Facebook uncovers new global misinformation operations

Facebook has identified and banned hundreds of accounts, groups and pages engaged in misleading political behaviour, a far larger discovery than a “sophisticated” effort it reported three weeks ago with great fanfare.

The social network said Tuesday that it had removed 652 pages, groups, and accounts linked to Russia and, unexpectedly, Iran, for “co-ordinated inauthentic behaviour” that included the sharing of political material.

Facebook has significantly stepped up policing of its platform since last year, when it acknowledged that Russian agents successfully ran political influence operations on its platform that were aimed at swaying the 2016 presidential election. Other social media networks have done likewise, and continue to turn up fresh evidence of political disinformation campaigns.

Facebook’s action in late July against 32 accounts possibly linked to Russia generally involved U.S. political activity ahead of the midterm elections in November. By contrast, the latest group of apparently fake accounts appeared more intent on influencing U.S. foreign policy and regional politics in the Middle East.

Shortly after Facebook’s announcement, Twitter revealed that it had also suspended 284 accounts for “co-ordinated manipulation,” many of them apparently originating from Iran. A day earlier, Microsoft also reported a new Russian effort to impersonate conservative U.S. websites, potentially as part of an espionage campaign.

The social network said it had not concluded its review of the material and declined to say how or why the state-backed actors were behaving the way they did. But it said it has informed the U.S. and U.K. governments as well as the U.S. Treasury and State departments because of ongoing sanctions against Iran.

“There’s a lot we don’t know yet,” CEO Mark Zuckerberg said on a hastily called conference call with reporters Tuesday afternoon.

“You’re going to see people try to abuse the services in every way possible … including now nation states,” he said. He described the deception campaigns as “sophisticated and well-funded efforts that aren’t going to stop.”

FireEye, a cybersecurity firm that alerted Facebook to some of this activity, noted that it “does not appear to have been specifically designed to influence the 2018 U.S. midterm elections, as it extends well beyond U.S. audiences and U.S. politics.”

Facebook said its latest action on Tuesday morning resulted from four investigations — three involving Iran, one involving Russia.

The first focused on a group called “Liberty Front Press” that set up multiple accounts on Facebook and Instagram that were followed by 155,000 other accounts. The group was linked to Iranian state media based on website registrations, IP addresses and administrator accounts, Facebook said. The first accounts were created in 2013 and posted political content about the Middle East, the U.K., and the U.S., although the focus on the West increased starting last year, Facebook said.

“The Iranians are now following the Kremlin’s playbook,” said Virginia Sen. Mark Warner, the top Democrat on the Senate intelligence committee. On Sept. 5, leaders of Facebook, Google and Twitter are scheduled to testify before the intelligence committee about their efforts to combat political disinformation on their social media networks.

FireEye called the Liberty Front Press group an influence operation apparently aimed at promoting Iranian political interests “including anti-Saudi, anti-Israeli, and pro-Palestinian themes” and support for the U.S.-Iran nuclear deal.

President Donald Trump withdrew the U.S. from that agreement earlier this year.

While that group did not appear to be attempting to influence the U.S. midterms, FireEye said its analysis “does not preclude such attempts being made.” Several social media personas it found related to the group masqueraded as liberal U.S. activists who supported Sen. Bernie Sanders. One persona also used the Twitter handle “@berniecratss” and listed its location as the United States even though the phone number associated with it began with Iran’s country code, +98.

The group’s activity included “significant anti-Trump messaging,” but FireEye said in a detailed report “the activity extends well beyond U.S. audiences and U.S. politics.”

The second group also had multiple accounts and 15,000 followers. The group was linked to “Liberty Front Press” and attempted to hack people’s accounts to spread malware. Facebook said it disrupted those attempts.

A third group, also operated out of Iran, had as many as 813,000 followers and also shared political content about the Middle East, the U.K. and U.S.

In all, the Iranian-linked groups spent some $12,000 in advertising and hosted 28 different events.

A fourth group that attempted to influence politics in Syria and the Ukraine was connected to sources that Facebook said the U.S. had linked to Russian military intelligence.

“We’re working closely with U.S. law enforcement on this investigation,” Facebook said in a blog post.

In late July, Facebook also removed 32 apparently fake accounts on Facebook and Instagram that collectively had nearly 300,000 followers, including thousands that expressed interest in events they promoted.


Microsoft’s anti-hacking efforts make it an internet cop

Intentionally or not, Microsoft has emerged as a kind of internet cop by devoting considerable resources to thwarting Russian hackers.

