For a long time active in detecting and defending hacking attempts and all kinds of malware, security companies have extended their focus to the disinformation campaigns that have plagued Facebook and other social media in recent years.
SAN FRANCISCO – FireEye, a cybersecurity company involved in a number of prominent investigations, including the 2016 attack on the Democratic National Committee, told Facebook in July that it had a problem.
Company security analysts noticed a cluster of non-authentic accounts and pages on Facebook that share content from a site called Liberty Front Press. It looked like a news site, but most of the content was stolen from outlets such as Politico and CNN. The small amount of original material is written in choppy English.
FireEye's tip eventually led Facebook to delete 652 false accounts and pages. And Liberty Front Press, the common thread among much of that sham activity, was linked to state media in Iran, Facebook said Tuesday.
Facebook's latest cleansing of disinformation from its platforms emphasized the key role that cybersecurity outfits play in checking the pages of giant social media platforms. For all their wealth and staff, companies like Facebook often rely on external companies and researchers for their expertise.
Most read business stories
The discovery of the disinformation campaign also meant a shift in the bad behavior that independent security companies watched. For a long time active in detecting and defending hacking attempts and all kinds of malware, security companies have extended their focus to the disinformation campaigns that have plagued Facebook and other social media in recent years.
FireEye was founded in Milpitas, California in 2004 and has approximately 3,000 employees, a fraction of Facebook. But it uses security analysts with specific skills, including employees who speak English, Arabic, Russian, French and Italian fluently, enabling them to identify and track misinformation around the world.
Lee Foster, manager of FireEye's information operations analysis team, described in an interview with The New York Times how his company saw the Iranian disinformation campaign. He refused to say whether his research was on behalf of a particular customer because FireEye has a policy against naming with whom it works.
"It started with a single social media account or a small set of accounts that pushed this content with a political theme that did not necessarily seem consistent with the persona's who had adopted the accounts," Foster said. Many of the fake accounts that stretched across Facebook, Instagram, Twitter and Reddit shared Liberty Front Press content.
For more than two months, Foster and a small group of analysts charted the connections between the accounts and discovered more of them.
The evidence pointed to Iran. A Liberty Front Press website was originally registered for an e-mail linked to ads for web designers in Tehran before it was transferred to a registrant who had presumably settled in San Jose, California.
The e-mail from the web designer was also used to register another news site. That site was in turn connected to a number of e-mail addresses that were linked to even more non-authentic news sites. Deeper digging, FireEye discovered that many of the Twitter accounts that linked Liberty Front Press content were connected to Iranian phone numbers, although the profiles claimed to be active in the US.
Steps from fake news site to news site and from Twitter to Facebook, FireEye merged a campaign that tried to influence the public in the Middle East, as well as in the United States, Great Britain and Latin America.
The analysts were careful to collect data without being noticed. "I have to be aware that I have to sell the operators," Foster said. "I want to be sure that I have everything, so we do not treat one small part of the threat and we discover that there is a completely different cluster."
The cyber capacities of Iran have grown in recent years and Iranian hackers have been blamed for a number of major attacks. Earlier this year, federal law enforcement officials said nine Iranians were behind intrusions at US government agencies, universities, and corporations.
It has been difficult to assign attacks to Iran. Security experts who have studied Iranian hackers said that many participate in attacks or disinformation campaigns while they are still at university. They are often recruited for government work, but can also drive in and out of government-backed contracts.
These loose connections make it difficult to identify which attacks are being controlled by the Iranian authorities.
FireEye's information calculated Facebook's own research, which revealed three other Iranian disinformation efforts and another that appeared to have arisen in Russia.
One of the Iranian campaigns that Facebook discovered was based on a mix of misinformation and more traditional hacking, wrote Nathaniel Gleicher, head of the cybersecurity policy of Facebook, in a blog post.
"They usually posed as news organizations and did not reveal their true identity," he said. "They were also involved in traditional cybersecurity attacks, including attempts to hack people's accounts and spread malware, which we had seen and disrupted before."
The Russian pages that Facebook discovered were not related to the FireEye survey. Facebook said the accounts were linked to people who had identified law enforcement in the United States as Russian military intelligence. Unlike other fake pages that were attributed to Russians in the past year, those accounts placed content focused on politics in Syria and Ukraine.
An attack on the computer network of Sony by North Korean hackers in 2014 brought cybersecurity companies to the attention that they had to pay more attention to information warfare. Sony's intrusion was destructive for technical systems, "but there was more to it than that," Foster said. "It was about conveying a message and trying to influence an audience."
Over time, "we realized that there was a greater potential threat that we needed to address," he added.
The Sony attack was also a game changer for governments and other large corporations, said Graham Brookie, director of the Digital Forensic Research Lab of the Atlantic Council, who analyzed wrong information on Facebook. Thousands of embarrassing e-mails between Sony executives were dumped online. The hackers also stole employees' personal data and wiped Sony's servers.
The incident prompted officials in the United States to prepare protocols for sharing information about cybersecurity threats and influencing operations, Brookie said.
Because internet stores have trouble keeping up with influence campaigns, Foster is of the opinion that complex disinformation schemes are more common.
"What's great to show is that it really does not matter what the political goals or ideological goals are, these techniques are seen as an attractive way to try to reach them," Foster said.