Following more than a year of unrelenting focus on Russian cyber attacks on Silicon Valley giants, Facebook and Twitter announced Tuesday night that they’ve now also thwarted a network of suspicious accounts that appear to originate in Iran.
First, Facebook announced it had taken down 652 pages, groups, and accounts for “coordinated inauthentic behavior.” Less than an hour after Facebook went public with the news, Twitter announced in a brief series of tweets that, working with “industry partners,” it had shut down 284 accounts, many of which it said were from Iran.
The news is a reminder of the broad scope of potential adversaries targeting American tech companies. But it simultaneously signals a strengthening alliance between those companies, which have begun proactively sharing the details of their investigations with other tech giants.
On a call with reporters Tuesday night, Facebook executives including CEO Mark Zuckerberg described a multi-pronged investigation that unearthed several networks of bad actors. Some were associated with Russia, but others were affiliated with Iranian state media. “These were networks of accounts that were misleading people about who they were and what they were doing,” Zuckerberg explained. “People need to be able to trust the connections they make on Facebook.”
The company credits the cybersecurity firm FireEye with detecting one group called Liberty Front Press, which was connected with several accounts and pages. They often posed as news organizations and civil society groups, but using publicly available website registration information and IP addresses, Facebook researchers found that the group was actually affiliated with Iranian state media. All in, more than 200,000 users followed at least one of these accounts or pages across Facebook and Instagram. Facebook didn’t respond to WIRED’s request for comment about whether any of these users had been notified.
In its own blog post Tuesday, FireEye cautioned that identifying the origins of these groups can be difficult, due to the nature of their activities, but said they had “moderate confidence” in their assessment about Iranian involvement. The post included a labyrinthine illustration that maps out the web of different pages and their web of promotion. According to FireEye, the network promoted issues that aligned with Iranian interests. Among the striking details they discovered were “inauthentic social media personas, masquerading as American liberals supportive of U.S. Senator Bernie Sanders, heavily promoting Quds Day, a holiday established by Iran in 1979 to express support for Palestinians and opposition to Israel.”
In addition to the Liberty Front Press network, Facebook found another set of accounts and pages posing as news organizations that the company says had “links” to the Liberty Front Press group. But this network launched more traditional attacks, attempting to hack into other Facebook users’ accounts and spread malware. Facebook says it’s working with law enforcement on further investigating its findings.
The cyberthreat posed by Iran has been the subject of concern in intelligence circles for years. But when the US reached a deal with the country in 2015, which lifted key sanctions, Iran’s cyber attacks seemed to have subsided. Meanwhile, the threat Russia posed only grew in the public consciousness after the 2016 election, when Russian actors hacked into the Democratic National Committee and Hillary Clinton’s campaign chair’s emails, while also carrying out an influence campaign across nearly every social media platform. And yet, lawmakers have recently cautioned against taking an overly myopic view of the scope of cyber threats facing the tech sector.
During a hearing on Capitol Hill on Tuesday, just hours before Facebook’s announcement, Democratic senator Richard Blumenthal warned, forebodingly, “Until there’s real action, Vladimir Putin will operate with impunity, and he will continue to use a playbook which becomes the same playbook used by other countries, notably Iran. I believe there will be news about Iranian aggression in the cyber domain.”
Following Facebook’s disclosure, Democratic senator Mark Warner said in a statement, “I’ve been saying for months that there’s no way the problem of social media manipulation is limited to a single troll farm in St. Petersburg, and that fact is now beyond a doubt.”
Facebook’s discovery underscores the level of vigilance required to detect threats from multiple state actors at once, even as the company tries to find and memorize the fingerprints others have left behind. In addition to the two networks associated with Liberty Front Press, the company also detected a suspicious network that shared content about Middle East politics in Arabic and Farsi, and also shared content about the United States and United Kingdom in English. These 168 pages and 140 accounts racked up 823,000 followers across Facebook and Instagram. This group also ran $6,000 worth of ads, the oldest of which ran in 2012. Despite signals indicating these accounts and pages were connected, they “were not presenting a coordinated front in how they identified themselves,” Nathaniel Gleicher, Facebook’s head of cybersecurity policy, said on the press call.
Facebook noted that it also shut down additional accounts and pages associated with Russian military intelligence, but the company was light on details about what this group shared or how many Facebook users followed them. The company was also reluctant to blame Russia for another suspicious network it shut down at the end of July, saying that all of these investigations are still ongoing.
In his remarks to reporters, Zuckerberg continually stressed the need for tech companies and government agencies to work together to investigate and prevent these threats. His sentiment echoed Microsoft CEO Brad Smith, who earlier Tuesday also called on the government to act when he announced that Microsoft had thwarted a series of Russian cyber attacks on political groups in the United States.
“No one company can win this fight on its own,” Zuckerberg said.