Skip to main content

Facebook exposes Iranian network engaged in co-ordinated misinformation, some targeting Brexit

Social media firms are battling a new foe in their attempts to protect the integrity of their platforms from political interference as they try to prevent further scrutiny from the U.S. and other governments. Facebook and Twitter say Iranian government-backed actors were behind a sprawling network of hundreds of accounts, pages and posts engaged in a co-ordinated misinformation campaign targeting users across the globe.

Facebook Inc. said it had removed more than 650 pages, accounts and thousands of dollars in advertisements linked to Iran that had spread inauthentic news supporting Tehran’s political interests in multiple languages aimed at users in the United States, Britain, the Middle East and Latin America. The social-media giant also removed inauthentic pages and accounts linked to Russian military intelligence services it said were part of a separate campaign spreading pro-Russian views on Syria and Ukraine. Twitter Inc. said it removed 280 accounts linked to an Iranian misinformation campaign, while Alphabet Inc. removed one Iranian-backed account on YouTube.

The revelations come as Facebook is struggling to protect its platform against abuse after it was criticized for being slow to identify Russian tampering in the 2016 U.S. presidential election and for not preventing user data from being improperly shared with political consultancy Cambridge Analytica. The details of the new political interference operations underscore the vast reach of state-sponsored propaganda efforts on social media.

Story continues below advertisement

Many of the accounts and pages were linked to a network called Liberty Front Press, which often posed as legitimate media sites or civil organizations to spread information supportive of Tehran’s interests, Facebook said early on Wednesday. The posts included anti-Israel messages along with posts aimed at anti-Brexit voters and supporters of British Opposition Leader Jeremy Corbyn. Pages also targeted U.S. Facebook users with posts critical of the U.S.-Iran nuclear deal and accounts posing as supporters of U.S. Senator Bernie Sanders that were heavily promoting Quds Day, the Iranian-led holiday in support of displaced Palestinians.

The network of accounts and pages had hundreds of thousands of followers on Facebook and Instagram. The Iranian-linked network also organized at least 28 events on Facebook, although company officials declined to provide any information about the events, saying they were still under investigation. Some of the accounts also engaged in more traditional cyberattacks, such as attempting to hack into users’ accounts or spread malware.

Unlike efforts by Russian trolls to spread political divisive news ahead of recent U.S. elections however, the Iranian propaganda efforts did not seem to primarily be targeting the coming November U.S. midterms, said FireEye, the California-based cybersecurity firm that tipped Facebook to the links with Iran last month. Instead, the campaign aimed to advance Iranian interests far beyond the United States – to social media users in the Middle East, Latin America and Britain.

“These operations extend well beyond those conducted by Russia,” FireEye analysts wrote on a blog posted on the company’s website on Tuesday night. “Our investigation also illustrates how the threat posed by such influence operations continues to evolve, and how similar influence tactics can be deployed irrespective of the particular political or ideological goals being pursued.”

Security experts say that while Iran’s cyberwarfare capabilities remain rudimentary compared with Russia or China, the country’s computer attacks and social-media espionage campaigns are growing increasingly sophisticated.

Last year, FireEye analysts uncovered a campaign dubbed APT 35, or Newscaster, by Iranian hackers who created fake journalist accounts on social media.

“We believe that Iran will continue working to penetrate U.S. and Allied networks for espionage and to position itself for potential future cyber attacks,” Michael Moss, deputy director of the U.S. Cyber Threat Intelligence Integration Center, told the Senate Judiciary Committee in prepared remarks on Tuesday. “Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran’s recent restraint from conducting cyberattacks against the U.S. or Western allies.”

Story continues below advertisement

FireEye said it first spotted the most recent Iranian social media campaign after it noticed that e-mail addresses used to create known Iranian websites Yemenshia.com and Gahvare.com were also responsible for registering a network of websites with names such as “Real Progressive Front,” “Britishleft.com” and “USJournal.net” that contained a mix of fake news content and real news articles that were sometimes altered.

Analysts also identified multiple Twitter accounts affiliated with the sites that were linked to phone numbers with Iran’s “98” country code.

Facebook said it was able to link the Liberty Front Press to Iranian state media through website registration information, IP addresses and common page administrators.

Among pages it flagged was “Quest 4 Truth,” which claimed to be an independent Iranian media organization, but was linked to Press TV, an English-language network affiliated with Iranian state-owned media.

Some of the Iranian-linked accounts and pages were created as far back as 2011 and initially focused mainly on sharing content about Middle Eastern politics in Arabic and Farsi, although it also published posts in English aimed at U.S. and British users, including ads for a site called “Free Scotland 2014.”

The social media firm said it first became aware of some of the posts last August, but had wrestled internally with whether to remove them immediately or monitor the activity to better understand it and provide more useful information to outside experts and law enforcement agencies.

Story continues below advertisement

“When we reach a point where our analysis is turning up little new information, we’ll take down a campaign, knowing that more time is unlikely to bring us more answers,” Facebook’s director of security Chad Greene wrote on the company’s blog. “But if we’re still learning as we dig deeper, we’ll likely hold off on taking any action that might tip off our adversary and prompt them to change course.”

Report an error Editorial code of conduct
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • All comments will be reviewed by one or more moderators before being posted to the site. This should only take a few moments.
  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed. Commenters who repeatedly violate community guidelines may be suspended, causing them to temporarily lose their ability to engage with comments.

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.
Cannabis pro newsletter