Facebook and Twitter shut down hundreds of user accounts tied to Iran and Russia for spreading misinformation.
Facebook, with the help of cybersecurity company FireEye Inc., removed 652 pages, groups and accounts for "inauthentic behavior" this week. In a statement, Facebook's head of cybersecurity policy Nathaniel Gleicher said that the Facebook accounts deleted originated in Iran and targeted people in the Middle East, Latin America, the U.K. and the U.S.
FireEye gave Facebook a tip in July about a network of pages known as "Liberty Front Press" and from that, Facebook was able to identify more pages in the network and attribute them to Iran.
"We are able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins," Gleicher explained, adding that some of the accounts they looked at were created in 2013. "Some of them attempted to conceal their location, and they primarily posted political content focused on the Middle East, as well as the U.K., U.S., and Latin America. Beginning in 2017, they increased their focus on the U.K. and U.S."
Most of the Facebook accounts deleted were associated with Iran and had been running paid-for ads on both social media platforms for the last six years; some had even hosted events.
"This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests," FireEye Intelligence explained in a blog post. "These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA). The activity we have uncovered is significant, and demonstrates that actors beyond Russia continue to engage in and experiment with online, social media-driven influence operations to shape political discourse."
Gleicher said that Facebook is still investigating some of these accounts.
"Since there are US sanctions involving Iran, we've also briefed the US Treasury and State Departments," Gleicher said. "These sanctions allow companies to provide people internet services for personal communications, including the government and its affiliates. But Facebook takes steps to prevent people in Iran and other sanctioned countries from using our ad tools."
Facebook also removed pages, groups and accounts that it had previously identified as being linked to Russian military intelligence services, though they are unrelated to the Iran-linked accounts.
"While these are some of the same bad actors we removed for cybersecurity attacks before the 2016 U.S. election, this more recent activity focused on politics in Syria and Ukraine," Gleicher said. "For example, they are associated with Inside Syria Media Center, which the Atlantic Council and other organizations have identified for covertly spreading pro-Russian and pro-Assad content. To date, we have not found activity by these accounts targeting the U.S."
Following Facebook's announcement that it had taken down these accounts, Twitter said it too had suspended user accounts originating from Iran for "engaging in coordinated manipulation."
"Working with our industry peers today, we have suspended 284 accounts from Twitter for engaging in coordinated manipulation. Based on our existing analysis, it appears many of these accounts originated from Iran." (Twitter Safety, @TwitterSafety, August 22, 2018)
Alphabet Inc. also reportedly shut down accounts tied to Iran for running propaganda operations on Google Plus and YouTube.
In other news
- North Korean hackers are reportedly exploiting a recently patched vulnerability in Microsoft's VBScript engine. VBScript is available in the newest versions of Windows and Internet Explorer, though Microsoft disabled it by default to mitigate this vulnerability. However, security researchers at Trend Micro discovered the vulnerability, tracked as CVE-2018-8373, being exploited in the wild the day after Microsoft's July Patch Tuesday. The vulnerability is a use-after-free memory corruption flaw that enables hackers to run shellcode on targeted systems. The researchers then noticed similarities between this flaw and one called Double Kill that was reported earlier in the year by Qihoo 360, the Chinese cybersecurity company. After analyzing both exploits, they determined that the two came from the same threat actor, an advanced persistent threat group known as Darkhotel. Kaspersky Lab discovered Darkhotel in 2014 and found it has ties to North Korea.
- A group of security professionals built a malicious USB charging cable that can compromise computers it is plugged into. The research was done by Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of Syon Security, and Kevin Mitnick. They call the USB cable USBHarpoon, and the proof of concept was based on previous research called BadUSB from Karsten Nohl at Security Research Labs. Nohl's research found that hackers can reprogram the controller chip in a USB drive so that the drive presents itself as a human interface device and then runs commands on whatever system it's plugged into. USBHarpoon is similar, but instead of USB drives, it works with USB charging cables. The cable will still perform its normal functions, but it also performs malicious activity.
- A new type of ransomware called Ryuk has reportedly been infecting systems since Aug. 13. Independent security researcher MalwareHunter tweeted about it last week; the ransomware had affected five companies in only a few days. Research from Check Point found that Ryuk is similar to the Hermes ransomware, which is attributed to the North Korean Lazarus Group. Check Point also noted that Ryuk, unlike most ransomware, is used "exclusively for tailored attacks" rather than through wide-reaching spam campaigns. Ryuk's "encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers," Check Point said. The hackers behind this ransomware campaign have already profited, reportedly making over $640,000 worth of bitcoin from companies that have paid the ransom.