Facebook Shuts Down Pro-Russian Network, Ukraine Account Hijacks


Meta Platforms Inc. found and disabled a disinformation network that operated accounts, groups and pages targeting Ukraine across its social networks, the company said late Sunday. 

The company also identified a number of Ukrainian public figures whose accounts were compromised by Ghostwriter, a known threat actor with a history of spreading Kremlin-friendly propaganda.

Meta has seen an uptick in targeting of Ukrainian users with disinformation and attempts to hijack accounts over the past few days as the nation grapples with an invasion by Russian military forces. With the conflict taking center stage in global news, Meta has “amplified” its cybersecurity team with a special operations center and is “taking rapid and proactive steps to change the situation on-platform and make things safer,” Nathaniel Gleicher, its head of security policy, said on a conference call.

The Facebook operator identified a breach of its coordinated inauthentic behavior (CIB) policy over the past 48 hours that manifested in fake personas posting links and content suggesting Western nations had betrayed Ukraine or that Ukraine was a failed state. The cross-platform operation spanned Twitter, Alphabet Inc.’s YouTube, Telegram and Russian social network VK as well as websites posing as independent news outlets. The fake accounts claimed to be based in Kyiv and included fictitious news editors and a former aviation engineer, while their profile photos appeared to have been generated with the help of artificial intelligence software, the company said.

Meta coordinated with other social networks and disrupted the campaign when its Facebook pages had fewer than 4,000 followers and its reach on Instagram was at less than 500 followers. The company isn’t attributing the action to Russia directly, but it said it identified similarities to an April 2020 CIB network that it connected with individuals in Russia and the contested Donbas region in Ukraine as well as Crimea.

The Ghostwriter attacks successfully compromised “a handful” of Ukrainian accounts, Gleicher said. The group, which previously was alleged to be involved in trying to sway voters in Germany’s election, works by targeting a small number of high-profile users and attempting to obtain their login credentials in order to use their social accounts to spread disinformation.

One of the pieces of content it sought to post was a YouTube video supposedly showing Ukrainian soldiers waving a white flag and surrendering to Russian troops. Facebook’s security team secured the affected accounts and alerted targeted users, though the company declined to identify any of the people affected.

Facebook continues to be accessible within Russia, according to its security chief, though it’s aware of reports that the country’s regulators may throttle or take its services offline after it rejected requests to block content within its borders.