- We took down a network run by people in Russia and Ukraine targeting Ukraine for violating our policy against coordinated inauthentic behavior. They ran websites posing as independent news entities and created fake personas across social media platforms including Facebook, Instagram, Twitter, YouTube, Telegram and also Russian Odnoklassniki and VK.
- In the past few days, we’ve seen increased targeting of people in Ukraine, including Ukrainian military and public figures, by Ghostwriter, a threat actor that has been tracked for some time by the security community.
- We continue to roll out privacy and security measures to help people in Ukraine and Russia protect their accounts from being targeted.
In response to Russia’s invasion of Ukraine, our teams have been on high alert to identify emerging threats and respond as quickly as we can. Here are a few updates on our security work.
Coordinated Inauthentic Behavior
In the last 48 hours, we uncovered a relatively small network of about 40 accounts, Pages and Groups on Facebook and Instagram. They were operated from Russia and Ukraine and targeted people in Ukraine across multiple social media platforms and through their own websites. We took down this operation, blocked their domains from being shared on our platform, and shared information with other tech platforms, researchers and governments. When we disrupted this network on our platform, it had fewer than 4,000 Facebook accounts following one or more of its Pages and fewer than 500 accounts following one or more of its Instagram accounts.
This network used fake accounts and operated fictitious personas and brands across the internet — including on Facebook, Instagram, Twitter, YouTube, Telegram, Odnoklassniki and VK — to appear more authentic in an apparent attempt to withstand scrutiny by platforms and researchers. These fictitious personas used profile pictures likely generated using artificial intelligence techniques like generative adversarial networks (GAN). They claimed to be based in Kyiv and posed as news editors, a former aviation engineer, and an author of a scientific publication on hydrography — the science of mapping water. This operation ran a handful of websites masquerading as independent news outlets, publishing claims about the West betraying Ukraine and Ukraine being a failed state.
Our investigation is ongoing, and so far we’ve found links between this network and another operation we removed in April 2020, which we then connected to individuals in Russia, the Donbass region in Ukraine and two media organizations in Crimea — NewsFront and SouthFront, now sanctioned by the US government.
Hacking Attempts by Ghostwriter
In the past several days, we’ve seen increased targeting of people in Ukraine, including Ukrainian military and public figures, by Ghostwriter, a threat actor that has been tracked for some time by the security community.
Ghostwriter typically targets people through email compromise and then uses that to gain access to their social media accounts and post disinformation as if it’s coming from the legitimate account owners. We detected attempts to target people on Facebook to post YouTube videos portraying Ukrainian troops as weak and surrendering to Russia, including one video claiming to show Ukrainian soldiers coming out of a forest while flying a white flag of surrender. We’ve taken steps to secure accounts that we believe were targeted by this threat actor and, when we can, to alert the users that they had been targeted. We also blocked phishing domains these hackers used to try to trick people in Ukraine into compromising their online accounts.
We’re recommending that people in Ukraine and Russia take steps to strengthen the security of their online accounts to protect themselves from being targeted by threat actors.
We encourage people to use caution when accepting friend requests and opening links and files from people they don’t know. Please refrain from reusing the same passwords across different services to prevent malicious hackers from gaining access to your information. We also strongly recommend using two-factor authentication on all online accounts.
Earlier this week, we rolled out additional privacy and security protections in Ukraine. We’re now adding them in Russia as well, in response to public reports of targeting of civil society and protesters.
- Lock Your Profile: This tool allows people to lock their Facebook profile in one step. When someone’s profile is locked, people who aren’t their friends can’t download, enlarge or share their profile photo, nor can they see posts or other photos on someone’s profile, regardless of when they posted it. Our teams are working with civil society organizations to help ensure people know these tools are available.
- Friends Lists: We’re temporarily removing the ability to view and search the friends lists of Facebook accounts to help protect people from being targeted.
- Instagram Privacy and Security Reminders: On Instagram, we’re sending everyone in Russia a notification at the top of feed about privacy and account security. For public accounts, we are reminding people to check their settings in case they want to make their accounts private. When someone makes their account private, any new followers will need to be approved, and only their followers will be able to see their posts and stories. For people who already have private accounts, we’re sharing tips on how to keep their account secure through strong passwords and two-factor authentication.
We continue to add measures to help protect people’s privacy and security and will share these updates publicly. Read more about Meta’s ongoing efforts regarding Russia’s invasion of Ukraine.