The company’s announcement Tuesday that it had identified and forced the removal of fake internet domains mimicking conservative U.S. political institutions triggered alarm on Capitol Hill and led Russian officials to accuse the company of participating in an anti-Russian “witch hunt.”

Microsoft stands virtually alone among tech companies with an aggressive approach that uses U.S. courts to fight computer fraud and seize hacked websites back. In the process, it has acted more like a government detective than a global software giant.

In the case this week, the company did not just accidentally stumble onto a couple of harmless spoof websites. It seized the latest beachhead in an ongoing struggle against Russian hackers who meddled in the 2016 presidential election and a broader, decade-long legal fight to protect Microsoft customers from cybercrime.

“What we’re seeing in the last couple of months appears to be an uptick in activity,” Brad Smith, Microsoft’s president and chief legal officer, said in an interview this week. Microsoft says it caught these particular sites early and that there’s no evidence they were used in hacking.

The Redmond, Washington, company sued the hacking group best known as Fancy Bear in August 2016, saying it was breaking into Microsoft accounts and computer networks and stealing highly sensitive information from customers. The group, Microsoft said, would send “spear-phishing” emails that linked to realistic-looking fake websites in hopes targeted victims — including political and military figures — would click and betray their credentials.

The effort is not just a question of fighting computer fraud but of protecting trademarks and copyright, the company argues.

One email introduced as court evidence in 2016 showed a photo of a mushroom cloud and a link to an article about how Russia-U.S. tensions could trigger World War III. Clicking on the link might expose a user’s computer to infection, hidden spyware or data theft.

An indictment from U.S. special counsel Robert Mueller has tied Fancy Bear to Russia’s main intelligence agency, known as the GRU, and to the 2016 email hacking of both the Democratic National Committee and Democrat Hillary Clinton’s presidential campaign.

Some security experts were skeptical about the publicity surrounding Microsoft’s announcement, worried that it was an overblown reaction to routine surveillance of political organizations — potential cyberespionage honey pots — that never rose to the level of an actual hack.

The company also used its discovery as an opportunity to announce its new free security service to protect U.S. candidates, campaigns and political organizations ahead of the midterm elections.

But Maurice Turner, a senior technologist at the industry-backed Center for Democracy and Technology, said Microsoft is wholly justified in its approach to identifying and publicizing online dangers.

“Microsoft is really setting the standards with how public and how detailed they are with reporting out their actions,” Turner said.

Companies including Microsoft, Google and Amazon are uniquely positioned to do this because their infrastructure and customers are affected. Turner said they “are defending their own hardware and their own software and to some extent defending their own customers.”

Turner said he has not seen anyone in the industry as “out in front and open about” these issues as Microsoft.

Microsoft’s industry-leading Windows operating systems had long been prime targets for viruses when, in 2008, the company formed its Digital Crimes Unit, an international team of attorneys, investigators and data scientists. The unit became known earlier in this decade for taking down botnets, collections of compromised computers used as tools for financial crimes and denial-of-service attacks that overwhelm their targets with junk data.

Richard Boscovich, a former federal prosecutor and a senior attorney in Microsoft’s digital crimes unit, testified to the Senate in 2014 about how Microsoft used civil litigation as a tactic. Boscovich is also involved in the fight against Fancy Bear, which Microsoft calls Strontium, according to court filings.

To attack botnets, Microsoft would take its fight to courts, suing on the basis of the federal Computer Fraud and Abuse Act and other laws and asking judges for permission to sever the networks’ command-and-control structures.

“Once the court grants permission and Microsoft severs the connection between a cybercriminal and an infected computer, traffic generated by infected computers is either disabled or routed to domains controlled by Microsoft,” Boscovich said in 2014.

He said the process of taking over the accounts, known as “sinkholing,” enabled Microsoft to collect valuable evidence and intelligence used to assist victims.

In the latest action against Fancy Bear, a court order filed Monday allowed Microsoft to seize six new domains, which the company said were either registered or used at some point after April 20.

Smith said this week the company is still investigating how the newly discovered domains might have been used.

A security firm, Trend Micro, identified some of the same fake domains earlier this year. They mimicked U.S. Senate websites, while using standard Microsoft log-in graphics that made them appear legitimate, said Mark Nunnikhoven, Trend Micro’s vice-president of cloud research.

Microsoft has good reason to take them down, Nunnikhoven said, because they can hurt its brand reputation. But the efforts also fit into a broader tech industry mission to make the internet safer.

“If consumers are not comfortable and don’t feel safe using digital products,” they will be less likely to use them, Nunnikhoven said.

——

Associated Press Technology Writer Frank Bajak in Boston contributed to this report.
