promoted included anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal, according to a blog post by FireEye. The FireEye post also said that it had identified Twitter accounts directly affiliated with the Facebook pages that were linked to phone numbers with the +98 Iranian country code.
"These were distinct campaigns and we have not identified any link or coordination between them," Facebook said in a blog post. "However, they used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing."
Facebook traced the groups using a variety of forensic methods, including searching publicly available website registration information, and tracking IP addresses and Facebook pages sharing the same administrators.
The new revelations frustrated some members of Congress, who have been urging both the Trump administration and the tech industry to take more decisive and swift steps to thwart Russia and others from spreading disinformation online. Facebook, Twitter and Google are expected to testify at a September 5 hearing in the Senate focused on foreign interference in U.S. politics and social media.
Earlier Tuesday, lawmakers heard from members of the intelligence community who warned that not only Russia but other countries, like Iran and North Korea, remain cybersecurity threats.
"Russia, China, Iran, and North Korea will pose the greatest cyber threats to the U.S. during the next year," said Michael Moss, the deputy director of the Cyber Threat Intelligence Integration Center, an entity within the Office of the Director of National Intelligence. His comments came in prepared remarks submitted to the Senate Judiciary Committee.
Moss also told lawmakers that "Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran's recent restraint from conducting cyber attacks against the U.S. or Western allies."
Facebook was a major target of Russian disinformation in 2016, hosting 470 pages and accounts that the company later discovered were created by the Internet Research Agency, in St. Petersburg. The agency bought thousands of ads targeting Americans, often with rubles, and created posts that reached 126 million Americans, frequently with divisive messages.
More recently, the company also took down 32 pages and accounts last month that reached 290,000 people with ads, events and regular posts on topics such as race, fascism and feminism. Those accounts were mainly critical of Donald Trump, which differed from 2016, when Russian disinformation messaging focused on bolstering his candidacy and undermining his Democratic rival, Hillary Clinton.
The moves were among several steps taken by technology companies ahead of the coming congressional midterm elections, which U.S. officials and independent experts have said are a major target for Russian disinformation. The crop of pages that were removed on Tuesday did not relate to the midterms, but Facebook executives said they were remaining vigilant.
Microsoft announced this week that it had taken down six websites created by notorious Russian hacker group APT28 - also known as Fancy Bear - and that two of the sites were designed to mimic ones from two Washington think tanks that have been critical of Russia, the International Republican Institute and the Hudson Institute. Microsoft also has said that two political candidates had been subjected to spear-phishing attacks.
"We get that 2018 is a very important election year so this is really serious, and this is a top priority," said Zuckerberg. "We are taking a lot of steps to make sure we do what we need to here."
This article was written by Tony Romm, Craig Timberg, Ellen Nakashima and Elizabeth Dwoskin, reporters for The Washington Post.