Facebook, Twitter, and Google’s security teams are staying busy.
All three companies reported this week that they had removed malicious items from their platforms that had originated in Iran: Facebook took down 652 Pages, groups and accounts, Twitter removed 284 accounts and Google disabled a total of 42 YouTube channels, 16 Google+ accounts, six Blogger accounts and three Gmail accounts.
Twitter disclosed minimal information about the accounts it removed, only sharing the following tweets from the @TwitterSafety handle:
As with prior investigations, we are committed to engaging with other companies and relevant law enforcement entities. Our goal is to assist investigations into these activities and where possible, we will provide the public with transparency and context on our efforts.
— Twitter Safety (@TwitterSafety) August 22, 2018
Facebook and Google gave more information about the malicious activity they discovered on their platforms, with Facebook offering up examples of posts that had been distributed by the bad actors, along with an overview from its director of security explaining how the company responds to cyber threats.
What Google found
Working with outside cybersecurity firms Jigsaw and FireEye, Google’s SVP of global affairs, Kent Walker, reported the company disabled three email accounts, three YouTube channels and three Google accounts attached to state-sponsored actors outside of the US who were targeting political campaigns, journalists, activists and academics.
Google also named the Islamic Republic of Iran Broadcasting (IRIB) as the group behind the 39 YouTube channels it removed, along with six Blogger accounts and 13 Google+ accounts. Google says the YouTube channels had accumulated a total of 13,466 views within the US, and that there was evidence IRIB’s attack operations go back to at least January 2017. It also has evidence of attacks by other Iranian forces that go back as far as 2011 and 2013.
“The state-sponsored phishing attacks, and the actors associated with the IRIB that we’ve described above, are clearly not the only state-sponsored actors at work on the Internet,” writes Walker. “For example, last year we disclosed information about actors linked to the Internet Research Agency (IRA). Since then, we have continued to monitor our systems, and broadened the range of IRA-related actors against whom we’ve taken action.”
The 652 accounts removed by Facebook
Facebook, which also worked with FireEye, a cybersecurity firm, released the most information about the attacks it discovered on its platform and Instagram, breaking down its investigation into four parts.
The first three parts of the investigation involved Pages, groups and accounts identified as “Liberty Front Press” and “Quest 4 Truth,” both powered by Iranian media organizations. The attacks included campaigns to distribute malicious content, the creation of fake Events, and attempts to hack Facebook user accounts and spread malware.
The fourth part of the investigation, which was unrelated to the Iranian groups, included the removal of Pages, groups and accounts attached to a Russian military intelligence service.
The 652 Pages, groups and accounts that Facebook took down had a total of 983,000 followers and had spent more than $12,000 on advertising.
Here are a few examples of the malicious content posted on Facebook and shared in the UK and the US:
Facebook says it found evidence of attacks going all the way back to 2011 and as recently as this year.
From Facebook’s head of cybersecurity policy, Nathaniel Gleicher:
The first “Liberty Front Press” accounts we’ve found were created in 2013. Some of them attempted to conceal their location, and they primarily posted political content focused on the Middle East, as well as the UK, US, and Latin America. Beginning in 2017, they increased their focus on the UK and US. Accounts and Pages linked to “Liberty Front Press” typically posed as news and civil society organizations sharing information in multiple countries without revealing their true identity.
Facebook Director of Security Chad Greene discussed the dilemma that cybersecurity threats pose for Facebook and other platforms.
From Greene’s comments on the recent attacks:
As soon as a cyber threat is discovered, security teams face a difficult decision: when to take action. Do we immediately shut down a campaign in order to prevent harm? Or do we spend time investigating the extent of the attack and who’s behind it so we can prevent them from doing bad things again in the future?
Greene says his team focuses on how active the threat is, how sophisticated the actors involved are, how much harm is being done — and how the threat plays into world events. He referenced the 32 Pages taken down in July that were removed because an Event promoted by the bad actors was approaching, and the team had to act fast to avoid the possibility of physical harm coming to any users that may have planned to attend.
Greene says in other cases, they delay action to learn as much as they can from the forces behind the malicious content.
Facebook, along with Twitter and Google, is also working with US intelligence agencies to safeguard their platforms. Greene mentioned that Facebook often shares its intelligence with other companies once it has “a basic grasp of what’s happening.”
While none of the companies — Facebook, Twitter or Google — named the others in their announcements this week covering the most recent attacks, it’s obvious that information was being shared among the three to collect as much data as possible about the bad actors who were exposed as engaging in activities from Iran.