Facebook's parent company Meta said late Sunday that hackers are increasingly targeting Ukrainian military officials and journalists to spread disinformation. Hackers tied to an operation known as "Ghostwriter" compromised some Ukrainian Facebook accounts, but Meta said it wasn't naming the victims to protect their privacy.
"We detected attempts to target people on Facebook and post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia," said David Agranovich, director of global threat disruption at Meta, at a virtual press conference.
The threats underscore the variety of challenges social media companies face as they try to combat false claims about Russia's invasion of Ukraine. Meta added features in Ukraine meant to keep users safe, such as the ability to lock their Facebook profile and remove the ability to view and search friends lists. The company, like Twitter, is encouraging users to enable two-factor authentication, an extra layer of security that makes it tougher for hackers to break into accounts.
Ghostwriter typically targets people through email first, using tactics such as trying to trick people into clicking on a malicious link to steal their login credentials, Agranovich said. After compromising a target's email, the hackers then break into the person's social media accounts and use those accounts to post disinformation.
Nathaniel Gleicher, who heads Meta's security policy, said as social media users take steps to protect their accounts, they should also think about how their information could get compromised on other apps and devices. Gleicher said Ghostwriter targeted a "small number" of Facebook users but the group is going after valuable targets such as public figures.
Mandiant Threat Intelligence, which has done research on Ghostwriter, said in a report published last year that it found evidence that suggests the operation has ties to a suspected state-sponsored cyber espionage actor called UNC1151. In November, Mandiant Threat Intelligence linked UNC1151 to the Belarusian government.
"We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions," Mandiant Threat Intelligence said in a blog post.
The European Union said in a press release in September that some EU member states have associated Ghostwriter with the Russian state.
Fake social media accounts
Meta also pulled down a network of about 40 fake accounts, Pages and Groups on Facebook and Instagram from Russia and Ukraine. The accounts targeted Ukrainians across multiple social networks including on Twitter, YouTube, Telegram, Odnoklassniki and VK. These fake accounts pretended to be news editors, a former aviation engineer and an author of a scientific publication on hydrography (the science of mapping water). They ran fake news websites and published stories that included "claims about the West betraying Ukraine and Ukraine being a failed state," Meta said.
The company said the network of fake accounts didn't have a wide reach. Fewer than 4,000 Facebook accounts followed one or more of these Pages and fewer than 500 accounts followed one or more of the Instagram accounts.
The social media giant shared information about the operation with other tech platforms, researchers and governments.
Social media sites such as Facebook, Twitter, YouTube and TikTok are being flooded with misinformation and disinformation, including videos that use old footage to create a false image of what's happening in real-time.
Meta said it's expanding its third-party fact checking capacity in Russian and Ukrainian, labeling state-controlled media publishers andfrom Russia state media. The company, which owns Facebook, Instagram, Messenger and WhatsApp, said it created a special operations center with experts who speak Ukrainian and Russian to help monitor its platform.
Russia has partly restricted Facebook after the social network refused to stop fact-checking and labeling content posted on Facebook by four Russian state-owned media organizations. Russia's telecommunications regulator Roskomnadzor alleges Facebook violated "fundamental human rights" by restricting the country's state-controlled media.
Gleicher said he doesn't have any more information about what restrictions Russia put into place but Meta's teams continue to monitor the situation and "do believe that we're still accessible in [the] country."
On Sunday, Meta said it restricted some accounts, including several run by Russia state media, because the Ukrainian government requested the company do so. The company is reviewing other government requests to do the same in their countries.