Hackers Target Ukrainian Military, Journalists on Facebook

The social media giant said hackers compromised some Ukrainian Facebook accounts to spread disinformation.

Queenie Wong Former Senior Writer

Facebook is encouraging Ukrainians to protect their accounts.

Graphic by Pixabay/Illustration by CNET

Facebook's parent company Meta said late Sunday that hackers are increasingly targeting Ukrainian military officials and journalists to spread disinformation. Hackers tied to an operation known as "Ghostwriter" compromised some Ukrainian Facebook accounts, but Meta said it wasn't naming the victims to protect their privacy.

"We detected attempts to target people on Facebook and post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia," said David Agranovich, director of global threat disruption at Meta, at a virtual press conference. 

The threats underscore the variety of challenges social media companies face as they try to combat false claims about Russia's invasion of Ukraine. Meta added features in Ukraine meant to keep users safe, such as the ability to lock their Facebook profile and remove the ability to view and search friends lists. The company, like Twitter, is encouraging users to enable two-factor authentication, an extra layer of security that makes it tougher for hackers to break into accounts.

Ghostwriter typically targets people through email first, using tactics such as trying to trick them into clicking on a malicious link to steal their login credentials, Agranovich said. After compromising a target's email, the hackers then break into the person's social media accounts and use those accounts to post disinformation.

Nathaniel Gleicher, who heads Meta's security policy, said as social media users take steps to protect their accounts, they should also think about how their information could get compromised on other apps and devices. Gleicher said Ghostwriter targeted a "small number" of Facebook users but the group is going after valuable targets such as public figures.

Mandiant Threat Intelligence, which has done research on Ghostwriter, said in a report published last year that it found evidence that suggests the operation has ties to a suspected state-sponsored cyber espionage actor called UNC1151. In November, Mandiant Threat Intelligence linked UNC1151 to the Belarusian government.

"We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions," Mandiant Threat Intelligence said in a blog post.

The European Union said in a press release in September that some EU member states have associated Ghostwriter with the Russian state. 

Fake social media accounts

Meta also pulled down a network of about 40 fake accounts, Pages and Groups on Facebook and Instagram from Russia and Ukraine. The accounts targeted Ukrainians across multiple social networks including on Twitter, YouTube, Telegram, Odnoklassniki and VK. These fake accounts pretended to be news editors, a former aviation engineer and an author of a scientific publication on hydrography (the science of mapping water). They ran fake news websites and published stories that included "claims about the West betraying Ukraine and Ukraine being a failed state," Meta said. 

The company said the network of fake accounts didn't have a wide reach. Fewer than 4,000 Facebook accounts followed one or more of these Pages and fewer than 500 accounts followed one or more of the Instagram accounts.

The social media giant shared information about the operation with other tech platforms, researchers and governments.

Social media sites such as Facebook, Twitter, YouTube and TikTok are being flooded with misinformation and disinformation, including misleading videos that use old footage to create a false image of what's happening in real time.

Meta said it's expanding its third-party fact-checking capacity in Russian and Ukrainian, labeling state-controlled media publishers and barring ads from Russian state media. The company, which owns Facebook, Instagram, Messenger and WhatsApp, said it created a special operations center with experts who speak Ukrainian and Russian to help monitor its platform.

Russia has partly restricted access to Facebook after the social network refused to stop fact-checking and labeling content posted on Facebook by four Russian state-owned media organizations. Russia's telecommunications regulator Roskomnadzor alleges Facebook violated "fundamental human rights" by restricting the country's state-controlled media.

Gleicher said he doesn't have any more information about what restrictions Russia put into place but Meta's teams continue to monitor the situation and "do believe that we're still accessible in [the] country."

On Sunday, Meta said it restricted some accounts, including several run by Russian state media, because the Ukrainian government requested the company do so. The company is reviewing other government requests to do the same in their countries.